# Critical Oracle E-Business Suite Flaw Under Active Exploitation  Threat intelligence company **Defused** has reported that attackers have begun actively exploiting a critical vulnerability, tracked as **CVE-2026-46817**, in the **Oracle E-Business Suite (EBS)** financial application. This flaw affects the File Transmission component of **EBS's Oracle Payments** product. ## Unauthenticated System Takeover **CVE-2026-46817** enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks. The severity of this issue is underscored by its potential for complete system compromise without prior authentication. **Oracle** addressed this vulnerability in its May 2026 Critical Security Patch Update and has strongly advised customers to apply the security patches without delay. The company has previously cautioned that successful attacks often occur when customers fail to apply available patches. ## Exploitation Confirmed by Defused While **Oracle** had not yet officially flagged **CVE-2026-46817** as exploited in the wild, **Defused** announced on Monday that active exploitation attempts were observed over the weekend. According to **Defused**, this vulnerability had no known prior exploitation and no public Proof-of-Concept (POC) code existed before these recent attacks.  ## Widespread Exposure and Past Incidents Internet security watchdog group **Shadowserver** currently tracks over 450 **Oracle EBS** instances exposed online, with nearly 200 located in the United States and Europe. The exact number of these instances that have been secured against the ongoing attacks remains unknown.  This is not the first time **Oracle EBS** has been a target. The **Clop** extortion gang previously exploited another **Oracle EBS** security flaw (**CVE-2025-61882**) in zero-day attacks. These attacks targeted numerous U.S. universities, including **Harvard University**, the **University of Pennsylvania**, **Dartmouth College**, and the **University of Phoenix**, as well as organizations like the **Washington Post**, **Logitech**, and **GlobalLogic**. ## Recurring Oracle Vulnerabilities Earlier this month, the **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** highlighted a high-severity **Oracle WebLogic Server** flaw (**CVE-2024-21182**), patched two years prior, as actively exploited. Weeks later, **Oracle** mitigated a critical **PeopleSoft Suite** zero-day vulnerability (**CVE-2026-35273**), which was exploited in **ShinyHunter** data theft attacks and allowed unauthenticated remote code execution. Over the past several years, **CISA** has identified 44 vulnerabilities across various **Oracle** products as exploited in the wild, with 13 of these also leveraged in ransomware attacks. This recurring pattern underscores the critical importance of timely patching and robust security practices for organizations utilizing **Oracle** products.