An undisclosed threat actor was observed this past weekend exploiting a 9.8 critical Oracle E-Business Suite (EBS) vulnerability.

Threat intelligence firm Defused posted the news on X June 29, saying it saw the threat actor exploiting its Oracle EBS honeypots. Defused said this bug has no known previous exploitation and no public proof-of-concept (PoC) code exists.

The bug — CVE-2026-46817 — was considered easily exploitable and lets unauthenticated attackers with network access via HTTP compromise Oracle Payments. It's of note that Oracle patched the bug in late May as part of its monthly Critical Security Patch Update that fixed 77 vulnerabilities.

Sagy Kratu, principal cybersecurity strategist at Vicarius, explained that the roughly one-month gap between disclosure and exploitation is interesting because it cuts against the "minutes to exploitation" narrative that gets repeated a lot right now.

Kratu said there's actually a lot of good news here. First, this patch was part of a 77-vulnerability bundle, so when a CVE ships buried in a large CSPU, attackers have to triage the same patch diff everyone else does to figure out which of the 77 fixes are actually worth weaponizing.

"That triage time is real, and it's a separate clock from the 'exploit development' clock everyone usually talks about," said Kratu. "A single high-profile CVE with a published PoC gets reverse-engineered fast. A critical bug inside a 77-CVE patch Tuesday-style release has to be found first."

Second, Kratu said there was no public PoC here, and that's the variable that usually compresses timelines the most. The 2023 Oracle EBS case is the cleaner example of fast exploitation, and that one moved quickly specifically because a PoC went public. The lack of a PoC means attackers were doing their own patch diffing or vulnerability research from scratch, and that's slower than copying someone else's work.

"The more useful question isn't why did this take two weeks, but why do organizations still need two weeks to patch something this severe?" posed Kratu. "Oracle EBS has now had three major exploitation events in under three years, and in every case the technical fix existed before the breach. That's not a detection problem. It's a remediation and patching velocity problem, especially for ERP systems where downtime risk makes security teams hesitant to patch quickly even with a 9.8 CVSS score sitting in front of them."

Shane Barney, chief information security officer at Keeper Security, added that security teams have long been operating on the assumption that a published PoC is the trigger for urgency; this case argues otherwise.

Barney said whoever built this exploit had no "how-to" manual to work from: They took Oracle's patch for CVE-2026-46817, worked backward to figure out exactly what changed in that File Transmission component, and built something that reliably triggers it against a live, unauthenticated system. The early activity being seen bears that out: attackers probing to see if they can pull arbitrary files off the server, the kind of test someone runs to confirm an exploit actually works before doing anything more serious with it.

"Waiting for confirmed in-the-wild exploitation before treating a flaw this severe as urgent was never really safe, and this is a clear example of why," said Barney. "Two weeks is roughly the time it took to do that work. It's also roughly the time most organizations need to safely test and deploy a fix to a system like E-Business Suite, where Payments and Financials modules are involved and a bad rollout can cause its own outage."

Denis Calderone, chief technology officer at Suzu Labs, said the Clop campaign that exploited CVE-2025-61882 across more than 100 Oracle EBS environments proved two things: First, that Oracle EBS is a target-rich environment full of financial, HR, and procurement data worth serious extortion money. And second, that a lot of organizations are running internet-exposed EBS instances and not patching fast enough.

"CVE-2026-46817 looks like what follows when that kind of spotlight gets put on a platform," said Calderone. "Different actors, different component, but the same exposed attack surface. And this time, the target is Oracle Payments' File Transmission module, the component that formats and transmits payment instructions, ACH batches, wire transfers, and EFT files directly to financial institutions."

John Watters, chief executive officer at iCounter, added that this isn't just a critical Oracle bug: It's a real-world example of adversaries moving from patch release to exploitation in weeks, even without a public PoC.

"For enterprises, the risk extends beyond their own Oracle environment," said Watters. "Oracle EBS often sits at the center of payments, finance, supplier workflows, and business-critical operations. That makes exposure across subsidiaries, vendors, managed service providers, payment processors, and other third parties especially important to understand. The key question is no longer if Oracle issued a patch. The real question is which parts of our ecosystem are exposed, targeted, exploitable, and relevant to our business right now?"
SC Media's daily must-read of the most current and pressing daily news