2 min read

CISA gives feds until Saturday to patch Oracle EBS flaw

CISA says a critical Oracle E-Business Suite bug is under active attack and federal agencies must patch by July 18.

Image: BleepingComputer

The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to secure vulnerable Oracle E-Business Suite systems by Saturday, July 18, after confirming active exploitation of a critical flaw in the platform’s financial software.

The bug, tracked as CVE-2026-46817, affects the File Transmission component of EBS’s Oracle Payments product. According to CISA, the vulnerability allows unauthenticated attackers with HTTP network access to take over vulnerable systems in low-complexity attacks. Oracle shipped fixes in its May 2026 Critical Security Patch Update and urged customers to apply them immediately.

Oracle had warned when it released the patch that some attacks succeeded because customers had not installed available updates.

Recommended reading

TfL hackers get 5.5 years over Scattered Spider attack

“In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.” “Oracle therefore strongly recommends that customers remain on actively-supported versions and apply security patches without delay.”

Oracle

While Oracle itself had not marked CVE-2026-46817 as exploited in the wild, threat intelligence firm Defused said on June 29 that it observed attackers exploiting the flaw against its Oracle E-Business honeypots.

“CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists.”

Defused

Shadowserver is now tracking more than 1,000 internet-exposed Oracle EBS instances, with more than half located in the United States. It is unclear how many are honeypots or have already been patched.

!Oracle EBS instances exposed online.jpg)

On Wednesday, CISA added the flaw to its Known Exploited Vulnerabilities catalog and directed agencies to patch under Binding Operational Directive 26-04.

“Oracle E-Business Suite contains an improper privilege management vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments.” “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

CISA

This is the latest Oracle issue to trigger a federal patch order. In October, CISA told agencies to fix an unauthenticated SSRF flaw in Oracle E-Business Suite, CVE-2025-61884, after it was found under active attack. In June, it issued a similar order for Oracle WebLogic Server flaw CVE-2024-21182, a high-severity bug patched two years ago that is now being exploited.

Over the past several years, CISA has flagged 43 Oracle product vulnerabilities as exploited in the wild, including 12 that were also used by ransomware gangs.

Test every layer before attackers do
Test every layer before attackers do
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading