This vulnerability affects Oracle Payments within Oracle E-Business Suite versions 12.2.3 to 12.2.15, specifically in the File Transmission component. It permits unauthenticated remote attackers to exploit the system over HTTP without any user interaction or privileges, leading to full compromise of Oracle Payments. The CVSS 3.1 score of 9.8 reflects critical severity with complete impact on confidentiality, integrity, and availability. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 security patches across multiple products. The vendor strongly urges immediate application of these patches and recommends testing any temporary mitigations on non-production systems due to potential functionality impacts.

Successful exploitation allows an unauthenticated attacker with network access via HTTP to take over Oracle Payments, compromising confidentiality, integrity, and availability of the system. This could lead to unauthorized access, data manipulation, and service disruption within Oracle Payments. No known exploits in the wild have been reported at this time. The vulnerability affects multiple supported versions of Oracle E-Business Suite, increasing the potential impact across organizations using these versions.

Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers should apply these patches as soon as possible to remediate the vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, but these are temporary measures and may disrupt application functionality. Oracle strongly recommends testing any such mitigations in non-production environments. Staying on actively supported versions and promptly applying Oracle security patches is critical to maintaining security.