← Blog · · df00tech

CISA KEV Alert: Oracle E-Business Suite Privilege Escalation Under Active Exploitation (CVE-2026-46817)

vuln-intel Oracle CVE-2026-46817

Overview

CVE-2026-46817 is an improper privilege management vulnerability in Oracle E-Business Suite (EBS) affecting the application and concurrent manager components. The flaw maps to CWE-269 (Improper Privilege Management), CWE-287 (Improper Authentication), and CWE-306 (Missing Authentication for Critical Function). In combination, these weaknesses allow unauthenticated or low-privileged actors to bypass authentication controls and escalate privileges within EBS, potentially reaching highly sensitive application roles.

Affected Software

  • Vendor: Oracle
  • Product: E-Business Suite
  • Affected versions: Not specified in the current advisory data

Organizations running EBS should treat this as applicable to their environment pending vendor-confirmed version guidance, and prioritize identifying internet-facing or otherwise exposed EBS servlet endpoints.

Exploitation Status

This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and is subject to Binding Operational Directive (BOD) 26-04 remediation timelines. KEV listing confirms active, in-the-wild exploitation — this is not theoretical risk. Federal agencies face mandated patch/mitigation deadlines under BOD 26-04, and all defenders should treat this as an urgent, high-priority remediation item rather than a routine patch cycle candidate.

Detection Coverage

df00tech ships detection logic for CVE-2026-46817 across Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), IBM QRadar (AQL), Sumo Logic, Google Chronicle (YARA-L), and CrowdStrike (CQL). The detection logic focuses on four correlated behavior patterns:

  • Anomalous authentication bypass patterns against EBS login and session-handling flows
  • Privilege escalation events resulting in access to the APPS or SYSADMIN roles
  • Unexpected or unauthorized concurrent manager job submissions, which are a common post-exploitation mechanism for command execution in EBS
  • Suspicious HTTP requests to specific EBS servlet endpoints known to be associated with published exploitation chains

By correlating web-tier request anomalies with application-layer privilege and job-submission events, the detections aim to catch both the initial exploitation attempt and follow-on abuse, rather than relying on a single indicator.

Given active KEV exploitation and BOD 26-04 timelines, security teams should validate exposure of EBS servlet endpoints, monitor for the behaviors above, and prioritize patching or compensating controls immediately. Full detection logic, including the KQL, SPL, and other SIEM queries, is available on the CVE-2026-46817 detection page.

Get new detections in your inbox

New ATT&CK coverage plus CISA KEV / CVE detection rules, roughly weekly. No spam, unsubscribe anytime.