Introduction
Oracle's inaugural monthly Critical Security Patch Update, released May 28, 2026, contains 12 security fixes for Oracle E-Business Suite, and the most severe among them allows a low privileged user to completely take over the Oracle iAssets module and potentially cascade into adjacent EBS components. CVE-2026-46822 carries a CVSS 3.1 base score of 9.9, with the critical Scope: Changed designation signaling that the blast radius extends well beyond the iAssets product itself into the broader EBS ecosystem that enterprises rely on for financial operations, asset management, and payroll.
Oracle iAssets is a module within Oracle E-Business Suite that provides asset tracking and management functionality, handling internal asset processing workflows for organizations running EBS. Given that Oracle EBS is deployed across large enterprises, government agencies, and financial institutions globally, and that the affected version range (12.2.3 through 12.2.15) covers virtually the entire active install base, the exposure surface here is substantial.
What makes this vulnerability particularly noteworthy is the context surrounding it. Just months ago, the Cl0p ransomware group mass exploited a different Oracle EBS vulnerability (CVE-2025-61882) in coordinated extortion campaigns. Oracle's decision to shift from quarterly to monthly patch cycles, starting with this very advisory, is itself an acknowledgment that the threat landscape around EBS has fundamentally changed.
Technical Information
CVSS Vector Breakdown
The full CVSS 3.1 vector for CVE-2026-46822 is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:
| CVSS Metric | Value | Interpretation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network |
| Attack Complexity (AC) | Low (L) | No specialized conditions required |
| Privileges Required (PR) | Low (L) | Only basic application level credentials needed |
| User Interaction (UI) | None (N) | No victim action required for exploitation |
| Scope (S) | Changed (C) | Impact extends beyond the vulnerable component |
| Confidentiality (C) | High (H) | Total information disclosure |
| Integrity (I) | High (H) | Total modification of data possible |
| Availability (A) | High (H) | Complete denial of service possible |
The Scope: Changed attribute is the distinguishing factor that pushes this from a 9.8 to a 9.9. It indicates that successful exploitation of Oracle iAssets can compromise the security scope of other EBS products and modules, not just iAssets itself. In practical terms, this means financial data, asset records, payroll information, and other enterprise modules that integrate with iAssets could all be affected through a single exploitation chain.
Vulnerable Component and Attack Surface
The vulnerability resides in the Internal Operations component of Oracle iAssets. This component handles internal asset processing workflows within the iAssets module. The attack is delivered via standard HTTP requests to the Oracle E-Business Suite application tier, meaning any network path to the EBS web interface is a viable attack vector.
An attacker needs only a low privilege application user account, not an administrator, to deliver the exploit. This is a meaningful distinction: in large EBS deployments, there can be hundreds or thousands of user accounts with basic iAssets access. Any one of these accounts, whether compromised through credential stuffing, phishing, or held by a malicious insider, is sufficient to trigger the vulnerability.
Oracle's advisory states that "successful attacks of this vulnerability can result in takeover of Oracle iAssets," indicating complete system compromise of the iAssets module with full confidentiality, integrity, and availability impact.
What We Do Not Know
Several important technical details remain undisclosed as of May 29, 2026:
- The specific vulnerability type (SQL injection, SSRF, deserialization, or other) has not been publicly identified
- No CWE ID has been assigned, which limits automated vulnerability classification and mapping to known weakness patterns
- No proof of concept exploit code has been published
- The exact mechanism by which the Internal Operations component is exploited is not documented in public sources
The absence of a CWE classification is worth noting for vulnerability management teams. Without a formal weakness categorization, automated tools cannot map CVE-2026-46822 to known attack patterns, and security controls may not trigger appropriate compensating measures.
Parallels to CVE-2025-61882
While the specific technical mechanism differs, the prior exploitation of CVE-2025-61882 provides instructive context about how Oracle EBS vulnerabilities are weaponized. That vulnerability in Oracle EBS Concurrent Processing (BI Publisher Integration) was exploited via server side request forgery (SSRF), where specially crafted HTTP requests forced vulnerable systems to download and execute attacker controlled code, granting full control of the EBS host. Cl0p employed a "living off the land" approach, using native system utilities and simple shell commands that appeared as routine Java process operations, making detection difficult.
Although CVE-2026-46822 targets a different component, the same HTTP based attack surface and EBS architecture make analogous exploitation patterns plausible. The fact that Oracle source code was leaked publicly during the CVE-2025-61882 incident may also provide threat actors with deeper understanding of EBS internals to facilitate discovery and exploitation of similar vulnerabilities.
Affected Systems and Versions
The vulnerability affects the following:
- Product: Oracle iAssets
- Component: Internal Operations
- Platform: Oracle E-Business Suite
- Affected Versions: 12.2.3 through 12.2.15
This version range covers virtually the entire deployed base of Oracle EBS 12.2 customers. Oracle E-Business Suite 12.2 remains under extended Premier Support, meaning all versions in this range are expected to receive security patches.
Other EBS Vulnerabilities in the May 2026 CSPU
CVE-2026-46822 is the highest scored of 12 Oracle EBS vulnerabilities addressed in the May 2026 CSPU. The full list includes:
| CVE ID | Product | Component |
|---|---|---|
| CVE-2026-46822 | Oracle iAssets | Internal Operations |
| CVE-2026-46824 | Oracle Universal Work Queue | Not specified |
| CVE-2026-46817 | Oracle Payments | Not specified |
| CVE-2026-46819 | Oracle Internet Procurement Connector | Not specified |
| CVE-2026-46837 | Oracle Flow Manufacturing | Not specified |
| CVE-2026-46827 | Oracle Payroll | Not specified |
| CVE-2026-46826 | Oracle Payroll | Not specified |
| CVE-2026-46820 | Oracle Financials Common Modules | Not specified |
| CVE-2026-46828 | Oracle Payroll | Not specified |
| CVE-2026-46821 | Oracle Financials Common Modules | Not specified |
| CVE-2026-46823 | Oracle Public Sector Financials (International) | Not specified |
| CVE-2026-46818 | Oracle Payments | Not specified |
Three of these 12 vulnerabilities are remotely exploitable without authentication. CVE-2026-46822 at 9.9 should be the highest priority within this batch.
Vendor Security History
Oracle E-Business Suite has accumulated a concerning pattern of critical security events over the past year:
| Timeframe | CVE | CVSS | Details |
|---|---|---|---|
| October 2025 | CVE-2025-61882 | 9.8 | Zero day exploited by Cl0p ransomware group; emergency out of band patch required |
| October 2025 | CVE-2025-61884 | Not specified | CISA confirmed active exploitation in the wild |
| April 2026 | CVE-2026-34275 | 10.0 | Critical Patch Update for Oracle EBS |
| May 2026 | CVE-2026-46822 | 9.9 | Addressed in first monthly CSPU cycle |
The CVE-2025-61882 incident is the most relevant precedent. Oracle issued an emergency out of band Security Alert for a vulnerability in the Concurrent Processing component affecting EBS versions 12.2.3 through 12.2.14. The Cl0p ransomware group exploited this flaw in mass data theft and extortion campaigns. Bitsight observed growing chatter in cybercriminal forums regarding the vulnerability, indicating broad criminal interest in Oracle EBS as a target class. Oracle also separately confirmed a data breach that occurred via outdated, unpatched servers.
The transition from quarterly CPUs to monthly CSPUs, beginning with the advisory that addresses CVE-2026-46822, is Oracle's structural response to this pattern. However, this new cadence creates its own challenge: organizations accustomed to quarterly patch testing cycles must now adapt to monthly windows, and patch fatigue could lead to delayed application during the critical early window when exploitation likelihood is highest.
Threat Intelligence Context
As of May 29, 2026, no confirmed evidence of active exploitation of CVE-2026-46822 has been found, and the vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog. However, the extremely short elapsed time since disclosure (approximately 24 hours) means this assessment carries high uncertainty.
Several factors elevate the likelihood of future exploitation:
- Proven target class: The Cl0p campaign against CVE-2025-61882 demonstrated that ERP data is valuable for extortion, and cybercriminal forums showed broad interest in Oracle EBS vulnerabilities
- High visibility: A 9.9 CVSS score makes this vulnerability highly visible in automated scanning and threat intelligence feeds
- Low exploitation barrier: Network access, low complexity, low privileges, no user interaction
- Leaked source code: Public disclosure of Oracle source code from the CVE-2025-61882 incident may provide threat actors with deeper understanding of EBS architecture
- Shrinking exploitation windows: VulnCheck's 2026 exploitation analysis reports that 28.96% of KEVs identified in 2025 were exploited on or before the day their CVE was published
Cl0p's operational pattern during the CVE-2025-61882 campaign included living off the land techniques (using native system utilities rather than custom malware), data theft and extortion rather than encryption based ransomware, and mass exploitation campaigns targeting multiple organizations simultaneously. This group has a well established history of targeting enterprise application zero days, including MOVEit Transfer, GoAnywhere MFT, and SolarWinds Serv-U.
The contrast between CVE-2026-46822 (low privilege, authenticated) and CVE-2025-61882 (unauthenticated) is worth noting. While the authentication requirement raises the bar slightly, it does not meaningfully reduce risk in environments where EBS user accounts are numerous, shared, or protected by weak credential policies. Cl0p has demonstrated capability in obtaining initial access through credential harvesting, phishing, or purchasing stolen credentials, which would bridge the privilege gap.
Mitigation Guidance
Oracle has released a patch for CVE-2026-46822 as part of the May 2026 Critical Security Patch Update. Patch availability and installation instructions are provided through the advisory's "Patch Availability Document" column, accessible through My Oracle Support (document ID CPU155).
For organizations unable to immediately apply the patch, Oracle suggests two interim workarounds:
- Block network protocols required by the attack: Restrict or filter HTTP access to the Oracle iAssets component to reduce the attack surface
- Remove unnecessary privileges from users: Reduce the number of user accounts with any level of iAssets access to limit potential attack vectors
Oracle explicitly warns that neither workaround corrects the underlying problem and both may break application functionality. These should be considered temporary measures only.
Additional defense in depth recommendations based on lessons learned from the CVE-2025-61882 response:
- Ensure Oracle EBS instances are not unnecessarily exposed to the internet; access should be limited via VPNs and network segmentation
- Implement enhanced security monitoring for suspicious HTTP traffic targeting EBS application modules
- Review access controls and minimize the number of accounts with any iAssets access privileges
- Assess the exposure of third party vendors running Oracle EBS to prevent supply chain compromise
- Prepare incident response teams for Oracle targeted attacks, given the precedent of active exploitation
References
- NVD: CVE-2026-46822
- Oracle Security Critical Patch Update Advisory, May 2026
- Oracle Security Alerts Portal
- Oracle E-Business Suite Applications
- Oracle iAssets User Guide Release 12.2 (PDF)
- Oracle Security Alert: CVE-2025-61882
- Oligo Security: CVE-2025-61882 Oracle EBS Zero Day Exploited in Cl0p Extortion Campaigns
- Bitsight: Critical Vulnerability Alert CVE-2025-61882 in Oracle E-Business Suite
- SecurityWeek: Oracle E-Business Suite Zero Day Exploited in Cl0p Attacks
- SecurityWeek: CISA Confirms Exploitation of Latest Oracle EBS Vulnerability
- Quorum Cyber: Exploitation of Critical Vulnerability in Oracle E-Business Suite
- HIPAA Journal: Cl0p Mass Exploiting Zero Day Vulnerability in Oracle E-Business Suite
- CISA Known Exploited Vulnerabilities Catalog
- VulnCheck: State of Exploitation 2026
- Oracle EBS Tech Blog: Upgrade Reminder and Monthly CSPU Announcement



