Researchers spot exploitation of another critical Oracle defect

The defect impacts a popular collection of business applications that attackers have hit before in widespread attack sprees.
Oracle (Getty Images)

A cybercriminal exploited a critical defect in the payments processing feature of Oracle E-Business Suite on Saturday, activity that could mark the early stages of a potentially broader campaign, researchers said.

Defused, a threat intelligence firm, spotted six instances of exploitation during a two-hour window on its honeypots, or decoys designed to monitor malicious activity in non-production environments, Simo Kohonen, founder and CEO of the company, told CyberScoop.

Oracle disclosed and patched the vulnerability, which is tracked as CVE-2026-46817 with a 9.8 severity rating, in late May and warned that exploitation complexity is low.

Kohonen said the exploits were attributed to a single IP address and occurred before any proofs of concept were publicly available.

“With only one IP and one day of data, it reads more like reconnaissance and weaponization testing than a targeted campaign against a specific victim,” he added.

The potential expansion of malicious activity on live networks could be significant. Shadowserver scans found about 950 potentially vulnerable instances of Oracle E-Business Suite on Wednesday, and more than half of those publicly exposed deployments are based in the United States. 

The defect impacts a popular collection of business applications that attackers have hit before in widespread attack sprees. 

The notorious Clop ransomware group attempted to extort dozens of victims after it exploited a zero-day and other vulnerabilities in Oracle E-Business Suite last year. The aggressive extortion campaign got underway in October, roughly two months after Clop exploited the defect and stole data en masse.

Oracle customers were more recently impacted by an actively exploited zero-day vulnerability in PeopleSoft, which includes more than 40 tools for human resources and customer relationship management. 

ShinyHunters, the group behind that attack spree dating back to late May, potentially infiltrated the networks of more than 100 organizations, mostly in higher education, according to Mandiant and Google Threat Intelligence Group.

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
