preloader

· security digital-security devops oracle erp cve cisa-kev vulnerability-management finance europe

Attackers Are Already Exploiting an Unauthenticated Oracle E-Business Suite Flaw That Reaches Straight Into Payment Data

Source: BleepingComputer

Oracle E-Business Suite, one of the most widely deployed ERP platforms in large European finance, manufacturing, and public sector organisations, has an unauthenticated, actively exploited flaw sitting directly on top of its payments module.

What the flaw does

CVE-2026-46817 is a critical, CVSS 9.8 improper privilege management vulnerability in the Oracle Payments File Transmission component of Oracle E-Business Suite. An attacker needs no credentials and no user interaction, and can reach the vulnerable component remotely over ordinary HTTP. Successful exploitation gives an external attacker control over Oracle Payments, with a direct line into payment workflows, financial records, and any enterprise system connected to that module.

Oracle actually addressed the underlying issue twice, once in its May 2026 Critical Patch Update and again in a supplementary update on 16 June, but organisations that had not applied either fix are now confirmed targets. Threat intelligence firm Defused observed an actor exploiting the flaw against honeypot Oracle E-Business Suite instances over the weekend, and CISA added the CVE to its Known Exploited Vulnerabilities catalogue on 15 July, giving US federal agencies until 18 July to remediate.

Why the payments angle raises the stakes

A vulnerability that reaches financial workflows is a different category of risk than one reaching a general application server. Oracle EBS deployments in Europe frequently sit behind, or directly process, payment runs, supplier disbursements, and financial reconciliation data covered by strict internal controls and, in many sectors, regulatory obligations under DORA and NIS2. An attacker with control of the Payments module is not just inside the network, they are positioned to manipulate or exfiltrate exactly the data an audit or incident report would need to explain to a regulator. Organisations that unknowingly missed either of Oracle’s two 2026 patches, common when patch cycles are quarterly rather than continuous, now have a live exploitation window rather than a theoretical one.

What to do now

Confirm your EBS instances are running the June 2026 supplementary Critical Patch Update or later immediately, and if they are not, treat this as an active incident: isolate the Payments File Transmission component from external access while you patch, and review logs for anomalous unauthenticated HTTP requests to that component going back to when the May patch was released. CISA’s binding deadline does not apply outside US federal agencies, but a confirmed weekend of active exploitation against honeypots is a strong signal that opportunistic scanning against real targets is already underway or imminent.

If your organisation runs Oracle E-Business Suite and needs help confirming patch levels, assessing exposure of financial modules, or building a faster patching cadence for ERP infrastructure that regulators expect to be current, contact Excello Digital. We help European finance and operations teams turn Oracle’s patch releases into confirmed, verified protection rather than an assumption.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!