Oracle Flaw Forces Urgent Federal Patch
CISA mandates federal agencies secure Oracle E-Business Suite systems by Saturday to mitigate active exploitation risks.
A critical security vulnerability within the Oracle E-Business Suite (EBS) has escalated into a mandatory remediation priority for U.S. federal agencies. With the discovery of active exploitation in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a strict deadline for securing affected systems to prevent unauthorized control of enterprise financial applications.
Critical Flaw in Payments Component
The vulnerability, cataloged as CVE-2026-46817, resides within the File Transmission component of Oracle Payments. It presents a severe risk because it allows an unauthenticated threat actor with standard HTTP network access to seize control of vulnerable servers through low-complexity attack vectors.
Oracle initially addressed the flaw as part of its May 2026 Critical Security Patch Update. Despite the availability of these patches, the persistence of the vulnerability in unpatched environments has provided a window of opportunity for malicious actors to conduct unauthorized activities.
CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists.
— Defused, threat intelligence company
Mandate for Federal Infrastructure
CISA has formally added this vulnerability to its list of known exploited security flaws. Following this classification, the agency invoked Binding Operational Directive (BOD) 26-04, which requires all federal departments to patch their Oracle EBS instances no later than Saturday, July 18.
Government officials have underscored the gravity of the situation, noting that such flaws are frequently leveraged as primary attack vectors. The agency confirmed the compromise risk, stating that successful exploitation leads directly to the takeover of the Oracle Payments module.
- CVE-2026-46817 carries a CVSS score of 9.8.
- Over 1,000 Internet-exposed Oracle EBS instances are currently tracked by Shadowserver.
- CISA has flagged 43 security issues across Oracle products that have been exploited in the wild to date.
Persistent Risks in Enterprise Software
The urgency of the current mandate reflects a broader pattern of ongoing attacks against legacy and enterprise-grade software. CISA has previously intervened regarding other vulnerabilities in the Oracle ecosystem, including CVE-2025-61884 and the long-standing CVE-2024-21182. For private sector organizations, these directives serve as a warning that relying on outdated security postures leaves critical infrastructure vulnerable to sophisticated exploitation, even when patches have been publicly available for months.
Continue Reading
Critical Remote Code Execution Flaw Discovered in SetParameter Command
A critical vulnerability identified as CVE-2023-49900 allows unauthenticated remote attackers to execute arbitrary code due to improper input sanitization.
CISA Adds KNX Protocol Connection Authorization Flaw to KEV Catalog
A critical account lockout vulnerability in the KNX Protocol Connection Authorization Option 1 is currently being exploited in the wild.
CISA Adds Actively Exploited Oracle E-Business Suite Flaw to KEV
An improper privilege management vulnerability in Oracle E-Business Suite is currently being exploited in the wild, risking full takeover of Oracle Payments.