A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber.
The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), refers to an improper privilege management and authentication flaw in Oracle Payments that could be abused to take over susceptible instances.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments,” according to a description of the flaw in the NIST National Vulnerability Database (NVD). “Successful attacks of this vulnerability can result in the takeover of Oracle Payments.”
The shortcoming impacts versions from 12.2.3 through 12.2.15. Patches for the flaw were shipped by Oracle as part of its Critical Security Patch Update last month.
CVE-2026-46817 has since come under active exploitation, with Defused Cyber noting on Monday that “over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots,” adding “this vulnerability has no known previous exploitation and no public PoC [proof-of-concept] code exists.”
That said, there are currently no details available on how the security flaw is being exploited, who is behind them, and if it’s part of a broader opportunistic or targeted campaign aimed at unpatched systems.
Late last year, another critical flaw in the same product (CVE-2025-61882, CVSS score: 9.8) was weaponized by threat actors linked to the Cl0p ransomware operation, with early attacks launched as far back as August 2025.
Earlier this month, the company addressed a critical missing authentication zero-day vulnerability in PeopleSoft Suite (CVE-2026-35273, CVSS score: 9.8) that was actively exploited in ShinyHunters data theft and extortion attacks.
Automaker Nissan has since acknowledged that it was among those impacted, stating it was the victim of a break-in that involved the exploitation of the PeopleSoft flaw, potentially exposing payroll records, bank details, Social Security numbers, and other personal and financial data belong to its employees in the U.S., Canada, Mexico, and Brazil.
“What stood out was that CVE-2026-35273 isn’t just another trivial, easy-to-exploit single-request vulnerability,” Jake Knott, principal security researcher at watchTowr, said in a statement. “The attack chain is considerably more involved, combining multiple vulnerabilities to plant a malicious file that doesn’t execute immediately but waits until the server restarts.”
“Where we would normally see simple bugs, this is a chain of multiple vulnerabilities, suggestive of a threat actor with genuine knowledge of and familiarity with the underlying codebase, and the ability to develop targeted capabilities against it.”
Knott also pointed out that threat actors are exploiting vulnerabilities faster than ever before, urging organizations to assume compromise and activate incident response processes to determine whether access was obtained before patches were applied, what was accessed, and whether persistence was established.
