Vulnerability Management, Patch/Configuration Management

Critical Oracle EBS bug added to CISA list of exploited vulnerabilities

(Credit: Rafael Henrique – stock.adobe.com)

The Cybersecurity and Infrastructure Security Agency (CISA) added a critical Oracle E-Business Suite (EBS) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies three days to patch under its latest binding operational directive.

The flaw, tracked as CVE-2026-46817, has a CVSS score of 9.8 and could allow an unauthenticated attacker to remotely compromise and take over the Oracle Payments component of Oracle EBS. A successful attack requires network access to Oracle EBS over HTTP.

The vulnerability was first disclosed and patched in May 2026, with Oracle EBS versions 12.2.3-12.2.15 being affected. Oracle’s May 2026 security alert indicated that the flaw specifically affects a file transmission component of Oracle Payments, requires no user interaction or privileges to exploit and could have a high impact on confidentiality, integrity and availability.

Exploitation of CVE-2026-46817 was first reported by threat intelligence firm Defused on June 27, 2026, with six unauthenticated file-read attempts made by a single source. Defused noted that the attempts represented a “targeted proof-of-concept, not broad scanning,” while no public proof-of-concept yet existed for the flaw. Defused’s report also indicates that the attack attempts originated from an IP address located in Europe.

Federal civilian executive branch (FCEB) agents are ordered to patch CVE-2026-46817 by Saturday, July 18. CISA’s latest binding operational directive (BOD) shortens remediation deadlines for certain severe vulnerabilities to three days, while also requiring a forensic triage of affected assets in some cases, including in this case.

CVE-2026-46817 is noted to be susceptible to automated exploitation with a potential technical impact of total control, contributing to the BOD requirements. Vulnerable Oracle products have been heavily targeted in the past, with a critical Oracle EBS flaw patched in October 2025, tracked as CVE-2025-61882, subjected to attacks by the Clop ransomware gang. Clop’s campaign against Oracle EBS is believed to have impacted more than 100 organizations since last fall, including Madison Square Garden, Michelin, The Washington Post and Harvard University.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds