defense · BleepingComputer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a critical vulnerability in Oracle E-Business Suite (EBS) by Saturday, July 18. Tracked as CVE-2026-46817, the flaw in the File Transmission component of Oracle Payments allows unauthenticated attackers with HTTP network access to compromise the system. Oracle released patches in May 2026, and threat intelligence firm Defused reported active exploitation beginning June 29. CISA confirmed ongoing attacks on Wednesday and added the vulnerability to its known exploited vulnerabilities list under Binding Operational Directive 26-04. Shadowserver reports over 1,000 Internet-exposed Oracle EBS instances, with more than half located in the United States.
Defense contractors and federal agencies relying on Oracle EBS for financial operations or supply-chain functions should treat this mandate as a baseline for their own vulnerability management timelines. Organizations subject to NIST 800-171 requirements (including those handling CUI) must demonstrate rapid patching of actively exploited critical flaws; delayed remediation can trigger compliance findings. Beyond government, any SaaS or healthcare provider running Oracle EBS should assess their exposure and patch status immediately, as the five-day window reflects the severity CISA assigns to in-the-wild exploitation. An Omniware engagement can scope inventory of Oracle instances, patch readiness, and broader vulnerability-management workflow gaps.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-oracle-flaw-by-saturday/
Source: BleepingComputer
All briefings