defense · TheHackerNews
Oracle E-Business Suite versions 12.2.3 through 12.2.15 are affected by CVE-2026-46817, a critical privilege management and authentication flaw in Oracle Payments (CVSS 9.8). According to Defused Cyber, the vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Payments instances and achieve takeover. Patches were released by Oracle in its Critical Security Patch Update last month. Active exploitation was observed over a recent weekend on honeypots, though no public proof-of-concept code exists and the specific exploitation method, attacker identity, and campaign scope remain undisclosed.
Organizations using Oracle E-Business Suite—particularly defense contractors managing controlled unclassified information (CUI) and SaaS platforms subject to SOC2 audits—should prioritize immediate patching of affected versions. CMMC Level 3 compliance and NIST 800-171 requirements mandate rapid vulnerability remediation once exploits appear in the wild. Given the unauthenticated remote nature of this flaw, unpatched instances represent a direct control failure under these frameworks. An Omniware engagement can scope inventory of affected Oracle deployments, assess patch timelines, and verify compensating controls if immediate patching is infeasible.
Source: The Hacker News - https://thehackernews.com/2026/06/oracle-e-business-suite-flaw-cve-2026.html
Source: TheHackerNews
All briefings