
Oracle Database

Databases & Data Platforms

Period: last 7 days (selector offers 7d / 14d / 30d / 90d)

  • Open CVEs: 29
  • Exploited: 0
  • KEV: 0
  • Unpatched: 27
  • No Workaround: 5
  • Internet-facing: 16

Why this provider is risky now

This provider has 29 open CVE(s) in the last 7 days. 27 have no vendor patch. 16 affect internet-facing services. 16 impact the management/identity plane.

  • Unpatched: 27
  • Mgmt / Admin Plane: 16
  • No Workaround: 5
  • Internet-facing: 16

Top Risky CVEs

CVE-2026-46840 (Act Now, Unpatched)
Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS score of 10.0 and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit was identified at the time of analysis and no EPSS or CISA KEV signal was provided in the available data.
  • Within 24 hours: Inventory all ORDS deployments and identify instances running versions 24.2.0 through 26.1.0; isolate vulnerable ORDS instances using network segmentation; enable audit logging on all ORDS instances.
  • Within 7 days: Deploy Web Application Firewall (WAF) or Intrusion Prevention System (IPS) rules targeting CVE-2026-46840; restrict ORDS network access to authorized clients and IP ranges only; increase security monitoring and alerting frequency.
  • Within 30 days: Contact Oracle for patched version availability and security timeline; develop and test an ORDS upgrade plan; conduct a comprehensive security assessment of all systems connected to potentially compromised ORDS instances.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS: 10.0 | EPSS: 0.0% | Priority: 50
CVE-2026-46775 (Act Now, Unpatched)
Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this CVSS 9.9 due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit was identified at the time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.
  • Within 24 hours: Conduct an inventory of all ORDS instances running versions 24.2.0 through 26.1.0 and document their network access paths and data connectivity.
  • Within 7 days: Implement strict network access controls (IP whitelisting, WAF rules, firewall policies) limiting ORDS connections to necessary systems only; enable detailed audit logging on all ORDS instances.
  • Within 30 days: Monitor Oracle security advisories for patch release; prepare and test upgrade procedures for all affected instances; evaluate temporary workload migration for critical applications if feasible while awaiting the patch.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS: 9.9 | EPSS: 0.0% | Priority: 50
CVE-2026-46822 (Act Now, Unpatched)
Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the iAssets component and pivot into adjacent products via a scope change. The 9.9 CVSS score reflects high impact on confidentiality, integrity, and availability combined with low attack complexity; no public exploit was identified at the time of analysis, but its inclusion in Oracle's May 2026 Critical Patch Update warrants immediate attention.
  • Within 24 hours: Identify all systems running Oracle E-Business Suite versions 12.2.3 through 12.2.15; document iAssets deployment scope and user access patterns; review authentication logs for suspicious account activity.
  • Within 7 days: Implement network segmentation restricting iAssets HTTP access to authorized users and networks only; enforce multi-factor authentication on all iAssets administrative accounts; disable the iAssets component if operationally feasible.
  • Within 30 days: Monitor Oracle security advisories for patch release; prioritize upgrade to versions beyond 12.2.15 when a patch becomes available, or evaluate migration to Oracle Cloud Applications as long-term remediation.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS: 9.9 | EPSS: 0.0% | Priority: 50
CVE-2026-46824 (Act Now, Unpatched)
Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows low-privileged remote attackers over HTTP to fully compromise the product with confidentiality, integrity, and availability impact. The CVSS 9.9 score reflects a scope-changing flaw whose blast radius extends to other Oracle E-Business Suite products beyond Universal Work Queue itself. No public exploit was identified at the time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority Oracle Critical Patch Update item.
  • Within 24 hours: Inventory all Oracle E-Business Suite deployments and identify instances running versions 12.2.3 through 12.2.15.
  • Within 7 days: Restrict HTTP network access to Universal Work Queue administration interfaces via firewall/WAF rules; enable enhanced authentication logging and real-time alerting on suspicious account activity.
  • Within 30 days: Subscribe to Oracle Critical Patch Update channels; prepare emergency change management procedures to deploy patched versions (12.2.15-patch or later) immediately upon vendor release.
Tags: ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Privilege Management)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS: 9.9 | EPSS: 0.0% | Priority: 50
CVE-2026-46839 (Act Now, Unpatched)
Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker over HTTPS to fully compromise the service and pivot into adjacent products via a CVSS scope change. The CVSS 3.1 base score is 9.9 with attack complexity rated low, and no public exploit was identified at the time of analysis. The scope-change designation is the key differentiator: successful exploitation extends beyond ORDS itself into the systems it fronts, most notably the backing Oracle Database.
  • Within 24 hours: Identify and inventory all systems running ORDS 24.2.0 through 26.1.0; assess network exposure and access paths to affected instances.
  • Within 7 days: Implement network segmentation restricting ORDS access to authorized internal sources only; enable enhanced logging on ORDS endpoints and database authentication; rotate credentials for service accounts with ORDS access.
  • Within 30 days: Monitor Oracle security advisories for patch availability; conduct an architecture review to isolate ORDS from direct database connectivity; develop and test an upgrade strategy to a patched ORDS version once released.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS: 9.9 | EPSS: 0.0% | Priority: 50
CVE-2026-34311 (Act Now, Unpatched)
Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit was identified at the time of analysis and the CVE is not in KEV. EPSS data was not supplied, so the probability of exploitation cannot be quantified.
  • Within 24 hours: Identify all systems running OPERA 5 versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, or 5.6.28; assess network exposure and restrict HTTP access to trusted administrative networks only via firewall rules.
  • Within 7 days: Deploy network-based access restrictions (WAF/load balancer rules); enable comprehensive logging and real-time alerting for anomalous OPERA 5 activity.
  • Within 30 days: Establish daily monitoring of Oracle security advisories for patch release; evaluate upgrade paths or air-gapped deployment options for affected properties; prioritize the remediation workflow for immediate deployment once a patch is available.
Tags: ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Oracle Database
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
CVSS: 9.8 | EPSS: 0.0% | Priority: 49
CVE-2026-46817 (Act Now, Unpatched)
Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit was identified at the time of analysis. It is tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory.
  • Within 24 hours: Identify all Oracle E-Business Suite instances in your environment and document which are running versions 12.2.3 through 12.2.15. Contact Oracle support to confirm the patch timeline and request vulnerability management guidance.
  • Within 7 days: Implement firewall rules restricting HTTP access to the Payments module to authorized administrative networks only; consider disabling the File Transmission component if operationally feasible; increase monitoring of Payments module activity logs for anomalous access.
  • Within 30 days: Plan and schedule an upgrade to Oracle E-Business Suite version 12.2.16 or later (once Oracle confirms patch availability); document baseline access patterns to identify exploitation attempts during the interim period.
Tags: ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Privilege Management)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS: 9.8 | EPSS: 0.0% | Priority: 49
CVE-2026-46819 (Act Now, Unpatched)
Remote unauthenticated compromise of Oracle Internet Procurement Connector (a component of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows attackers to read, modify, create, or delete all data accessible to the component over HTTP. The CVSS 9.1 score reflects high confidentiality and integrity impact with low attack complexity and no privileges or user interaction required. No public exploit was identified at the time of analysis, but the trivial exploitability profile combined with EBS's history of being targeted (e.g., CVE-2025 Cl0p campaigns) makes this a priority patch for any internet-exposed deployment.
  • Within 24 hours: Inventory all Oracle E-Business Suite instances running versions 12.2.3 through 12.2.15 and identify any with internet-exposed Oracle Internet Procurement Connector endpoints.
  • Within 7 days: Restrict HTTP/HTTPS access to the vulnerable component to internal networks only through network segmentation, WAF rules, or access control lists; enable detailed logging on procurement module transactions.
  • Within 30 days: Contact Oracle support for patch status and timeline; evaluate decommissioning or version upgrade for affected EBS systems; conduct penetration testing to validate the effectiveness of compensating controls.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS: 9.1 | EPSS: 0.0% | Priority: 46
CVE-2026-46833 (Act Now, Unpatched)
Net Service takeover in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated remote attackers reaching the TLS-protected Net Service listener to fully compromise confidentiality, integrity, and availability, with scope change indicating impact on adjacent components. CVSS 9.0 reflects high impact tempered by high attack complexity (AC:H), and no public exploit was identified at the time of analysis. It is reported and tracked in Oracle's May 2026 Critical Patch Update advisory.
  • Within 24 hours: Identify all Oracle Database Server instances running versions 23.4.0 through 23.26.2; restrict network access to TLS-protected Net Service listeners to known trusted sources only; enable verbose logging on affected systems.
  • Within 7 days: Complete an asset inventory of all affected databases; contact Oracle support to confirm patch availability and unaffected version options (23.3.x or earlier, if available); plan an upgrade or downgrade timeline.
  • Within 30 days: Execute remediation (upgrade to a patched version once released, or downgrade to unaffected versions); validate resolution; complete a network segmentation review.
Tags: ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Oracle Database
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
CVSS: 9.0 | EPSS: 0.0% | Priority: 45
CVE-2026-46826 (This Week, Unpatched)
Account takeover in Oracle Payroll (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker with HTTPS network access to fully compromise the Payroll application. The CVSS 8.8 vector indicates low complexity and no user interaction, meaning any authenticated EBS user can pivot to full confidentiality, integrity, and availability impact on Payroll. No public exploit was identified at the time of analysis, but the issue was disclosed in Oracle's Critical Patch Update advisory and warrants prompt patching given the sensitivity of payroll data.
  • Within 24 hours: Identify all EBS systems running Payroll versions 12.2.3 through 12.2.15 and restrict module access to essential users only; enable detailed audit logging on all Payroll transactions.
  • Within 7 days: Implement network segmentation to limit Payroll module accessibility and escalate to Oracle Support to obtain a patch availability timeline.
  • Within 30 days: Apply the vendor-released patch immediately upon availability or plan an emergency upgrade to a patched version; validate remediation through security testing.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
CVSS: 8.8 | EPSS: 0.0% | Priority: 44

By Exposure

  • Internet-facing: 16
  • Mgmt / Admin Plane: 16
  • Identity / Auth: 2
  • Internal only: 9

By Exploitability

  • Known exploited: 0
  • Public PoC: 0
  • High EPSS (>30%): 0
  • Remote unauthenticated: 15
  • Local only: 1

By Remediation

  • Patch available: 2
  • No patch: 27
  • Workaround available: 22
  • No workaround: 5

Affected Services / Product Families

Oracle
29 CVE(s)
CVE-2025-69600 HIGH Unpatched
CVE-2026-34311 CRITICAL Unpatched
CVE-2026-35266 HIGH Unpatched
CVE-2026-35277 HIGH Unpatched
CVE-2026-46775 CRITICAL Unpatched
CVE-2026-46817 CRITICAL Unpatched
CVE-2026-46818 HIGH Unpatched
CVE-2026-46819 CRITICAL Unpatched
CVE-2026-46820 HIGH Unpatched
CVE-2026-46821 HIGH Unpatched
+ 19 more
