Back to News

Oracle EBS CVE-2026-46817 — CVSS 9.8 Actively Exploited 27 June 2026: The 10-Step UK SME Database Security Audit Plan Every Business Using Oracle Must Run This Week

Oracle EBS CVE-2026-46817 — CVSS 9.8 Actively Exploited 27 June 2026: The 10-Step UK SME Database Security Audit Plan Every Business Using Oracle Must Run This Week

On 27–28 June 2026 — a weekend that most UK IT teams were not watching — automated attack infrastructure began scanning for and exploiting CVE-2026-46817, a critical authentication bypass in Oracle’s E-Business Suite Payments module. The flaw, rated CVSS 9.8, requires no credentials, no user interaction, and nothing more than HTTP access to a vulnerable EBS instance. Once reached, it allows a remote attacker to take full control of Oracle Payments: read, modify and exfiltrate every supplier payment record, customer invoice, payroll run and financial journal in the system.

Oracle shipped patches in its May 2026 Critical Security Patch Update. Any UK organisation running Oracle E-Business Suite versions 12.2.3 through 12.2.15 without the May CPU is now operating an ERP system with a known-exploited, fully-weaponised critical flaw. This article breaks down exactly what happened, who is at risk, and the 10-step database security audit plan every UK SME must run before the exploit wave reaches smaller organisations.

9.8
CVSS score — maximum severity for CVE-2026-46817
27 Jun
Date active exploitation confirmed on honeypots by Defused Cyber
3
Oracle CVEs rated 9.8 actively exploited in 2026 — all in ERP modules
14 days
Cyber Essentials v3.3 patching window for critical fixes — already expired

What Oracle CVE-2026-46817 actually is — and why it matters beyond Oracle customers

Oracle E-Business Suite is the ERP platform used by a significant portion of UK manufacturing, professional services, finance and public-sector organisations with revenues above roughly £10 million. Its Oracle Payments module handles the most sensitive financial data in an organisation: supplier bank details, customer billing information, payroll inputs, and the authorisation chain for every outbound payment. CVE-2026-46817 is a flaw in this module’s File Transmission component — the part of the system that manages secure file exchange for payment processing.

The flaw involves improper privilege management and authentication. An unauthenticated attacker with network access via HTTP can exploit it to achieve a takeover of Oracle Payments — NIST’s description, verbatim. The attack requires no user action, no stolen credentials, and no prior foothold inside the network. Low-complexity attacks via HTTP: if your Oracle EBS server is reachable from the internet — even partially, even through a reverse proxy — you are exposed. This is the same class of flaw that drove the two prior Oracle ERP explosions in 2026: CVE-2026-35273 in PeopleSoft (ShinyHunters, June 2026) and CVE-2025-61882 in Oracle EBS (Cl0p, August 2025).

The reason this matters even to UK businesses that do not run Oracle is the supply chain. Oracle EBS customers include UK utilities, NHS trusts, local councils, large manufacturers, professional services firms, and financial institutions — the same organisations that are your customers, suppliers, and regulators. A compromised Oracle Payments system can push fraudulent payment instructions, alter bank details, access employee payroll records and issue dummy invoices before anyone notices. That financial fraud risk travels through supplier relationships.

The May 2026 patch was available — organisations simply have not applied it

Unlike the PeopleSoft zero-day (CVE-2026-35273), which was exploited before Oracle’s June 10 advisory, CVE-2026-46817 was patched 6–7 weeks before exploitation began. Oracle included the fix in its Critical Security Patch Update released in May 2026. Defused Cyber’s honeypot observations on 27–28 June 2026 confirmed that no public proof-of-concept existed — attackers reverse-engineered the fix independently, as threat actors routinely do. This means every organisation that applied the May 2026 CPU on time is already protected. Every organisation that did not is now exposed to a flaw that has working exploit code in threat actor hands.

How the Oracle ERP exploitation wave built up in 2026

CVE-2026-46817 is not an isolated event. It is the third critical Oracle ERP exploitation in 13 months, and the pattern tells a clear story about how professional threat groups now approach enterprise software. The timeline below shows how Oracle ERP has gone from a niche concern to the year’s most targeted enterprise application surface.

August 2025 — Cl0p targets Oracle E-Business Suite (CVE-2025-61882)
The Cl0p ransomware operation weaponises a critical authentication flaw in Oracle E-Business Suite (CVSS 9.8), with attacks beginning as early as August 2025. The vulnerability affected the same product line, demonstrating that Oracle EBS has become a priority target. This breach campaign exposed financial, payroll and HR data at dozens of organisations before patches were widely applied.
May 2026 — Oracle ships May 2026 Critical Security Patch Update
Oracle releases its quarterly CPU including the fix for CVE-2026-46817, affecting Oracle Payments in EBS versions 12.2.3 through 12.2.15. With the Cl0p EBS campaign and ShinyHunters PeopleSoft campaign both in the news, any patch team monitoring Oracle advisories had clear reason to prioritise this update. The 14-day Cyber Essentials v3.3 window for critical patches expired in mid-May 2026.
10 June 2026 — Oracle PeopleSoft zero-day CVE-2026-35273 disclosed
Oracle releases an out-of-band advisory for CVE-2026-35273, a CVSS 9.8 missing-authentication zero-day in PeopleSoft PeopleTools. Google confirms ShinyHunters (SHADOW-AETHER-015) had been exploiting this flaw before the advisory, breaching 100+ organisations in higher education. CISA adds it to the KEV catalog. Nissan later confirms it was among those compromised, with payroll, bank details and personal data exposed.
10 June 2026 — CISA Binding Operational Directive 26-04 issued
The US Cybersecurity and Infrastructure Security Agency issues BOD 26-04, establishing a risk-tiered patching framework: three calendar days for actively exploited, internet-accessible, automatable vulnerabilities. CISA explicitly encourages all private-sector partners to adopt the same model.
27–28 June 2026 — CVE-2026-46817 active exploitation confirmed
Defused Cyber announces it observed active exploitation of CVE-2026-46817 on Oracle EBS honeypots over the weekend. No public proof-of-concept existed — attackers developed their own exploit by reverse-engineering Oracle’s May 2026 patch. The exploits use simple HTTP requests, no authentication, consistent with automated opportunistic scanning.
30 June 2026 — Major cybersecurity publications report active exploitation
The Hacker News, Secarma and Bleeping Computer confirm active exploitation. Secarma issues a UK-specific advisory. This is the third CVSS 9.8 Oracle ERP flaw exploited in just over a year.
1 July 2026 — Today
Four days after confirmed exploitation began, the attack window is fully open. Automated scanning tools are searching for unpatched Oracle EBS instances globally. Any UK organisation still running EBS 12.2.3–12.2.15 without the May 2026 CPU is now operating a known-exploited system.

The Oracle Payments attack surface — why financial modules are the prize

Not every component of an ERP system is equally valuable to an attacker. Oracle Payments, the affected module, is arguably the highest-value target in an Oracle EBS installation. Understanding these is essential to communicating the urgency to non-technical stakeholders.

Supplier payment instructions (bank details, routing)
Highest value
Customer billing & invoice data
Very high value
Payroll bank account details
Very high value
Payment authorisation chain & approval limits
High value
Financial journal entries & audit trail
Significant value
IBAN/sort code/account number databases
High value
Integration tokens to bank payment networks
Very high value

An attacker who achieves takeover of Oracle Payments can: modify supplier bank details to redirect outbound payments to attacker-controlled accounts; access payroll bank details to enable identity theft and employee fraud; exfiltrate customer IBAN/sort codes for secondary attacks; read the payment authorisation threshold to understand what limits they need to bypass; and alter the audit trail to conceal the activity. All of this is financially motivated and directly monetisable without any ransomware deployment — making it a “quiet” attack that may not be detected until a supplier reports a missed payment or a bank reports an anomalous transfer.

How many UK organisations are affected?

Oracle does not publish its UK customer list, and EBS penetration into the UK SME market is genuinely difficult to estimate from public sources. The following donut reflects a best-estimate of the unpatched-to-patched ratio for Oracle EBS UK installations based on industry patch-rate benchmarks for quarterly CPU updates and the typical 6-to-12-week lag between CPU release and universal deployment across the installed base.

30%
Estimated share of Oracle EBS installations still unpatched 6 weeks after Oracle’s May 2026 CPU — the window of active exploitation

Industry benchmarks suggest that 4–6 weeks after a quarterly Oracle CPU, approximately 25–35% of the installed base has not yet applied the update. This is not negligence — EBS patches require controlled change-management windows, application-compatibility testing, and for complex multi-module installations, vendor support coordination. But it means a substantial number of UK EBS installations are currently in the exploit window, with a live CVSS 9.8 flaw on their Oracle Payments system and attackers actively scanning for them.

The Oracle ERP exposure grid — where UK SMEs score themselves

Not every Oracle EBS installation has the same risk profile. The score card below reflects the eight factors that determine whether an organisation is at genuine immediate risk from CVE-2026-46817.

CVE-2026-46817 exposure assessment — Oracle EBS UK installations
Oracle EBS Oracle Payments module internet-accessible (even via reverse proxy)High
May 2026 Oracle CPU not applied to all EBS nodesHigh
No WAF or application-layer filtering in front of EBSHigh
EBS Payments module used for live supplier and payroll processingHigh
No anomalous HTTP access monitoring on EBS application tierMid
Oracle EBS not network-segmented from general business systemsMid
No Oracle EBS access log review in last 30 daysMid
Cyber Essentials v3.3 14-day patching SLA not documented for ERP systemsLow

Any organisation scoring High on the first two rows is at immediate risk of exploitation right now. The combination of an internet-accessible Oracle Payments module and an unpatched May 2026 CPU is a direct path to system takeover with no other conditions required.

The full Oracle ERP 2026 vulnerability bill — cost by exposure band

The cost of a successful Oracle Payments compromise is highly variable but anchored to specific, measurable categories. The table below shows indicative recovery cost bands for UK organisations of different sizes based on the typical attack scenario: attacker accesses Oracle Payments, modifies supplier bank details, and makes a series of outbound payment diversions before the fraud is detected.

Organisation sizeTypical Oracle Payments transaction volumeEstimated fraud exposure windowIndicative direct loss if undetected for 5 days
SME (10–50 staff)£100k–£500k / month in supplier payments3–7 days until supplier reports non-receipt£15,000–£80,000
Mid-market (50–250 staff)£500k–£5m / month3–10 days until internal finance reconciliation£80,000–£800,000
Large (250–1,000 staff)£5m–£50m / month1–5 days (more controls, faster detection)£250,000–£2.5m
Enterprise (1,000+ staff)£50m+ / monthLess than 2 days (treasury controls, SWIFT monitoring)Variable but with automated detection controls

These figures do not include incident response costs (typically £15,000–£150,000 for a mid-market ERP breach), regulatory notification costs, reputational damage to supplier relationships, or the forensic audit required to confirm the full scope of access. For a UK SME without a cyber insurance policy that covers ERP system compromise, a single successful exploitation of CVE-2026-46817 can be existential.

Reactive versus proactive Oracle EBS security

Reactive posture

What most UK SMEs running Oracle EBS do today

  • Apply Oracle CPUs weeks or months after release, pending internal change control
  • No live patch-status inventory for EBS nodes
  • Oracle Payments partially reachable from internet via legacy integrations
  • EBS access logs not reviewed between patches
  • No WAF rules specific to Oracle EBS URL patterns
  • Discover compromise only after a supplier reports a missed payment
  • Cyber Essentials v3.3 14-day patching window not tracked for ERP systems
  • Oracle EBS managed by a third-party support provider with no security SLA

Proactive posture

Where Cloudswitched takes your database and ERP security

  • Oracle CPU patching scheduled within 14 days of release on a documented SLA
  • Live inventory of EBS nodes and their patch status maintained
  • Oracle Payments application tier fully isolated from internet ingress
  • EBS access log review integrated into regular IT admin cycle
  • WAF rules blocking Oracle-specific exploit patterns at the edge
  • Anomaly detection on Oracle Payments transaction patterns
  • Cyber Essentials v3.3 patching SLA documented and evidenced for ERP systems
  • Database security posture reviewed quarterly as part of IT admin programme

The 10-step database security audit plan every UK SME must run this week

This action plan applies whether or not you run Oracle EBS. Steps 1–5 are Oracle-specific; steps 6–10 are universal database-security controls that apply to any UK SME running business-critical database systems including PostgreSQL, MySQL, SQL Server, Oracle Database, and cloud database services.

Step 1 — Confirm Oracle EBS patch status against the May 2026 CPU
Day 0 — Immediate
Step 2 — Audit Oracle EBS network exposure (which nodes are internet-reachable?)
Day 0–1
Step 3 — Review Oracle Payments access logs for anomalous HTTP activity since 27 June
Day 1
Step 4 — Apply the May 2026 CPU to all unpatched EBS nodes (emergency change if needed)
Day 1–3
Step 5 — Segment Oracle Payments from internet-facing zones using firewall or WAF rules
Day 2–5
Step 6 — Audit all other business-critical databases for equivalent exposure (PostgreSQL, MySQL, SQL Server)
Day 3–7
Step 7 — Verify database-level authentication (disable anonymous access, enforce MFA on admin roles)
Day 5–10
Step 8 — Enable database activity monitoring and set up anomaly alerts on financial tables
Day 7–14
Step 9 — Test backup restoration for Oracle EBS (specifically financial data isolation and recovery)
Day 10–21
Step 10 — Establish a quarterly Oracle CPU patching schedule aligned to the CE v3.3 14-day SLA
Ongoing
20%
Estimated share of UK SMEs with a documented Oracle EBS patching schedule aligned to CE v3.3 14-day SLA — leaving 80% exposed to the next CVE wave
Practical tip: block CVE-2026-46817 at the network layer even before patching

If you cannot apply the May 2026 CPU immediately due to change control or testing requirements, the fastest compensating control is network segmentation: block inbound HTTP access to your Oracle EBS server(s) from any untrusted source. Oracle Payments’ File Transmission component communicates over standard HTTP/HTTPS — a WAF rule blocking unauthenticated requests to the affected URL patterns (specifically /OA_HTML/IrcpInboundFile and related paths) will remove the immediately exploitable surface while you prepare the patch. This is a temporary measure, not a fix — apply the CPU as soon as the testing window allows.

What the Oracle ERP exploitation pattern tells UK businesses about database risk in 2026

Three critical Oracle ERP flaws in 13 months is not bad luck. It is evidence of a sustained, systematic effort by threat actors to exploit enterprise database and ERP systems as the most direct path to financial fraud and high-value data. The pattern has two components: discovery via automated vulnerability research (threat actors now use AI-assisted static analysis to find auth-bypass flaws in complex enterprise applications) and weaponisation via patch-diff reverse engineering (once Oracle ships a patch, groups with Oracle expertise analyse the diff to reconstruct the exploit, typically within 2–6 weeks).

The implication for UK businesses is that quarterly Oracle CPU application is no longer a best practice — it is a minimum-viable security posture. With three CVSS 9.8 Oracle ERP flaws in 13 months, the question is not whether another critical flaw will appear in Oracle Payments, PeopleSoft, E-Business Suite, or Oracle Database; it is when. The Cyber Essentials v3.3 14-day patching window and the CISA BOD 26-04 3-day framework for actively exploited vulnerabilities both reflect the same underlying reality: the exploitation clock starts the moment a patch is released, and it runs faster than most organisations’ change-management processes.

At-a-glance reference: CVE-2026-46817 and related Oracle ERP CVEs

CVEProductCVSSPatch availableActive exploitationThreat actor
CVE-2025-61882Oracle E-Business Suite9.8Oracle CPU Q3 2025August 2025Cl0p ransomware
CVE-2026-35273Oracle PeopleSoft PeopleTools9.810 June 2026 (out-of-band)Before June 10 (zero-day)ShinyHunters (SHADOW-AETHER-015)
CVE-2026-46817Oracle E-Business Suite (Payments)9.8Oracle CPU May 202627–28 June 2026Unknown (automated scanning)

All three flaws share the same properties: CVSS 9.8, unauthenticated, HTTP access, full-takeover impact. The pattern confirms that Oracle ERP’s authentication and privilege model in payment and HR modules is receiving sustained scrutiny from threat actors, and that quarterly patching is the single most effective defence.

Related articles from the Cloudswitched news series

This Oracle EBS exploitation sits within a broader pattern of ERP and enterprise software targeting in 2026. Our earlier briefings connect directly: the Cisco Unified CM VoIP exploit (CVE-2026-20230) showed the same pattern of a critical flaw exploited within weeks of patching; the June 2026 Patch Tuesday (206 CVEs) demonstrates how the volume of patch-management work creates the conditions for a 30% unpatched lag; the £2bn JLR cyberattack resilience plan illustrates the board-level cost of an ERP-level breach; and the Veeam 3-2-1-1-0 backup guide covers the immutable backup requirement that provides the safety net if Oracle EBS is compromised before the patch can be applied.

Is your Oracle EBS installation patched? Do you know for certain?

CVE-2026-46817 is exploited via automated HTTP scanning — once your instance is found, the attack takes seconds. Cloudswitched Database Reporting and IT Admin services include quarterly ERP patch-status audits, database access monitoring and the 14-day CE v3.3 patching SLA for critical fixes. If you are not certain your Oracle estate is patched, we can confirm it for you today.

Talk to us about Database Security

Frequently asked questions

What exactly is CVE-2026-46817 and which Oracle products are affected?
CVE-2026-46817 is an improper privilege management and authentication vulnerability in the File Transmission component of Oracle Payments, which is part of Oracle E-Business Suite. The flaw carries a CVSS score of 9.8 and allows an unauthenticated attacker with HTTP network access to achieve a full takeover of the Oracle Payments system. The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.15. Oracle PeopleSoft and Oracle Database are separate products and are not directly affected by this specific CVE, though the broader Oracle ERP attack surface includes PeopleSoft (CVE-2026-35273, also CVSS 9.8, also actively exploited in June 2026).
When was the patch available and when did exploitation begin?
Oracle included the fix for CVE-2026-46817 in its Critical Security Patch Update released in May 2026, approximately 6–7 weeks before active exploitation was confirmed. Defused Cyber observed the first exploitation attempts on its Oracle EBS honeypots over the weekend of 27–28 June 2026. There was no public proof-of-concept code at that point — attackers developed their own exploit by reverse-engineering Oracle’s patch. The Cyber Essentials v3.3 14-day window for critical patches expired in mid-May 2026, meaning organisations that applied the patch on schedule are already protected; those that did not are now exposed to active exploitation.
We run Oracle E-Business Suite but it is hosted by a third-party provider. Are we still at risk?
Potentially yes. Responsibility for Oracle CPU patching depends entirely on the service agreement with your provider. Many Oracle EBS managed-service contracts give the customer responsibility for application-layer patching, while the provider manages infrastructure. If you are not certain whether your provider applied the May 2026 CPU to your Oracle Payments module, you should confirm this in writing today. Ask specifically: “Has CVE-2026-46817 been remediated on our Oracle E-Business Suite installation, and can you provide the patch confirmation report?” If they cannot confirm it, treat the installation as unpatched until you receive written evidence.
Our Oracle EBS is on-premises and not directly internet-facing. Are we safe?
Safer, but not necessarily safe. The critical question is whether Oracle Payments is reachable via HTTP from any network that an attacker could reach — which includes your corporate VPN (if a VPN device is compromised), any integration endpoint that routes external traffic to EBS (such as supplier portals, EDI gateways, or bank payment file transfer services), or lateral movement from any other compromised internal system. A fully air-gapped EBS installation with no external integration points is effectively protected against this specific CVE. But if your EBS has any external integration — and almost every production EBS installation does — you should confirm the May 2026 CPU is applied.
We do not run Oracle EBS. Should we still take action?
Two reasons to act regardless. First, supply chain: if your customers, suppliers or regulators run Oracle EBS and are compromised, the attack can propagate through financial fraud (fake payment instructions from a compromised supplier’s Oracle Payments system), credential harvesting (EBS stores integration credentials that may be reused), or EDI/SFTP gateway compromise. Second, the pattern: this is the third CVSS 9.8 Oracle ERP flaw exploited in 13 months. If you run any database-driven financial, HR or ERP system — including QuickBooks, Xero with SQL integrations, Sage, or bespoke line-of-business applications — the same patch-discipline lessons apply. The 10-step database audit plan in this article is platform-agnostic and applies to any UK SME with a business-critical database estate.
What is the CISA BOD 26-04 and does it apply to UK businesses?
CISA Binding Operational Directive 26-04, issued on 10 June 2026, requires US federal civilian agencies to remediate actively exploited vulnerabilities within three calendar days when the flaw is internet-facing and the exploit is automatable. It does not directly apply to UK businesses. However, CISA explicitly encouraged all private-sector organisations globally to adopt the same risk-tiered patching model, and UK NCSC guidance aligns closely with CISA’s framing. For UK businesses, the most directly binding equivalent is Cyber Essentials v3.3, which mandates 14 days for critical patches on certified or certifying organisations. Both frameworks point to the same conclusion: waiting for a quarterly change-management window to apply a CVSS 9.8 actively-exploited patch is not an acceptable security posture in 2026.
How does this compare to the ShinyHunters Oracle PeopleSoft breach?
Both CVE-2026-46817 (Oracle EBS Payments) and CVE-2026-35273 (Oracle PeopleSoft) are CVSS 9.8, unauthenticated, HTTP-accessible takeover flaws. The key difference is timing: CVE-2026-35273 was a zero-day exploited before the advisory, meaning organisations had no warning. CVE-2026-46817 was patched in May 2026, six weeks before exploitation began, meaning organisations that applied the May CPU on time are already protected. The PeopleSoft campaign targeted primarily universities in the US; CVE-2026-46817 exploitation currently appears opportunistic and automated, targeting any unpatched EBS instance regardless of sector. The most significant difference is that Oracle Payments is a financial transaction system, making the direct fraud potential higher than the HR/payroll data targeted via PeopleSoft.
Is this covered by our cyber insurance?
It depends on your policy and when you applied the May 2026 CPU. Most UK cyber insurance policies include a “known vulnerability” exclusion: if a critical patch was available and the insurer can show you had not applied it within a reasonable window (increasingly defined as 14–30 days by underwriters aligning to CE v3.3), a claim arising from exploitation of that flaw may be partially or fully excluded. This is exactly the scenario for CVE-2026-46817 — patch available 6 weeks ago, exploitation now confirmed. The safest course is to apply the patch immediately and document the date of application.
What should we do if we think we may already have been compromised?
If you suspect exploitation has occurred, your immediate priorities are: contain (take the Oracle EBS server offline or restrict HTTP access at the network level); preserve (take a forensic snapshot of the server before applying any changes or patches, as this is required for incident response and insurance claims); review (examine Oracle Payments access logs and the File Transmission component logs for the period 27 June 2026 onwards, looking for unauthenticated HTTP requests to unusual paths); and notify (your cyber insurer’s 24-hour hotline, your managed security provider or incident response partner, and — if personal data was accessed — begin the ICO 72-hour clock). Do not patch first and investigate later if you suspect compromise: applying the patch may overwrite forensic evidence.

Oracle EBS patching and database security — handled systematically, not by crisis

CVE-2026-46817 is the third CVSS 9.8 Oracle ERP flaw exploited in 13 months. The pattern will continue. Cloudswitched Database Reporting and IT Admin services give your organisation a documented patching schedule, quarterly database security audits, and the CE v3.3 14-day SLA evidence trail — so that each new Oracle CPU is absorbed as scheduled maintenance, not managed as a weekend emergency.

Talk to us about Database Security & Reporting
Tags:Database ReportingCyber SecurityIT SupportNetwork Admin
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Database Reporting & Analytics

Custom dashboards, automated reports and powerful data search tools

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

24
  • IT Office Moves

Cloud Migration vs Physical Server Move: Which to Choose

24 Oct, 2025

Read more
20
  • AI

Azure OpenAI for Business

20 Mar, 2026

Read more
17
  • Cyber Security

BYOD and Cyber Essentials Plus: Managing Personal Devices

17 Jun, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.