On July 15, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) placed two vulnerabilities on its Known Exploited Vulnerabilities (KEV) catalog—confirmation that attackers are actively using both in real-world breaches. One, identified as CVE-2026-46817, is a 9.8-severity flaw in Oracle E-Business Suite’s Payments module that hands complete control to an unauthenticated remote attacker via a simple HTTP request. The other, CVE-2023-4346, is a years-old weakness in the KNX building-automation protocol that lets adversaries lock facility operators out of lighting, HVAC, and other critical physical systems. For Windows-focused IT teams, neither should be dismissed as someone else’s problem.
Two Flaws, One Urgent Patch Window
CISA’s KEV catalog isn’t a list of every severe vulnerability—it’s a curated collection of those being actively exploited in the wild. Inclusion means there is credible evidence that threat actors are already using these flaws to compromise organizations, making immediate remediation a non-negotiable priority, not just for federal civilian agencies bound by Binding Operational Directive 26-04, but for any enterprise that doesn’t want to become the next victim.
The Oracle Flaw: Unauthenticated Payments Takeover
CVE-2026-46817 affects the File Transmission component of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15. Oracle first disclosed and patched the vulnerability in its May 28, 2026 Critical Security Patch Update, which delivered fixes for 12 new E-Business Suite vulnerabilities—three of them remotely exploitable with no authentication. Despite a patch being available, exploitation didn’t stay theoretical. On June 27, threat-intelligence firm Defused recorded active exploitation attempts against its Oracle E-Business Suite honeypots, before any public proof-of-concept was known. Two days later, on June 29, NHS England’s National Cyber Security Operations Centre warned that further exploitation was “highly likely.”
That timeline removes any doubt: if your organization runs an affected Oracle Payments instance and you haven’t applied the May 2026 patch, you are living on borrowed time. The technical details are stark. The vulnerability stems from improper privilege management, improper authentication, and a missing check on a critical function—all reachable over HTTP without credentials or user interaction. A successful attack grants the adversary full control of Oracle Payments, with high impact to confidentiality, integrity, and availability. In short, an attacker can walk through the virtual front door and own the system, no password required.
The KNX Protocol Weakness: A Lockout Threat
CVE-2023-4346 was first disclosed in 2023, but its July 2026 KEV addition signals that it’s now part of active attack campaigns. This vulnerability is different: it targets KNX devices that use Connection Authorization Option 1 and can allow an attacker with network access to lock legitimate operators out. KNX is the backbone of building automation for lighting, heating, ventilation, air conditioning, shutters, and access control in hospitals, campuses, data centers, and commercial facilities.
The weak spot lies in the protocol’s BCU key mechanism, which can be abused to set a device password that the legitimate operator cannot reset without knowing the existing password. The result is an availability failure—operators are denied access to their own building systems. With a CVSS 3.1 score of 7.5, it’s rated lower than the Oracle flaw, but the operational impact can still be severe. Imagine a hospital where staff can’t adjust critical environmental controls, or a data center where cooling systems become unmanageable.
Why KEV Inclusion Changes the Timeline
KEV entry isn’t just a label; it reshapes the remediation playbook. For Federal Civilian Executive Branch agencies, BOD 26-04 mandates rapid remediation for KEV vulnerabilities on publicly exposed assets when exploitation could grant total control. More importantly, the directive sets expectations for compromise assessment: agencies must determine whether an attacker entered before the patch was applied. That’s especially critical for CVE-2026-46817, because exploitation was observed weeks after the fix shipped, leaving a window for unpatched organizations to have been silently compromised.
Private organizations aren’t legally bound by the directive, but CISA strongly encourages everyone to follow its risk-based model. That means patching is just the first step. You need to hunt for signs of previous intrusion and be honest about what full remediation looks like. The KEV catalog is not sorted by CVSS score—it’s sorted by real-world exploitation. That changes the order of your worklist.
Where Windows Teams Fit In
On the surface, neither vulnerability is a Windows CVE. Yet most modern enterprises are deeply interconnected. Oracle E-Business Suite typically ties into Active Directory for identity management, Windows file servers for document storage, Windows-based SQL Server installations, and endpoint management tools. A takeover of Oracle Payments could easily become a lateral move into your Windows domain. Similarly, KNX installations frequently rely on Windows workstations running engineering and building-management software; compromise there could pivot to the corporate LAN or disrupt physical processes that IT and security teams aren’t prepared to handle.
For Windows administrators, this means you can’t simply forward the alert to the ERP team or facilities group and close the ticket. You must verify that affected systems exist in your environment, confirm who is responsible for patching and log review, and understand the blast radius of a compromise. Asset ownership is often the immediate test: Oracle E-Business Suite might live under business applications, while KNX belongs to facilities or an external integrator. Yet both may depend on Windows infrastructure for management, authentication, and backups. Inventory those dependencies now.
Immediate Actions for IT and Facilities
For Oracle E-Business Suite environments:
- Apply Oracle’s May 2026 Critical Security Patch Update (or a later applicable update) immediately. Oracle’s advisory for Release 12 customers is available via My Oracle Support.
- If you are running a sustaining-support or end-of-life release, start planning a migration to a supported version. Patches for obsolete versions may not mitigate the risk completely.
- Preserve and review logs from Oracle E-Business Suite web servers, application servers, authentication services, file transfer components, and reverse proxies. Focus on the period from May 28, 2026, onward. Look for:
- Unexpected HTTP requests to Oracle Payments interfaces
- Creation of new or altered user accounts
- Unauthorized changes to financial configuration
- Unusual outbound connections or file activity - If you find evidence of compromise, activate your incident response plan. A patch alone won’t evict an attacker who already has a foothold.
For KNX installations:
- Identify any deployments still using Connection Authorization Option 1. Consult device manufacturers or your KNX integrator to determine whether firmware updates that support KNX Secure protections are available.
- Immediately reduce network exposure. Place all building-automation and control-system networks behind firewalls and isolate them from the corporate network. If remote access is essential, use a properly configured VPN—and remember that a VPN is only as secure as its connected endpoints.
- Review logs from engineering workstations, building controllers, and firewalls for signs of lockout activity. This may require coordination with facilities and physical-security teams.
- Consider physical access controls: an attacker with physical access to a KNX device can also exploit this flaw, even without network connectivity.
For everyone—quick ownership checklist:
- Update your asset inventory to include every Oracle E-Business Suite instance and KNX-connected device, regardless of who manages it.
- Assign clear ownership for each asset class. Business applications, facilities, and IT security must coordinate rather than point fingers.
- Test your backup and recovery procedures. For KNX, this means ensuring you can restore configurations if devices are purged.
- Subscribe to CISA’s alerts and integrate KEV catalog updates into your vulnerability management process.
Outlook
CISA will continue to add actively exploited vulnerabilities to the KEV catalog. For Windows-centric organizations, the lesson is clear: the perimeter isn’t just your firewalls and endpoint fleet anymore. Critical business systems and operational technology often run on or connect to Windows infrastructure, and vulnerabilities there can have cascading effects. The Oracle flaw demands immediate patching and compromise review; the KNX flaw requires a longer-term hardening of building systems and better coordination with facilities owners. In both cases, treating any alert as “not my problem” is the fastest way to become the next headline.