CISA KEV: Oracle EBS Payments 9.8 unauth RCE lands
CISA added CVE-2026-46817 to KEV on Wednesday: unauthenticated CVSS 9.8 takeover of Oracle E-Business Suite Payments. Oracle's May 2026 CPU already has the fix.
CISA added CVE-2026-46817 to the Known Exploited Vulnerabilities catalog on 2026-07-15 — an unauthenticated network attacker gets complete takeover of the Oracle Payments component of Oracle E-Business Suite. CVSS 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Oracle shipped the fix seven weeks ago in the May 2026 Critical Patch Update. If EBS Payments is anywhere in your stack, this is the top of the queue for the rest of the week.
What actually changed
CISA’s KEV entry classifies the bug as improper privilege management. NVD’s canonical CVE-2026-46817 record pins it to the File Transmission component of Oracle Payments, EBS versions 12.2.3 through 12.2.15 — the full 12.2 line since it went GA. Oracle’s May CPU note is the authoritative reference for the patch level; NVD confirms the score and vector, KEV addition today is the operational signal.
Two things worth registering carefully:
- Unauthenticated over HTTP. No credential, no user interaction, no privilege prerequisite. Any Internet-exposed EBS Payments endpoint is directly reachable; any internally-exposed endpoint is reachable by anyone already inside the network perimeter.
- The patch has been out since May. This is a KEV addition against a CPU-patched bug, not a fresh disclosure. CISA doesn’t add old CVEs to KEV on a whim — the addition today means observed exploitation, whether or not CISA has said so explicitly on the entry. That is the signal.
Bug class: improper privilege management on a File Transmission code path — the mechanism that moves payment files in and out of the Payments module. The exploit chain sits behind the CPU; I’m not going to walk through it here, and the point of the disclosure was always the patch, not the mechanics. What matters is that the module handling payment-instrument data and processor credentials can be taken over from the network with no login.
What to actually do
The honest timeline for this one is: patched by end of week, not “next maintenance window.” Federal civilian agencies are on the BOD 26-04 clock as of today. Everyone else should treat KEV listing the same way — active exploitation is generally the reason a CVE gets there, and once mass scanning starts on a KEV entry it doesn’t slow down.
- Confirm the running EBS version, don’t trust the inventory tool. Oracle E-Business Suite runs on the 12.2 line at most large deployments; the affected range is 12.2.3–12.2.15, which covers roughly the entire supported 12.2 install base. Verify against the cspumay2026 advisory directly, not via a patch-management-tool report — EBS patch tracking is famously fragile because the ERP application patch layer is separate from the underlying WebLogic and Database patch layers.
- Apply Oracle’s May 2026 CPU to EBS Payments if you haven’t. The fix has been available roughly seven weeks — NVD’s initial publication date on the CVE is 2026-05-28. The delta between “patch available” and “patch applied” is what CISA is closing with today’s KEV addition. If your EBS shop is on the standard quarterly CPU cadence, the July 2026 CPU also carries the fix; either release closes the CVE.
- If your EBS Payments interface has ever been Internet-exposed and unpatched, treat this as a possible-compromise scenario. Review Payments File Transmission logs for anomalous file transfers, review Oracle Payments account activity for unfamiliar admin or service accounts, and rotate the credentials the Payments module holds for downstream payment-processor integrations. The compromise doesn’t stop at the ERP boundary — a taken-over Payments module has the credentials to talk to your acquirer and your bank.
- Non-Payments EBS modules: still patch, don’t defer. CVE-2026-46817 is scoped to Oracle Payments, but the May and July 2026 CPUs each carry dozens of other EBS fixes across HR, Financials, Manufacturing, and Order Management. This is the maintenance window; don’t split it into two outages for no benefit.
- Log-review pass on WebLogic and the front-end proxies. EBS 12.2 typically fronts Payments via WebLogic and Oracle HTTP Server. If the Payments endpoints have been reachable from untrusted networks, spot-check the WebLogic access logs and OHS logs for the same time windows as any anomalies in the Payments logs.
Priority call
Patch this ahead of everything else on this week’s backlog if EBS Payments is in your footprint. It ranks above the SharePoint chain CISA named this morning — those had a July 17 federal deadline; this one has “actively exploited today” behind it plus a seven-week-old patch, which is the worst combination you can face going into a weekend. It also ranks above the fresh Firefox flaws with public PoC from earlier today, because a taken-over EBS Payments module compromises the money-movement path, not just a workstation. Firefox is a fleet patch; Payments is a control failure with regulatory tails.
If you are running EBS Payments and can’t verify the patch state by Friday, that is the incident you should be calling the retainer about — not later.
Track future Oracle CPU advisories and KEV additions at /topics/oracle/.
Sourcing
- CISA. Known Exploited Vulnerabilities catalog entry for CVE-2026-46817, added 2026-07-15.
- NVD. CVE-2026-46817 record.
- Oracle. May 2026 Critical Patch Update advisory (cspumay2026).
- CISA. BOD 26-04 — Prioritizing Security Updates Based on Risk.
- [ CRITICAL ] CVE-2026-46817 Oracle E-Business Suite Payments improper privilege management (unauth RCE)
Found this useful? Share it.