INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Oracle E-Business Suite Flaw Exploited in Attacks
2026-06-30 05:04 CRITICAL LOW
Executive Summary AI-generated
The automotive industry is facing a critical security breach, with Nissan being among the companies impacted by a flaw in PeopleSoft software that exposed sensitive employee data. The vulnerability, CVE-2026-46817, was exploited by threat actors linked to the Cl0p ransomware operation, and has since been actively used in attacks on Oracle E-Business Suite and other systems. The reporting suggests that this is not an isolated incident, with another critical flaw in the same product being weaponized by similar groups. The shortcoming impacts versions from 12.2.3 through 12.2.15, and patches were shipped as part of a Critical Security Patch Update last month. Organizations must assume compromise and activate incident response processes to determine whether access was obtained before patches were applied, what was accessed, and whether persistence was established.
Technical Mitigations AI-generated
* Implement a patch management strategy to ensure timely application of security patches for vulnerable systems, and consider using automated patch deployment tools.
* Conduct regular vulnerability assessments and penetration testing (VSTs) to identify potential weaknesses in Oracle E-Business Suite and other enterprise software applications.
* Educate users on the importance of keeping their operating systems and software up-to-date with the latest security patches, and provide training on how to properly configure and use these tools.
* Consider implementing a "zero-trust" approach to network access, where all devices are assumed to be malicious unless proven otherwise, and require additional authentication and authorization mechanisms for remote access.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-35273
CVE-2024-21182
CVE-2026-46817
CVE-2025-61882
Target & Sectors
NORTH_AMERICA
EUROPE
Incident Timeline
2025/06/30
Threat actors linked to the Cl0p ransomware operation exploited a previously unknown flaw in Oracle E-Business Suite.
tactic: Ransomware
vulnerability: CVE-2025-61882
organisation: CVSS
organisation: Cl0p
general_metric: 9.8 year CVSS score
Late last year, another critical flaw in the same product (CVE-2025-61882, CVSS score: 9.8) was weaponized by threat actors linked to the Cl0p ransomware operation, with early attacks launched as far back as August 2025.
August 2025
Threat actors exploited a PeopleSoft Suite flaw, CVE-2026-35273.
organisation: Automaker Nissan
organisation: PeopleSoft
organisation: Social Security
Automaker Nissan has since acknowledged that it was among those impacted, stating it was the victim of a break-in that involved the exploitation of the PeopleSoft flaw, potentially exposing payroll records, bank details, Social Security numbers, and other personal and financial data belonging to its employees in the U.S., Canada, Mexico, and Brazil.
organisation: ShinyHunters
Earlier this month, the company addressed a critical missing authentication zero-day vulnerability in PeopleSoft Suite (CVE-2026-35273, CVSS score: 9.8) that was actively exploited in ShinyHunters data theft and extortion attacks.
organisation: Knott
Knott also pointed out that threat actors are exploiting vulnerabilities faster than ever before, urging organizations to assume compromise and activate incident response processes to determine whether access was obtained before patches were applied, what was accessed, and whether persistence was established.
early August 2025
The Clop extortion gang exploited a newly discovered vulnerability in the Oracle E-Business Suite, CVE-2025-61882.
vulnerability: CVE-2025-61882
tactic: Extortion
organisation: Harvard University
organisation: the University of Pennsylvania
organisation: Dartmouth College
organisation: the University of Phoenix
organisation: Washington Post
organisation: Logitech
organisation: GlobalLogic
Oracle EBS instances exposed online (Shadowserver)
The Clop extortion gang exploited another Oracle EBS security flaw (CVE-2025-61882) in zero-day attacks targeting multiple U.S. universities (including Harvard University, the University of Pennsylvania, Dartmouth College, and the University of Phoenix), the Washington Post, Logitech, and GlobalLogic since early August 2025.
May 2026
Oracle released security updates to address the vulnerability with its May 2026 Critical Security Patch Update and urged customers to patch their systems immediately.
organisation: Oracle
2026/05/31
Threat actors exploited CVE-2026-46817 in the wild using Patches provided by Oracle as part of its Critical Security Patch Update.
organisation: Critical Security Patch Update
Patches for the flaw were shipped by Oracle as part of its Critical Security Patch Update last month.
Jun 30, 2026
Threat actors used an exploit of CVE-2026-46817 in the wild to target Oracle Payments instances.
organisation: Oracle Payments
The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), refers to an improper privilege management and authentication flaw in Oracle Payments that could be abused to take over susceptible instances.
organisation: CVE-2026-46817
organisation: Oracle E-Business
CVE-2026-46817 has since come under active exploitation, with Defused Cyber noting on Monday that "over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots," adding "this vulnerability has no known previous exploitation and no public PoC."
infrastructure: 12.2.3
infrastructure: 12.2.15
The shortcoming impacts versions from 12.2.3 through 12.2.15.
organisation: the NIST National Vulnerability Database
organisation: NVD
"Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments," according to a description of the flaw in the NIST National Vulnerability Database (NVD).
2026/06/30
Hackers have begun exploiting a critical Oracle E-Business Suite (EBS) financial application flaw, CVE-2026-46817.
organisation: CVE-2026-35273
organisation: ShinyHunter
Weeks later, the company mitigated a critical PeopleSoft Suite zero-day vulnerability (CVE-2026-35273), which was actively exploited in ShinyHunter data theft attacks and allows unauthenticated remote code execution.
organisation: Vulnerability / Enterprise
organisation: Oracle E-Business Suite
Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild.
Ravie Lakshmanan
Jun 30, 2026
Vulnerability / Enterprise Software
A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber.
organisation: Oracle EBS
CVE-2026-46817 exploitation (Defused)
Internet security watchdog group Shadowserver now tracks over 450 Oracle EBS instances exposed online, with nearly 200 in the United States and in Europe.
organisation: Defused
While Oracle has yet to flag the CVE-2026-46817 flaw as exploited in the wild, Defused said on Monday that attackers are now actively exploiting it, with the first attempts spotted over the weekend.
organisation: Oracle Payments
organisation: File Transmission
organisation: EBS
This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks.
organisation: Oracle E-Business
Hackers now exploit critical Oracle E-Business flaw in attacks.
Tactical Metrics
infrastructure: 12.2.3 (Software Version)
infrastructure: 12.2.15 (Software Version)
The shortcoming impacts versions from 12.2.3 through 12.2.15.
Intelligence Sources
BleepingComputer, 2026-06-29: Hackers now exploit critical Oracle E-Business flaw in attacks
The Hacker News, 2026-06-30
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-30T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
31x | organisation | Identified Entity | Automaker Nissan | entity
8x | timeline | Temporal Reference | 2025/06/30 | date
4x | target region | Target Country | Canada | country
4x | vulnerability | Exploited CVE | CVE-2025-61882 | cve
3x | tactic | Cyber Operation Type | Ransomware | tactic
3x | attribution | Attributing Entity | EBS | authority
2x | tactic | MITRE ATT&CK Technique | T1592.002 - Software | technique
2x | infrastructure | Software Version | 12.2.3 | version
2x | general metric | % | 54 | %
Contextual Telemetry
Context Block
7 METRICS
general metric | Year Cvss Score | 10 | year cvss score
general metric | Jun | 30 | jun
target region | Target Region | EUROPE | region
general metric | Oracle Ebs | 450 | oracle ebs
general metric | Vulnerabilities | 44 | vulnerabilities
general metric | Wild | 13 | wild
vulnerability | CVSS Score | 10 | score