Oracle E-Business Suite Vulnerability CVE-2026-46817 Comes Under Active Exploitation

A critical security vulnerability affecting Oracle E-Business Suite is now being actively exploited, according to cybersecurity firm Defused Cyber. The flaw, tracked as CVE-2026-46817 and assigned a CVSS score of 9.8, impacts Oracle Payments and could allow an unauthenticated attacker with network access through HTTP to take control of vulnerable systems. The vulnerability stems from improper privilege management and authentication weaknesses that enable attackers to compromise Oracle Payments without requiring valid credentials. According to the National Vulnerability Database, successful exploitation can result in the complete takeover of affected Oracle Payments instances. The issue impacts Oracle E-Business Suite versions 12.2.3 through 12.2.15, and Oracle released security patches for the vulnerability as part of its Critical Patch Update issued last month. Security experts are urging organizations that have not yet applied the updates to prioritize remediation as attacks against unpatched systems have now been observed.

Defused Cyber disclosed that it detected active exploitation of CVE-2026-46817 after monitoring its Oracle E-Business honeypot systems over the weekend. Researchers stated that the attacks are particularly significant because there had been no previously documented exploitation of the vulnerability and no publicly available proof-of-concept code at the time malicious activity was identified. Although active attacks have now been confirmed, there are currently no technical details explaining how the flaw is being exploited, the identity of the threat actors responsible, or whether the campaign is targeting specific organizations or scanning broadly for exposed Oracle environments. The lack of publicly available exploit information suggests the attackers may be using privately developed techniques, making early detection and rapid patch deployment especially important for organizations operating vulnerable Oracle E-Business Suite deployments.

The latest activity follows a series of significant security incidents involving Oracle enterprise software over the past year. During late 2025, threat actors associated with the Cl0p ransomware operation exploited another critical Oracle E-Business Suite vulnerability, CVE-2025-61882, which also carried a CVSS score of 9.8. Earlier this month, Oracle addressed another critical authentication bypass vulnerability affecting PeopleSoft Suite, tracked as CVE-2026-35273, which was actively exploited in data theft and extortion campaigns linked to ShinyHunters, also known as SHADOW AETHER 015. According to Trend Micro, one of the distinguishing characteristics of the PeopleSoft vulnerability was its limited visibility during exploitation. Researchers explained that the final code execution stage relied on Java’s XMLDecoder running within the application server’s own Java Virtual Machine, allowing malicious code to activate only after a server restart without creating child processes or generating outbound network activity that security monitoring tools would typically detect. This stealthy behavior made identifying compromised systems significantly more difficult during incident response activities.

The PeopleSoft attacks also affected major organizations, with Nissan confirming that it experienced a security breach involving exploitation of CVE-2026-35273. The company stated that the incident may have exposed payroll records, banking information, Social Security numbers, and other personal and financial data belonging to employees across the United States, Canada, Mexico, and Brazil. Security researchers at watchTowr noted that the PeopleSoft attacks involved a complex chain of multiple vulnerabilities rather than a single easily exploitable flaw, indicating that the attackers possessed an advanced understanding of the application’s internal architecture and were capable of developing highly targeted exploitation techniques. Researchers further warned that threat actors are reducing the time between vulnerability disclosure and active exploitation, making rapid patch deployment increasingly important. They also advised organizations to assume that compromise may have occurred before updates were applied and to initiate comprehensive incident response procedures to determine whether unauthorized access was obtained, identify any systems or information that may have been affected, and verify whether attackers established persistent access within enterprise environments.
