Patch Oracle E-Business Suite Payments Before the New KEV Deadline
CISA added CVE-2026-46817 to the KEV catalog with a July 18 deadline after evidence of active exploitation. Oracle E-Business Suite teams should patch Oracle Payments, check exposure, and run compromise triage before treating the fix as complete.
CISA has added Oracle E-Business Suite CVE-2026-46817 to the Known Exploited Vulnerabilities catalog. Confidence level: confirmed. The issue affects Oracle Payments in E-Business Suite, and CISA's new KEV entry gives federal agencies a July 18, 2026 due date under the current risk-prioritized remediation rules.
What changed
On July 15, 2026, CISA added CVE-2026-46817 and CVE-2023-4346 to the KEV catalog based on evidence of active exploitation. The Oracle entry is the broader enterprise risk for most LinkLoot readers because it affects Oracle E-Business Suite Payments, a financial workflow component often connected to sensitive payment processes.
NVD describes CVE-2026-46817 as an easily exploitable Oracle Payments vulnerability in the File Transmission component. It affects supported Oracle E-Business Suite versions 12.2.3 through 12.2.15 and can be exploited over HTTP without authentication.
| Item | Product | Why it matters | Deadline signal | First check |
|---|---|---|---|---|
| CVE-2026-46817 | Oracle E-Business Suite Payments | Unauthenticated HTTP path to compromise Oracle Payments | CISA due date: July 18, 2026 | Patch status and internet exposure |
| CVE-2023-4346 | KNX Protocol Connection Authorization Option 1 | Could allow device purge and BCU key lockout in exposed KNX setups | CISA due date: July 29, 2026 | Building automation exposure |
Why this is early
This post is early because the KEV addition is from July 15, 2026, while the Oracle patch source is older. That distinction matters. Oracle published the security advisory in May, but CISA's KEV move changes the urgency because it confirms active exploitation for prioritization.
The independent context lines up with that timeline. The Hacker News reported exploitation activity in late June based on Defused Cyber observations, while NVD and Oracle provide the product, affected-version, and severity details. LinkLoot is treating CISA as the action trigger.
Key takeaways
- CVE-2026-46817 is now in CISA KEV, which means CISA has evidence of active exploitation.
- The affected Oracle product is E-Business Suite Oracle Payments, specifically the File Transmission component.
- NVD lists affected versions as 12.2.3 through 12.2.15 and gives the CVSS 3.1 base score as 9.8.
- CISA's KEV entry names July 18, 2026 as the due date for this Oracle item.
- Patching is not the whole job; exposed systems need triage for possible compromise.
Availability and access
Oracle's May 2026 Critical Security Patch Update is the vendor source to review first. CISA's KEV entry points organizations to vendor mitigations, BOD 26-04 guidance, and forensics triage requirements. If Oracle E-Business Suite is externally reachable, do not wait for a monthly patch cycle to classify it.
Teams outside U.S. federal agencies should still treat KEV as a priority signal. The catalog is not limited to government risk; it is a practical list of vulnerabilities that defenders know attackers are exploiting.
Practical LinkLoot angle
The useful workflow is simple: inventory, patch, exposure check, evidence review. Find every Oracle E-Business Suite instance, confirm whether Oracle Payments is enabled, check version and patch level, and identify HTTP exposure through VPN, reverse proxy, WAF, or direct internet paths.
For finance-heavy environments, route the review through both security and application owners. Payment workflows often have brittle integrations, so test the fix, but do not let integration anxiety become a reason to leave an exploited payment component exposed.
If your team automates vulnerability intake, use LinkLoot's AI workflow automation guide to turn KEV checks into a repeatable review path with human approval before production changes.
What to verify before you act
- Confirm whether any Oracle E-Business Suite instance runs versions 12.2.3 through 12.2.15.
- Check Oracle's May 2026 advisory and My Oracle Support guidance for the exact patch or mitigation path.
- Review CISA's KEV entry, BOD 26-04 language, and forensics triage guidance for remediation timing.
- Inspect internet exposure, WAF logs, application logs, authentication anomalies, and payment-file activity.
- Validate that backup, rollback, and business-process tests are ready before patching production finance systems.
Source check
Confirmed by: CISA says it added CVE-2026-46817 to the KEV catalog on July 15, 2026 based on active exploitation evidence. The KEV catalog lists Oracle E-Business Suite Oracle Payments, a July 18 due date, and required action tied to vendor instructions and BOD 26-04. Oracle and NVD confirm the product, component, affected versions, unauthenticated HTTP exploitability, and severity.
Independent context: The Hacker News reported late-June exploitation observations attributed to Defused Cyber and connected the issue to Oracle E-Business Suite Payments. LinkLoot treats CISA and Oracle as the operational sources and the security-news coverage as context for exploitation timing.
It is an Oracle E-Business Suite Oracle Payments vulnerability in the File Transmission component that can allow unauthenticated HTTP-based compromise.
