Oracle E-Business Suite Oracle Payments CVE-2026-46817 actively exploited vulnerability: actively exploited vulnerability added to CISA KEV

Confirmed
Discovered Jul 15, 2026

CISA added CVE-2026-46817 affecting Oracle E-Business Suite / Oracle Payments File Transmission to the Known Exploited Vulnerabilities catalog on 2026-07-15. This post scopes exposure, affected/fixed evidence, and IR handling without treating advisory sites as IOCs.

2
Affected Packages
3
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
oracle-e-business-suite-oracle-payments, fixed:
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
Oracle
CVE-2026-46817
Oracle E-Business Suite / Oracle Payments File Transmission

Analysis

Executive Summary

CISA added CVE-2026-46817 for Oracle E-Business Suite / Oracle Payments File Transmission to the Known Exploited Vulnerabilities catalog on 2026-07-15, which is the active-exploitation gate for this Halting Problems entry [1]. CISA describes an unauthenticated attacker with network access via HTTP can compromise Oracle Payments; successful exploitation can result in takeover of Oracle Payments [1]. NVD records the affected product metadata and severity summarized below [3].

This entry is evidence-conservative. The reviewed sources provide active-exploitation status, product identity, affected-version or mitigation evidence, and vulnerability metadata, but they do not publish attacker-controlled infrastructure, file hashes, victim counts, or a campaign name. Source and advisory URLs are therefore kept as source selectors rather than IOC values.

Key Facts

CVE: CVE-2026-46817

Vendor: Oracle

Product / Component: Oracle E-Business Suite / Oracle Payments File Transmission (File Transmission)

KEV Added: 2026-07-15

KEV Due Date: 2026-07-18

Affected / Fixed or Mitigation Selectors:

  • oracle-e-business-suite-oracle-payments >= 12.2.3 <= 12.2.15
  • fixed: Oracle May 2026 Critical Patch Update for Oracle Payments File Transmission / E-Business Suite

CVSS: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Evidence Assessment

Analysis table
ClaimStatusEvidence
CISA lists CVE-2026-46817 as exploited in the wild for Oracle E-Business Suite / Oracle Payments File Transmission.confirmedCISA KEV records date added 2026-07-15 and an active-exploitation-driven required action [1].
Direct or enrichment sources describe product identity and affected scope.confirmedVendor/government and NVD references identify Oracle E-Business Suite / Oracle Payments File Transmission and the affected scope summarized above [2][3].
Public sources identify attacker infrastructure, hashes, or campaign attribution.not_observedCISA KEV, NVD, and linked references reviewed during this run do not publish those IOC classes.

Impact Determination

Treat exposed or business-critical Oracle E-Business Suite / Oracle Payments File Transmission deployments as high-priority until version, configuration, and mitigation evidence are captured. Because CISA added this item to KEV, defenders should prioritize exploitation triage rather than only patch compliance. Preserve logs and configuration state before remediation so exploitation success, persistence, and credential/session exposure can be assessed.

Detection and Hunting

The reviewed hunt manifest ships with scripts/scope_oracle-ebusiness-suite-cve-2026-46817-kev.py. It scans asset inventories and exported logs for CVE-2026-46817, Oracle, Oracle E-Business Suite / Oracle Payments File Transmission, affected/fixed selectors, source selectors, and product-specific telemetry phrases from the reviewed sources. Use it against CMDB exports, scanner exports, EDR file/log bundles, web/access logs, gateway logs, application logs, and incident evidence collected in a forensics-safe workspace.

Positive findings are scope signals, not proof of compromise. Escalate to product-specific IR by preserving UTC timelines, snapshots or hashes of relevant configs and logs, evidence owner, collection time, and chain-of-custody notes.

Remediation and Recovery Gates

  1. Inventory internet-facing Oracle E-Business Suite nodes and confirm whether Oracle Payments File Transmission is deployed.
  2. Apply the Oracle May 2026 Critical Patch Update or vendor mitigation for the affected E-Business Suite environment, then preserve before/after patch evidence.
  3. Review HTTP access logs, application logs, concurrent request logs, and Oracle Payments/File Transmission audit trails for unauthenticated access anomalies around the exposure window.
  4. If compromise is suspected, preserve web-tier and application-tier logs, database audit trails, wallet/config snapshots, and credential-use timelines before remediation.
  5. Decide whether Oracle Payments application credentials, database users, integration accounts, wallet material, and session material require rotation based on exploit-success evidence.

Indicators of Compromise

No attacker-controlled domains, URLs, hashes, or IP addresses were published by the sources reviewed for this entry. Machine-readable IOC fields are intentionally empty for those classes.

Open Questions

  • Which exploitation clusters are using CVE-2026-46817 in the wild?
  • Did vendor or researcher sources publish additional product-specific exploit telemetry after this automated refresh?
  • Are there environment-specific fixed build identifiers beyond the affected/fixed selectors recorded here?

Timeline

6 of 6 rows

Timeline
DateEventDescriptionSource
Jul 15, 2026DiscoveryDiscovery recorded for Oracle E-Business Suite Oracle Payments CVE-2026-46817 actively exploited vulnerability.oracle.com
Jul 18, 2026kev due datekev due date recorded for Oracle E-Business Suite Oracle Payments CVE-2026-46817 actively exploited vulnerability.oracle.com
Jul 15, 2026DisclosureDisclosure recorded for Oracle E-Business Suite Oracle Payments CVE-2026-46817 actively exploited vulnerability.oracle.com
Jul 15, 2026First seenFirst seen recorded for Oracle E-Business Suite Oracle Payments CVE-2026-46817 actively exploited vulnerability.oracle.com
Jul 15, 2026Patch or fixPatch or fix recorded for Oracle E-Business Suite Oracle Payments CVE-2026-46817 actively exploited vulnerability.oracle.com
Jul 15, 2026Oracle E-Business Suite Oracle Payments CVE-2026-46817 actively exploited vulnerability: actively exploited vulnerability added to CISA KEVUnknownoracle.com

Affected Software

2 of 2 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
oracle-e-business-suite-oracle-paymentsenterprise-software>= 12.2.3 <= 12.2.15Malicious90%oracle.com; cisa.gov; nvd.nist.gov
fixed:enterprise-softwareOracle May 2026 Critical Patch Update for Oracle Payments File Transmission / E-Business SuiteMalicious90%oracle.com; cisa.gov; nvd.nist.gov

IOC Clipboard

3 IOCs
commandOracle
commandCVE-2026-46817
commandOracle E-Business Suite / Oracle Payments File Transmission

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Oracle E-Business Suite CVE-2026-46817 asset and telemetry scopePythonDo inventories/logs contain CVE-2026-46817, Oracle, Oracle E-Business Suite / Oracle Payments File Transmission, affected-version, mitigation, or telemetry selectors?scripts/scope_oracle-ebusiness-suite-cve-2026-46817-kev.py opens in a new taboracle.com

Hunt Manifest: Oracle E-Business Suite CVE-2026-46817 asset and telemetry scope

Title
Oracle E-Business Suite CVE-2026-46817 asset and telemetry scope
Question
Do inventories/logs contain CVE-2026-46817, Oracle, Oracle E-Business Suite / Oracle Payments File Transmission, affected-version, mitigation, or telemetry selectors?
Telemetry Family
Python
Repository
scripts/scope_oracle-ebusiness-suite-cve-2026-46817-kev.py
Show tested hunting scriptscripts/scope_oracle-ebusiness-suite-cve-2026-46817-kev.py
scripts/scope_oracle-ebusiness-suite-cve-2026-46817-kev.py opens in a new tabPython
#!/usr/bin/env python3
"""Scope Oracle E-Business Suite CVE-2026-46817 exposure from local inventories and exported logs."""
from __future__ import annotations
import json, os, sys
from pathlib import Path
CVE_IDS=['CVE-2026-46817']
VENDOR='Oracle'
PRODUCT='Oracle E-Business Suite / Oracle Payments File Transmission'
AFFECTED_VERSION_SELECTORS=['oracle-e-business-suite-oracle-payments >= 12.2.3 <= 12.2.15']
FIXED_OR_MITIGATION_SELECTORS=['fixed: Oracle May 2026 Critical Patch Update for Oracle Payments File Transmission / E-Business Suite']
SOURCE_SELECTORS=['https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json', 'https://www.oracle.com/security-alerts/cspumay2026.html', 'https://nvd.nist.gov/vuln/detail/CVE-2026-46817', 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-46817']
DOMAINS=[]; HASHES=[]; URLS=[]; FILES=[]; NETWORK_PATTERNS=[]
PROCESS_PATTERNS=['Oracle E-Business Suite / Oracle Payments File Transmission', 'Oracle', 'CVE-2026-46817']
PRODUCT_TELEMETRY_PATTERNS=['Oracle Payments', 'Oracle E-Business Suite', 'File Transmission', '12.2.3', '12.2.15', 'May 2026 Critical Patch Update', 'CVE-2026-46817', 'HTTP', 'Oracle Payments takeover']
INDICATORS=list(dict.fromkeys(CVE_IDS+[VENDOR,PRODUCT]+AFFECTED_VERSION_SELECTORS+FIXED_OR_MITIGATION_SELECTORS+SOURCE_SELECTORS+PRODUCT_TELEMETRY_PATTERNS))
OUT=os.environ.get('OUT','hp-oracle-ebusiness-suite-cve-2026-46817-kev-scope')
TEXT_SUFFIXES={'.csv','.json','.jsonl','.txt','.log','.yaml','.yml','.xml','.conf','.ini','.md'}
EXCLUDED_DIR_NAMES={'.git','node_modules','vendor','dist','__pycache__','.venv'}
def read_text(path: Path)->str:
    try: return path.read_text(encoding='utf-8', errors='ignore')
    except Exception: return ''
def iter_files(root: Path):
    if root.is_file(): yield root; return
    for p in root.rglob('*'):
        if p.is_file() and not any(part in EXCLUDED_DIR_NAMES for part in p.parts):
            if not p.suffix or p.suffix.lower() in TEXT_SUFFIXES: yield p
def scan(root: Path):
    matches=[]; lowered=[s.lower() for s in INDICATORS if s]
    for path in iter_files(root):
        low=read_text(path).lower(); hits=sorted({INDICATORS[i] for i,s in enumerate(lowered) if s in low})
        if hits: matches.append({'path':str(path),'hits':hits})
    return matches
def main(argv=None):
    argv=argv or sys.argv[1:]; root=Path(argv[0]) if argv else Path('.')
    matches=scan(root); out_dir=Path(OUT); out_dir.mkdir(parents=True, exist_ok=True)
    report={'cves':CVE_IDS,'vendor':VENDOR,'product':PRODUCT,'affected_version_selectors':AFFECTED_VERSION_SELECTORS,'fixed_or_mitigation_selectors':FIXED_OR_MITIGATION_SELECTORS,'match_count':len(matches),'matches':matches}
    (out_dir/'scope_report.json').write_text(json.dumps(report,indent=2),encoding='utf-8')
    print(json.dumps({'cves':CVE_IDS,'match_count':len(matches),'report':str(out_dir/'scope_report.json')},indent=2))
    return 2 if matches else 0
if __name__=='__main__': raise SystemExit(main())

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
oracle.comSecurity Researcher95%1CISA added CVE-2026-46817 affecting Oracle E-Business Suite / Oracle Payments File Transmission to the Known Exploited Vulnerabilities catalog on 2026-07-15. This post scopes exposure, affected/fixed evidence, and IR handling without treating advisory sites as IOCs.
cisa.govSecurity Researcher95%2CISA added CVE-2026-46817 affecting Oracle E-Business Suite / Oracle Payments File Transmission to the Known Exploited Vulnerabilities catalog on 2026-07-15. This post scopes exposure, affected/fixed evidence, and IR handling without treating advisory sites as IOCs.
nvd.nist.govSecurity Researcher95%1CISA added CVE-2026-46817 affecting Oracle E-Business Suite / Oracle Payments File Transmission to the Known Exploited Vulnerabilities catalog on 2026-07-15. This post scopes exposure, affected/fixed evidence, and IR handling without treating advisory sites as IOCs.