Active exploitation of Oracle E-Business Suite and PeopleSoft flaws (CVE-2026-46817, CVE-2026-35273)

malware | open | Jun 12, 2026 — Jun 30, 2026
Attackers actively exploit the Oracle E-Business Suite flaw CVE-2026-46817

Attackers have been observed actively exploiting a critical flaw in Oracle E-Business Suite that grants unauthenticated access to the Payments module, according to recent threat intelligence. The vulnerability, tracked as CVE-2026-46817, affects releases from 12.2.3 through 12.2.15 and carries a CVSS rating of 9.8.

The flaw resides in the Oracle Payments component, where insufficient authentication checks allow remote attackers to submit arbitrary requests without credentials. Successful exploitation can lead to data disclosure, manipulation of payment transactions or further lateral movement within the affected ERP environment.

Oracle issued a security update for the flaw in its June 2026 Critical Patch Update, yet the vulnerability had no public proof‑of‑concept code before the attacks began. Threat intelligence links the activity to the financially motivated group ShinyHunters, which has been seen scanning for exposed Oracle Payments endpoints.

U.S. CISA has added the issue to its known exploited vulnerabilities catalogue and is monitoring related flaws in Oracle suites. Separately, a critical bug in Oracle PeopleSoft (CVE-2026-35273) has also been flagged, though it is not currently linked to the E-Business Suite attacks.

Network defenders should prioritize applying the Oracle patch to all instances running the affected versions. Where immediate patching is not feasible, administrators are advised to restrict access to the Payments web interfaces to trusted IP ranges and to enable multi‑factor authentication for any remote admin consoles. Reviewing web server logs for unexpected POST or GET requests to the Payments servlet can help identify ongoing exploitation attempts.
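The log review described above can be scripted. The following is an added example, not code from Oracle or from this briefing: it scans combined-format access logs for GET or POST requests to the Payments path from clients outside the trusted ranges. The briefing does not give the servlet path, so `PAYMENTS_PREFIX` is a placeholder, and the trusted ranges and sample log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumptions, not values from the advisory: replace both for your environment.
PAYMENTS_PREFIX = "/PLACEHOLDER/payments/"  # placeholder for the Payments servlet path
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Apache/NGINX "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_trusted(client):
    """True only if the client field is an IP inside a trusted range."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or malformed value: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_suspect_requests(lines, prefix=PAYMENTS_PREFIX):
    """Group GET/POST hits on the Payments path from untrusted clients by IP."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("GET", "POST"):
            continue
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m["target"].split("?", 1)[0]).lower()
        if path.startswith(prefix.lower()) and not is_trusted(m["ip"]):
            hits.setdefault(m["ip"], []).append(
                (m["ts"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jun/2026:02:11:09 +0000] "POST /PLACEHOLDER/payments/submit HTTP/1.1" 200 512 "-" "curl/8.5"',
    '10.1.2.3 - - [14/Jun/2026:02:12:00 +0000] "POST /PLACEHOLDER/payments/submit HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jun/2026:02:11:15 +0000] "GET /PLACEHOLDER/%70ayments/status?id=1 HTTP/1.1" 200 120 "-" "curl/8.5"',
    '198.51.100.20 - - [14/Jun/2026:03:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in find_suspect_requests(SAMPLE_LOG).items():
        print(ip, len(reqs), "request(s)")
        for ts, method, target, status in reqs:
            print("   ", ts, method, target, status)
```

Successful (2xx) responses to untrusted clients on this path deserve the first look, since the flaw allows requests without credentials.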

Updating intrusion detection signatures to flag the specific payloads associated with CVE-2026-46817 will improve detection coverage. Organisations should also validate that default credentials have been changed and that unnecessary services on the application server are disabled.

Intelligence briefing updated Jun 30, 2026

CVE-2026-35273 9.8 KEV CVE-2026-46817 9.8 ShinyHunters
Root source: nvd.nist.gov