Oracle E-Business Suite under attack via critical flaw before exploit code emerged

Attackers have been caught exploiting a critical vulnerability in Oracle E-Business Suite just six weeks after Oracle released a patch — and before any public proof-of-concept exploit code was available.

The flaw, tracked as CVE-2026-46817 and carrying a CVSS score of 9.8 (critical), resides in the Oracle Payments File Transmission component of Oracle E-Business Suite. It allows unauthenticated attackers to read arbitrary files from vulnerable servers. Affected versions include releases 12.2.3 through 12.2.15.

According to security firm Defused, the exploitation did not resemble indiscriminate internet scanning. Its honeypots recorded just six exploitation attempts from a single source, all using what appeared to be a working exploit. The requests sought to retrieve sensitive files from the target system, suggesting the operator was testing or validating the technique.

The fact that exploitation began before any public exploit code had surfaced points to an attacker who had either reverse-engineered Oracle’s patch or obtained a private exploit. This is an increasingly common pattern: critical security updates can serve as roadmaps for attackers willing to analyze the fix and build an exploit before customers have deployed it.

Oracle addressed the vulnerability in its May 2026 Critical Patch Update (CPU). The Shadowserver Foundation estimates that approximately 950 Oracle E-Business Suite instances remain exposed to the public internet, the majority in the United States.

The incident follows a similar pattern earlier in June, when a PeopleSoft zero-day was exploited before widespread patching, with the ShinyHunters group claiming more than 100 organizations compromised.

Source: Oracle E-Business Suite was under attack via critical flaw before public exploit code was even released (The Register, July 2, 2026)