Hackers now exploit critical Oracle E-Business flaw in attacks
Published: 2026-6-29 13:46:30 Author: www.bleepingcomputer.com

Attackers have begun exploiting a critical vulnerability (tracked as CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused.

This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks.

Oracle released security updates to address the vulnerability with its May 2026 Critical Security Patch Update and urged customers to patch their systems immediately.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches," the company warned at the time.

"In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply security patches without delay."

While Oracle has yet to flag the CVE-2026-46817 flaw as exploited in the wild, Defused said on Monday that attackers are now actively exploiting it, with the first attempts spotted over the weekend.

"CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists," it warned.

CVE-2026-46817 exploitation (Defused)

Internet security watchdog group Shadowserver now tracks over 450 Oracle EBS instances exposed online, nearly 200 of them in the United States and Europe.

However, there is no information on how many of them have already been secured against these ongoing attacks.

Oracle EBS instances exposed online (Shadowserver)

The Clop extortion gang exploited another Oracle EBS security flaw (CVE-2025-61882) in zero-day attacks targeting multiple U.S. universities (including Harvard University, the University of Pennsylvania, Dartmouth College, and the University of Phoenix), the Washington Post, Logitech, and GlobalLogic since early August 2025.

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also flagged a high-severity Oracle WebLogic Server flaw (CVE-2024-21182) that was patched two years ago as actively exploited in attacks.

Weeks later, the company mitigated a critical PeopleSoft Suite zero-day vulnerability (CVE-2026-35273), which was actively exploited in ShinyHunter data theft attacks and allows unauthenticated remote code execution.

Over the last several years, CISA has tagged 44 vulnerabilities across various Oracle products as exploited in the wild, 13 of which were also abused in ransomware attacks.

Source: https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-flaw-now-exploited-in-attacks/