Patch Oracle E-Business Suite Payments Before the New KEV Deadline

The Hacker News image for coverage of CVE-2026-46817 exploitation.The Hacker News
The Hacker News image for coverage of CVE-2026-46817 exploitation.The Hacker News
Tools & Apps

CISA added CVE-2026-46817 to the KEV catalog with a July 18 deadline after evidence of active exploitation. Oracle E-Business Suite teams should patch Oracle Payments, check exposure, and run compromise triage before treating the fix as complete.

CISA has added Oracle E-Business Suite CVE-2026-46817 to the Known Exploited Vulnerabilities catalog. Confidence level: confirmed. The issue affects Oracle Payments in E-Business Suite, and CISA's new KEV entry gives federal agencies a July 18, 2026 due date under the current risk-prioritized remediation rules.

What changed

On July 15, 2026, CISA added CVE-2026-46817 and CVE-2023-4346 to the KEV catalog based on evidence of active exploitation. The Oracle entry is the broader enterprise risk for most LinkLoot readers because it affects Oracle E-Business Suite Payments, a financial workflow component often connected to sensitive payment processes.

NVD describes CVE-2026-46817 as an easily exploitable Oracle Payments vulnerability in the File Transmission component. It affects supported Oracle E-Business Suite versions 12.2.3 through 12.2.15 and can be exploited over HTTP without authentication.

ItemProductWhy it mattersDeadline signalFirst check
CVE-2026-46817Oracle E-Business Suite PaymentsUnauthenticated HTTP path to compromise Oracle PaymentsCISA due date: July 18, 2026Patch status and internet exposure
CVE-2023-4346KNX Protocol Connection Authorization Option 1Could allow device purge and BCU key lockout in exposed KNX setupsCISA due date: July 29, 2026Building automation exposure

Why this is early

This post is early because the KEV addition is from July 15, 2026, while the Oracle patch source is older. That distinction matters. Oracle published the security advisory in May, but CISA's KEV move changes the urgency because it confirms active exploitation for prioritization.

The independent context lines up with that timeline. The Hacker News reported exploitation activity in late June based on Defused Cyber observations, while NVD and Oracle provide the product, affected-version, and severity details. LinkLoot is treating CISA as the action trigger.

Key takeaways

  • CVE-2026-46817 is now in CISA KEV, which means CISA has evidence of active exploitation.
  • The affected Oracle product is E-Business Suite Oracle Payments, specifically the File Transmission component.
  • NVD lists affected versions as 12.2.3 through 12.2.15 and gives the CVSS 3.1 base score as 9.8.
  • CISA's KEV entry names July 18, 2026 as the due date for this Oracle item.
  • Patching is not the whole job; exposed systems need triage for possible compromise.

Availability and access

Oracle's May 2026 Critical Security Patch Update is the vendor source to review first. CISA's KEV entry points organizations to vendor mitigations, BOD 26-04 guidance, and forensics triage requirements. If Oracle E-Business Suite is externally reachable, do not wait for a monthly patch cycle to classify it.

Teams outside U.S. federal agencies should still treat KEV as a priority signal. The catalog is not limited to government risk; it is a practical list of vulnerabilities that defenders know attackers are exploiting.

Practical LinkLoot angle

The useful workflow is simple: inventory, patch, exposure check, evidence review. Find every Oracle E-Business Suite instance, confirm whether Oracle Payments is enabled, check version and patch level, and identify HTTP exposure through VPN, reverse proxy, WAF, or direct internet paths.

For finance-heavy environments, route the review through both security and application owners. Payment workflows often have brittle integrations, so test the fix, but do not let integration anxiety become a reason to leave an exploited payment component exposed.

If your team automates vulnerability intake, use LinkLoot's AI workflow automation guide to turn KEV checks into a repeatable review path with human approval before production changes.

What to verify before you act

  • Confirm whether any Oracle E-Business Suite instance runs versions 12.2.3 through 12.2.15.
  • Check Oracle's May 2026 advisory and My Oracle Support guidance for the exact patch or mitigation path.
  • Review CISA's KEV entry, BOD 26-04 language, and forensics triage guidance for remediation timing.
  • Inspect internet exposure, WAF logs, application logs, authentication anomalies, and payment-file activity.
  • Validate that backup, rollback, and business-process tests are ready before patching production finance systems.

Source check

Confirmed by: CISA says it added CVE-2026-46817 to the KEV catalog on July 15, 2026 based on active exploitation evidence. The KEV catalog lists Oracle E-Business Suite Oracle Payments, a July 18 due date, and required action tied to vendor instructions and BOD 26-04. Oracle and NVD confirm the product, component, affected versions, unauthenticated HTTP exploitability, and severity.

Independent context: The Hacker News reported late-June exploitation observations attributed to Defused Cyber and connected the issue to Oracle E-Business Suite Payments. LinkLoot treats CISA and Oracle as the operational sources and the security-news coverage as context for exploitation timing.

FAQ

It is an Oracle E-Business Suite Oracle Payments vulnerability in the File Transmission component that can allow unauthenticated HTTP-based compromise.