More than 900 internet-facing Oracle E-Business Suite (EBS) systems have been identified as being exposed while cybercriminals actively target a newly discovered security flaw. Security researchers say attackers have already started exploiting the vulnerability against vulnerable servers. The issue affects Oracle Payments, an important part of Oracle E-Business Suite used by many organizations worldwide.

The vulnerability is tracked as CVE-2026-46817 and has received a critical CVSS severity score of 9.8. It exists in the File Transmission component of Oracle Payments and allows attackers to compromise affected systems remotely. The attack requires no authentication and only HTTP network access, making it easier for attackers to exploit unpatched servers.
Oracle released a security update for this flaw as part of its May 2026 Critical Patch Update and strongly advised customers to install it immediately. At the time of the patch release, Oracle had not confirmed any active exploitation. However, cybersecurity experts are now warning that attackers have already begun using the flaw against real targets.

Threat intelligence company Defused reported that it detected exploitation attempts over the weekend using Oracle E-Business Suite honeypots. According to the researchers, this is the first known real-world exploitation of the vulnerability. They also noted that no public proof-of-concept exploit is available, suggesting the attackers developed or obtained their own working exploit.
Internet security organization Shadowserver has also been monitoring the situation and found around 950 Oracle E-Business Suite instances exposed online. It is still unknown how many of these systems have already been updated with Oracle’s security patch. Any internet-facing server that remains unpatched could be at serious risk of compromise.

Security experts believe organizations using Oracle E-Business Suite for financial operations, procurement, payroll, and other business services should treat this issue as a high priority. Since the flaw can be exploited remotely without user interaction, exposed systems may be taken over if they are not properly secured. Restricting internet access and applying the latest patches are considered essential defensive measures.
The latest attacks continue a growing trend of cybercriminals targeting Oracle enterprise software. In recent months, Oracle products including WebLogic Server and PeopleSoft have also faced active exploitation campaigns. Some of these attacks have been linked to well-known threat groups, leading to data theft and security incidents affecting multiple organizations.

Cybersecurity agencies and researchers recommend that all Oracle E-Business Suite administrators verify their patch status immediately, especially for versions 12.2.3 through 12.2.15. They should also review system logs for suspicious activity and limit public exposure wherever possible. Acting quickly can significantly reduce the risk of attackers taking control of vulnerable Oracle environments.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news