CISA orders feds to patch actively exploited Oracle flaw by Saturday

Oracle

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems by Saturday against ongoing attacks exploiting a critical vulnerability in the Oracle E-Business Suite (EBS) financial application.

Discovered in the File Transmission component of EBS's Oracle Payments product and tracked as CVE-2026-46817, this security flaw allows unauthenticated threat actors with HTTP network access to take over vulnerable systems in low-complexity attacks.

Oracle released security updates to address the security issue with its May 2026 Critical Security Patch Update, urging customers to patch their systems immediately.

"In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches," the company warned at the time. "Oracle therefore strongly recommends that customers remain on actively-supported versions and apply security patches without delay."

While Oracle has not yet flagged CVE-2026-46817 as exploited in the wild, threat intelligence company Defused said on June 29 that malicious actors had begun exploiting it in the wild.

"CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists," Defused noted.

​Internet security watchdog Shadowserver now tracks over 1,000 Internet-exposed Oracle EBS instances, more than half of them in the United States. However, there is no information on how many of them are honeypots or have already been secured against ongoing CVE-2026-46817 attacks.

Oracle EBS instances exposed online
Oracle EBS instances exposed online (Shadowserver)

On Wednesday, CISA also confirmed that hackers are actively exploiting the vulnerability, adding it to its list of known exploited security flaws, and ordering U.S. government agencies to patch vulnerable Oracle EBS instances by Saturday, July 18, as mandated by Binding Operational Directive (BOD) 26-04.

"Oracle E-Business Suite contains an improper privilege management vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments," CISA said.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."

In October, the cybersecurity agency also ordered government agencies to patch an unauthenticated server-side request forgery (SSRF) vulnerability (CVE-2025-61884) in Oracle E-Business Suite, after flagging it as actively exploited in the wild.

More recently, in June, it ordered them to secure their systems against a high-severity Oracle WebLogic Server flaw (CVE-2024-21182) that was patched two years ago and is now actively exploited in attacks.

Over the last several years, CISA has flagged 43 security issues across various Oracle products that have been exploited in the wild, 12 of them also abused by ransomware gangs.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper
source: BleepingComputer