Introduction
An unauthenticated attacker can take over Oracle Payments by sending crafted HTTP requests to the File Transmission component, earning CVE-2026-46817 a CVSS 3.1 base score of 9.8 with High impacts across Confidentiality, Integrity, and Availability. This vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.15, covering 13 supported releases and spanning over a decade of deployments, and it arrives less than a year after the Cl0p/FIN11 threat group mass exploited a nearly identical Oracle EBS flaw (CVE-2025-61882) to breach over 100 organizations.
Technical Information
Vulnerability Overview
CVE-2026-46817 is located in the File Transmission component of the Oracle Payments product within Oracle E-Business Suite. The vulnerability was published to the NVD on May 28, 2026, with the source identifier [email protected]. No CWE ID has been assigned as of the publication date, which limits automated vulnerability classification and may indicate a novel or compound weakness type.
The File Transmission component is responsible for transferring payment related files (payment files, bank transmission files, and payment instructions) between Oracle Payments and external systems such as banks and payment processors. This makes it an inherently sensitive interface that is often exposed to network traffic for business partner connectivity.
CVSS 3.1 Vector Breakdown
The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8. Each component carries specific tactical implications:
| Vector Component | Value | Implication |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the internet; no physical or local access needed |
| Attack Complexity (AC) | Low | Minimal technical skill required; no special conditions must exist |
| Privileges Required (PR) | None | No authentication or credentials of any kind are needed |
| User Interaction (UI) | None | No phishing or social engineering required |
| Scope (S) | Unchanged | Impact is confined to the Oracle Payments component |
| Confidentiality (C) | High | Complete information disclosure; payment data fully exposed |
| Integrity (I) | High | Complete data modification; financial records can be altered |
| Availability (A) | High | Complete denial of access to the Oracle Payments service |
The combination of AV:N, AC:L, PR:N, and UI:N places this vulnerability in the most dangerous category: exploitable by any remote, unauthenticated attacker with minimal effort and no reliance on user behavior.
Attack Vector and Exploitation Method
The vulnerability is exploitable via the HTTP protocol. An attacker with network access can send crafted HTTP requests to the Oracle Payments File Transmission component without providing any credentials. Because the attack requires no authentication, no user interaction, and only low complexity exploitation, the barrier to entry is minimal.
Once a proof of concept is developed, it could be weaponized for mass scanning and automated exploitation across exposed Oracle EBS instances. This is consistent with the pattern observed during the CVE-2025-61882 exploitation campaign, where Rapid7 characterized the flaw as an arbitrary file upload vulnerability enabling unauthenticated remote code execution via HTTP.
Companion Vulnerability: CVE-2026-46818
The same File Transmission component has a second vulnerability, CVE-2026-46818, which is exploitable over HTTPS rather than HTTP. CVE-2026-46818 has a CVSS 3.1 score of 7.4 with High Attack Complexity, meaning exploitation is more difficult but remains unauthenticated. Its impacts are High for Confidentiality and Integrity but None for Availability.
This is an important detail for defenders: an organization that blocks HTTP at the perimeter but leaves HTTPS exposed might mitigate CVE-2026-46817 while remaining vulnerable to CVE-2026-46818. Both vulnerabilities must be addressed simultaneously to fully secure the File Transmission component.
Information Gaps
Several technical details remain unavailable as of the NVD publication date. No CWE classification has been assigned, no specific vulnerability type (e.g., SQL injection, arbitrary file upload, path traversal, deserialization) has been publicly disclosed, and no proof of concept code or detailed exploit chain has been published. The absence of a CWE ID prevents automated vulnerability correlation by security tools and frameworks, meaning manual review of the Oracle advisory and patch analysis is required to understand the root cause.
Threat Context and Exploitation Precedent
While no exploitation of CVE-2026-46817 has been confirmed as of its publication date, the vulnerability's profile warrants serious concern based on historical precedent.
CVE-2025-61882, a prior Oracle EBS zero-day with an identical CVSS 9.8 score and the same unauthenticated HTTP attack profile, was actively exploited by the Cl0p/FIN11 threat group. CrowdStrike identified a mass exploitation campaign, and Cl0p listed over 100 targeted organizations on its extortion site. Notable victims included Michelin (over 315GB of data leaked), Madison Square Garden (210GB leaked), and Korean Air. Rapid7 confirmed the attack involved an arbitrary file upload vulnerability enabling unauthenticated remote code execution via HTTP.
Earlier, CVE-2022-21587 (also CVSS 9.8) was exploited in the wild for botnet enrollment. QuorumCyber documented that exploitation involved uploading a Perl script via an arbitrary file upload vulnerability, which then used tools like curl or wget to download additional malicious components. This technique aligns with MITRE ATT&CK technique T1105 (Ingress Tool Transfer) for downloading tools and T1210 (Exploitation of Remote Services) for initial access.
The FIN11/Cl0p operational pattern involves discovering or acquiring zero-day vulnerabilities in enterprise software, mass scanning for exposed unpatched instances, exploiting vulnerabilities to exfiltrate data at scale, listing victim organizations on the Cl0p extortion site, and demanding ransom payments under threat of data publication. Their willingness to invest in Oracle EBS zero-days before disclosure indicates pre-positioned capability and strategic interest in this product family.
As of May 27, 2026, CISA's most recent KEV additions addressed three Cisco vulnerabilities (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133), unrelated to Oracle EBS. Organizations should monitor the KEV Catalog for updates on CVE-2026-46817 exploitation status.
Affected Systems and Versions
The following Oracle E-Business Suite versions are affected:
- Oracle Payments within Oracle E-Business Suite versions 12.2.3 through 12.2.15 (13 supported versions)
This spans virtually the entire supported lifecycle of the 12.2.x release train, indicating the vulnerability has been present in the File Transmission component for an extended period. Any organization running Oracle EBS 12.2.x that has not applied the May 2026 CSPU should assume it is exposed.
Oracle EBS customers range from small businesses (5.9% of the install base with 0 to 100 employees) to mid-sized firms (27.52% with 101 to 1,000 employees) and large enterprises. Many deployments are internet-facing for business partner and bank connectivity, which directly expands the attack surface for this HTTP-based vulnerability.
Vendor Security History
Oracle E-Business Suite has experienced a pattern of critical vulnerabilities with active exploitation in recent years:
| CVE | CVSS | Year | Exploitation Status | Threat Actor |
|---|---|---|---|---|
| CVE-2022-21587 | 9.8 | 2022 | Exploited in the wild | Unattributed (botnet enrollment) |
| CVE-2025-61882 | 9.8 | 2025 | Actively exploited (zero-day) | Cl0p / FIN11 |
| CVE-2025-61884 | Related | 2025 | Patched alongside CVE-2025-61882 | Same campaign |
| CVE-2026-46817 | 9.8 | 2026 | Not yet confirmed | Under investigation |
The recurrence of CVSS 9.8 unauthenticated HTTP exploitation vulnerabilities in Oracle EBS suggests systemic weaknesses in the product's externally facing components, particularly around file handling and transmission interfaces.
Oracle maintains a quarterly Critical Patch Update (CPU) cycle, supplemented by out-of-band Critical Security Patch Updates (CSPUs) for urgent vulnerabilities. The May 2026 CSPU contains 35 new security patches across multiple product families, with 12 patches targeting Oracle E-Business Suite alone. This concentration of patches in a single product family indicates significant vulnerability discovery activity.
Oracle explicitly warns in its advisory that attackers have been successful exploiting previously patched vulnerabilities when customers failed to apply available patches. The tension between Oracle's prompt patching cadence and the product's recurring vulnerability pattern means that customer patching discipline, rather than vendor response time, is the primary risk determinant.
References
- NVD: CVE-2026-46817
- Oracle Security Critical Patch Update Advisory, May 2026
- Oracle Security Alerts
- Oracle Security Alert: CVE-2025-61882
- CrowdStrike: Campaign Targeting Oracle E-Business Suite Zero-Day CVE-2025-61882
- Rapid7: Critical 0day in Oracle E-Business Suite Exploited in the Wild
- Tenable: CVE-2025-61882 FAQ, Oracle EBS Zero-Day, Cl0p, and July 2025 CPU
- SecurityWeek: Michelin Confirms Data Breach Linked to Oracle EBS Attack
- QuorumCyber: Exploitation of Critical Vulnerability in Oracle E-Business Suite
- CISA Known Exploited Vulnerabilities Catalog
- CISA Adds Three Known Exploited Vulnerabilities to Catalog (May 27, 2026)
- VulnCheck: Quantifying 2026 Routinely Targeted Vulnerabilities
- Oligo Security: CVE-2025-61882 Oracle EBS Zero-Day in Cl0p Extortion Campaigns
- Strobes: CVE-2025-61882 Explained



