Based on menace intelligence agency Defused, attackers have begun exploiting a crucial vulnerability (tracked as CVE-2026-46817) within the Oracle E-Enterprise Suite (EBS) monetary utility.
This safety flaw was found within the file submission part of EBS’s Oracle Funds product and will enable an unauthenticated, malicious attacker with entry to the HTTP community to take over susceptible methods by way of a low-complexity assault.
Oracle launched a safety replace to deal with this vulnerability within the Could 2026 Important Safety Patch Replace and urged clients to patch their methods instantly.
“Oracle continues to usually obtain studies of makes an attempt to take advantage of vulnerabilities for which we have now already launched safety patches,” the corporate warned on the time.
“In some circumstances, assaults have been reported to have been profitable as a result of focused clients didn’t apply obtainable Oracle patches. Oracle subsequently strongly recommends that clients proceed to make use of actively supported variations and apply safety patches immediately.”
Whereas Oracle has not but reported that the CVE-2026-46817 flaw is being exploited within the wild, Defused mentioned Monday that attackers are at the moment actively exploiting the flaw, with the primary try found over the weekend.
“CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Enterprise) is being exploited. Over the weekend, we noticed an attacker exploiting this vulnerability in our Oracle E-Enterprise honeypot. This vulnerability just isn’t recognized to have been beforehand exploited and no public POC code exists,” it warned.

Web safety monitoring group Shadowserver at the moment tracks greater than 450 Oracle EBS cases uncovered on-line, almost 200 of that are situated in america and Europe.
Nonetheless, there is no such thing as a info on what number of have already been protected against these ongoing assaults.

The Clop extortion group has exploited one other Oracle EBS safety flaw (CVE-2025-61882) in zero-day assaults focusing on a number of U.S. universities (together with Harvard College, College of Pennsylvania, Dartmouth Faculty, and College of Phoenix), the Washington Submit, Logitech, and GlobalLogic since early August 2025.
Earlier this month, the US Cybersecurity and Infrastructure Safety Company (CISA) additionally reported {that a} high-severity flaw (CVE-2024-21182) in Oracle WebLogic Server, which was patched two years in the past, is being actively exploited in assaults.
A couple of weeks later, the corporate mitigated a crucial zero-day vulnerability (CVE-2026-35273) in PeopleSoft Suite. This vulnerability was actively exploited within the ShinyHunter knowledge theft assault to permit unauthenticated distant code execution.
Over the previous few years, CISA has tagged 44 vulnerabilities in numerous Oracle merchandise as being exploited within the wild, 13 of which had been additionally utilized in ransomware assaults.
Safety groups doc 54% of profitable assaults and concern a warning on solely 14%. The remainder strikes invisibly by means of the atmosphere.
Picus’ whitepaper reveals how one can check your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
