• 2 min read
CISA gives feds until Saturday to patch Oracle EBS flaw
CISA says federal agencies must patch Oracle E-Business Suite by July 18 after active exploitation of CVE-2026-46817 was confirmed.

Image: BleepingComputer
The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to lock down vulnerable Oracle E-Business Suite systems by Saturday, July 18, after confirming active exploitation of a critical flaw in the platform’s financial software.
The bug, tracked as CVE-2026-46817, affects the File Transmission component in Oracle Payments for Oracle EBS. According to CISA, it lets an unauthenticated attacker with HTTP network access compromise Oracle Payments in a low-complexity attack, potentially leading to a full takeover of affected systems.
Oracle shipped fixes in its May 2026 Critical Security Patch Update and urged customers to apply them immediately.
“In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.” “Oracle therefore strongly recommends that customers remain on actively-supported versions and apply security patches without delay.”
Oracle has not publicly marked CVE-2026-46817 as exploited in the wild, but Defused said on June 29 that it observed attackers using the flaw against its Oracle E-Business honeypots.

Recommended reading
Spirals ransomware hit a network in under 24 hours
“CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists.”
Shadowserver is currently tracking more than 1,000 internet-exposed Oracle EBS instances, with more than half located in the United States. It is unclear how many are honeypots or have already been patched.
On Wednesday, CISA added the bug to its Known Exploited Vulnerabilities catalog and told agencies to remediate it under Binding Operational Directive 26-04.
“Oracle E-Business Suite contains an improper privilege management vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments.” “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
The order follows other recent Oracle-related emergency patch directives. In October, CISA told agencies to fix the actively exploited Oracle E-Business Suite SSRF flaw CVE-2025-61884. In June, it also ordered them to patch Oracle WebLogic Server flaw CVE-2024-21182, a high-severity issue fixed two years earlier that is now being actively exploited.
Over the last several years, CISA has identified 43 exploited vulnerabilities across Oracle products, including 12 that were also used by ransomware gangs.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


