Over 900 Oracle E-Business Suite Instances Exposed Amid Active Exploitation of Critical Flaw
A critical vulnerability in **Oracle E-Business Suite (EBS)**'s Oracle Payments product, tracked as **CVE-2026-46817**, is actively being exploited, leaving over 900 instances exposed online. Threat actors are leveraging this flaw for unauthenticated HTTP takeover, prompting urgent calls for patching.

More than 900 instances of **Oracle E-Business Suite (EBS)** have been found exposed online as threat actors actively exploit a critical security vulnerability within the platform.
### Critical Flaw Under Active Attack
The vulnerability, identified as **CVE-2026-46817**, resides in the File Transmission component of EBS's **Oracle Payments** product. This flaw allows unprivileged malicious actors with HTTP network access to gain control of vulnerable systems through low-complexity attacks. **Oracle** addressed this critical issue in its May 2026 Critical Security Patch Update, urging customers to apply the patches immediately.
While **Oracle** had not previously flagged **CVE-2026-46817** as exploited in the wild, threat intelligence company **Defused** issued a warning on Monday, confirming active exploitation attempts observed over the weekend.
> "**CVE-2026-46817** (CVSS 9.8 unauth HTTP takeover in **Oracle E-Business**) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our **Oracle E-Business** honeypots. This vulnerability has no known previous exploitation and no public POC code exists."
### Widespread Exposure and Urgent Patching
Internet security watchdog **Shadowserver** also reported tracking approximately 950 **Oracle EBS** instances exposed online. However, it remains unclear how many of these systems have been secured against attacks exploiting **CVE-2026-46817**.

*Oracle EBS instances exposed online (**Shadowserver**)*
### A Pattern of Exploitation for Oracle Products
This latest exploitation follows a series of high-profile security incidents involving **Oracle** products:
* Last month, the **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** added a high-severity **Oracle WebLogic Server** flaw, **CVE-2024-21182**, to its catalog of actively exploited vulnerabilities.
* Weeks later, **Oracle** mitigated a critical **PeopleSoft Suite** zero-day, **CVE-2026-35273**, which was exploited by the **ShinyHunters** extortion gang to achieve unauthenticated remote code execution and steal data from numerous organizations, including **Nottingham University** and the **National Association of Insurance Commissioners (NAIC)**.
* **Nissan** recently disclosed a data breach affecting employees, linked to the compromise of its **Oracle PeopleSoft** instance.
* Since early August 2025, the **Clop** extortion gang has exploited another **Oracle EBS** security flaw, **CVE-2025-61882**, in zero-day attacks targeting U.S. universities (**Harvard University**, the **University of Pennsylvania**, **Dartmouth College**, and the **University of Phoenix**), as well as high-profile entities like **Logitech**, **GlobalLogic**, and the **Washington Post**.
**CISA** has added 44 vulnerabilities across various **Oracle** products to its catalog of actively exploited flaws since November 2021, with 13 of these also being abused by ransomware groups. This ongoing trend underscores the critical importance for organizations to prioritize patching and robust security measures for their **Oracle** environments.