Thousands of businesses vulnerable to 'severe' Oracle EBS flaws
The suite of enterprise products can be exploited for financial fraud and theft


Security researchers at Onapsis have discovered a number of 'severe' vulnerabilities in Oracle's E-Business Suite (EBS) that could leave more than 21,000 organisations at risk of financial theft and fraud.
Oracle EBS has become a critical set of products that help to integrate customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management processes within a business.
The vulnerabilities have been given a CVSS score of 9.9 – only four other issues have been given the same score since 2015, according to Onapsis, although many more have been assigned the maximum score of 10.0.
Businesses could be attacked in two different scenarios. The first involves manipulation of the wire transfer payment system, whereby an attacker can reroute invoice payments to a bank account of their choosing without leaving a digital footprint.
Attackers could also create and print genuine bank checks through the Oracle EBS check printing process, disabling and erasing audit logs to conceal rogue activity.
"This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: that business-critical applications, specifically ERP systems, used by the world's largest and most relied upon organisations are vulnerable to attackers stealing potentially billions," said Mariano Nunez, CEO and co-founder of Onapsis, to IT Pro.
"The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls."
Onapsis researchers have been working with Oracle's Security Response Team in order to disclose the issues and create patches. The original vulnerabilities were patched in April 2018 but subsequent flaws have been patched as recently as April 2019. It's believed more than 21,000 Oracle EBS customers are still vulnerable to the attacks.
Oracle ran a simulation in 2017 of a realistic financial structure based on a large business with more than 25 years of experience with ERP deployments. Highlighting the risk these vulnerabilities present, the simulation found it was possible to process 1 million payments per hour.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.