Attackers have exploited a critical vulnerability in the Oracle Payments File Transmission component of Oracle E-Business Suite's Payments module, affecting releases 12.2.3 through 12.2.15, just six weeks after Oracle issued a patch. The flaw, tracked as CVE-2026-46817, has a CVSS score of 9.8 and allows unauthenticated attackers to read arbitrary files. Researchers first observed exploitation on June 27, before any public proof-of-concept exploit was available [1]. Oracle fixed the vulnerability in its May Critical Patch Update, and the fact that attackers exploited it so quickly, even without public exploit code, underscores how fast they can move and highlights the importance of prompt patching and monitoring. For practitioners, the disclosure of CVE-2026-46817 expands the active attack surface, making it crucial to prioritize mitigation based on exposure and exploitation evidence.
Oracle E-Business Suite was under attack via critical flaw before the public exploit code was even released
⚠️ Critical Alert
Why This Matters
CVE-2026-46817 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- The Register. (2026, July 2). Oracle E-Business Suite was under attack via critical flaw before the public exploit code was even released. *The Register*. https://www.theregister.com/cyber-crime/2026/07/02/oracle-e-business-suite-was-under-attack-via-critical-flaw-before-the-public-exploit-code-was-even-released/5265710
Original Source
The Register