- Product: Oracle Corporation Oracle Payments, KNX Association KNX Protocol Connection Authorization Option 1
- Vulnerabilities: 2 flaws (CVE-2026-46817, CVE-2023-4346)
- Highest severity: 9.8 (Critical · CVSSv3)
- Worst impact: Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File...
- Status: 2 exploited
- Action: See vendor advisories
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-46817 | 9.8 | CWE-269 | Exploited |
| CVE-2023-4346 | 7.5 | CWE-645 | Exploited |
TL;DR
The CISA KEV catalog gained two entries on July 15, 2026. The agency confirmed active exploitation of CVE-2026-46817 in Oracle E-Business Suite and CVE-2023-4346 in KNX building automation devices. Federal agencies must remediate both under Binding Operational Directive 22-01.
Why It Matters
A KEV listing means attackers are abusing these flaws right now, not in theory. The Oracle bug scores 9.8 (Critical) and sits in Oracle Payments, which handles corporate payment flows. According to Shadowserver estimates cited in press reports, roughly 950 Oracle EBS instances remain exposed online. Meanwhile, the KNX flaw can lock owners out of building automation hardware.
How the Attacks Work
CVE-2026-46817: Oracle Payments Takeover
Unauthenticated attackers send crafted HTTP requests to the File Transmission component of Oracle Payments. Successful attacks lead to a takeover of the module, per the CISA alert. Threat intelligence firm Defused first observed in-the-wild exploitation against its honeypots on June 27, 2026, before any public proof-of-concept existed.
CVE-2023-4346: KNX Device Lockout
KNX devices that support Connection Authorization Option 1 rely on a BCU key password that often cannot be reset. An attacker with network or physical access can purge unprotected devices and set their own BCU key. As a result, owners lose access to their own hardware.
Affected Versions
The Oracle flaw affects Oracle E-Business Suite versions 12.2.3 through 12.2.15. The KNX issue affects devices that use KNX Connection Authorization and support Option 1, depending on the implementation.
Patch and Mitigation
Oracle fixed CVE-2026-46817 in its May 2026 Critical Security Patch Update, so apply it now and keep EBS interfaces off the public internet. For KNX gear, follow vendor guidance and isolate installations from untrusted networks. Additionally, the CISA KEV catalog deadline obliges federal agencies to remediate on schedule.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.