CISA Marks Critical Vulnerability in Oracle E-Business Suite as Actively Exploited and Sets Deadline for Federal Agencies

With a CVSS of 9.8 and mass active exploitation, CVE-2026-46817 in Oracle EBS has entered CISA's KEV catalog, giving federal agencies a 21-day deadline to apply the patch.
What Was Added to the KEV
The Cybersecurity and Infrastructure Security Agency included CVE-2026-46817, a critical vulnerability in Oracle E-Business Suite, in the Known Exploited Vulnerabilities catalog on July 15. The bug, rated with a CVSS of 9.8, is located in the File Transmission component of the Oracle Payments product within EBS. An unauthenticated attacker with just HTTP access to the instance can execute code with elevated privileges without user interaction. Affected versions range from 12.2.3 to 12.2.15, covering most production deployments.
Oracle released a fix for the vulnerability in the May 2026 Critical Security Patch Update. According to research from BleepingComputer, over 900 instances of Oracle EBS are currently exposed to the open internet, with a portion still running unpatched versions. The first attempts at active exploitation were recorded the weekend prior to the KEV inclusion, with actors conducting mass scanning for vulnerable instances and escalating for persistence.
The Real Problem: Patching is Slow in EBS
Oracle EBS is not software that receives updates on a Saturday afternoon. Real instances run deep customizations in payroll, treasury, accounts payable, and integration with Hyperion, custom R12, Fusion Middleware, and connectors for banks and regulatory agencies. Each CPU application requires regression testing that crosses multiple functional areas and often encounters breakage in custom code. From industry experience and research from the Ponemon Institute published in previous years, the average time between CPU release and production adoption in Fortune 500 companies is between 3 and 6 months.
This gap is what attackers exploit. Between the publication of the CPU in May and the inclusion in KEV on July 15, defenders had about two months, and a significant portion did not finish the work. U.S. federal agencies now have 21 days, starting from July 15, to apply the patch or shut down the exposed instance, according to CISA's BOD 22-01 directive. This deadline does not apply to the private sector or operations outside of the United States, but serves as a reference for an acceptable minimum time frame.
Where Exposure is Heavy Outside the United States
Oracle EBS is the financial backbone for a significant share of large companies across three distinct geographies. In the United States, the historical base covers retail, energy, defense, and the federal government itself, with several agencies still operating EBS 12.2. In the United Kingdom, public authorities and services linked to the NHS operate on EBS. In Asia, India is the largest EBS market outside the U.S., covering large conglomerates such as Tata and Reliance.
Brazil is listed due to banks, mining companies, and utilities. Several of the country's largest financial and industrial institutions run financial or supply chain modules on EBS 12.2, and some of these exposures are indexed in public tools like Shodan and Censys. None of these institutions had reported by the time of this article whether they had applied the May CPU, which is routine operational practice that usually does not make headlines, but gained weight in this specific window due to the remote, unauthenticated vector with a CVSS of 9.8. The responsible path for a Brazilian CISO this morning is to confirm with the Oracle operations team the exact version of each instance, check perimeter exposure, and if any instance appears on Shodan with a version prior to the corrected 12.2.15, treat it as an active incident until proven otherwise.
The Recurring Pattern
None of this is new in form. Driven by structural slowness in financial ERP patching, attackers wait for the window between CPU and adoption, scan, exploit, and monetize. This was the script for vulnerabilities in SAP NetWeaver in 2020, Oracle WebLogic in 2021, and BIG-IP F5 in 2023. The new component in 2026 is the compressed exploitation time. Between publication and the first automated scans, the interval has dropped from weeks to days, likely for the same reason that defensive teams have gained speed with AI: patch diff analysis, proof of concept generation, and packaging into offensive tools have also become faster.
For the CISO, the arithmetic is simple. The post-CPU calm window is shrinking, and an organization that only plans application for the next quarterly cycle is systematically behind the adversary. This is not just a discussion about CVSS scores. It’s about cadence.