PeopleSoft CVE-2026-35273 RCE exploited by ShinyHunters (CVSS 9.8)

On June 10th, 2026, Oracle publicly disclosed CVE-2026-35273, a critical unauthenticated Remote Code Execution (RCE) vulnerability in Oracle PeopleSoft PeopleTools. The flaw carries a CVSS score of 9.8 (critical), reflecting a high potential for widespread impact if exploited. It allows an attacker to take complete control of an affected PeopleSoft Enterprise PeopleTools installation without any prior authentication.

Subsequent reporting on June 11th, 2026, from Mandiant and Google Threat Intelligence Group (GTIG) confirmed that CVE-2026-35273 had been actively exploited in the wild as a zero-day vulnerability. The exploitation campaign commenced at least two weeks prior to Oracle's public disclosure, beginning as early as May 27th, 2026. These attacks have been attributed to the financially motivated threat actor ShinyHunters.

ShinyHunters used the vulnerability as an initial access vector into target organizations, with data extortion as the primary objective. Given confirmed in-the-wild exploitation, organizations running Oracle PeopleSoft PeopleTools should apply Oracle's security patches immediately, or the recommended mitigations where patching must wait.

What is CVE-2026-35273 and why is it critical?

CVE-2026-35273 is an unauthenticated Remote Code Execution (RCE) vulnerability in Oracle PeopleSoft PeopleTools with a CVSS score of 9.8. It is critical because it lets an attacker execute arbitrary code on a vulnerable system without legitimate credentials or any prior access. Successful exploitation results in complete compromise of the affected application and potentially of the underlying server infrastructure.

Unauthenticated RCE is among the most severe vulnerability classes because it removes the need for credentials, phishing, or an insider, which lowers the bar for attackers substantially. An attacker who exploits CVE-2026-35273 gains full control over the PeopleSoft Enterprise PeopleTools application and can manipulate, exfiltrate, or destroy the sensitive data it manages, as well as establish persistence within the network.

What impact does CVE-2026-35273 have on organizations?

The successful exploitation of CVE-2026-35273 can lead to a full takeover of PeopleSoft Enterprise PeopleTools, posing risks to data integrity, confidentiality, and availability. Organizations are primarily at risk of severe data breaches and subsequent extortion attempts, as observed in the ShinyHunters campaign. The threat actor's modus operandi focuses on exfiltrating sensitive data for monetary gain.

Specifically, the compromise of Oracle PeopleSoft systems, which often manage critical enterprise resource planning (ERP) functions such as human resources, finance, and student information, could expose a wide array of confidential data. This includes personally identifiable information (PII), financial records, employee data, and student academic details. The financial and reputational consequences of such a breach can be substantial, including regulatory fines, legal liabilities, and erosion of trust.

Exploitation of this vulnerability has affected over 100 organizations worldwide, predominantly in the United States, and 68% of the affected entities are in the higher education sector. That sector's heavy reliance on ERP platforms such as Oracle PeopleSoft for managing extensive student, financial, and HR datasets makes it a particularly high-value target for financially motivated groups like ShinyHunters, which seek monetizable information.

How is CVE-2026-35273 being exploited?

CVE-2026-35273 is being actively exploited through unauthenticated Remote Code Execution, primarily via specially crafted HTTP POST requests. The attack vector specifically targets the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints within the Oracle PeopleSoft PeopleTools application. These endpoints, if vulnerable, can be used to execute arbitrary code on the underlying server.

The exploitation chain observed in the ShinyHunters campaign began as early as May 27th, 2026, giving the group a window of zero-day exploitation before public disclosure. After gaining initial access through CVE-2026-35273, the threat actors deployed customized MeshCentral agents, often disguised as legitimate cloud endpoints to evade detection. The agents served as a backdoor for persistent access and as a platform for further malicious activity. For more technical details, see our prior analysis of CVE-2026-35273.

Once the MeshCentral agents were in place, ShinyHunters used them for post-exploitation: running queries against compromised systems, moving laterally within the victim's network, and deploying custom scripts to exfiltrate data. The stolen data was posted on the ShinyHunters Data Leak Site (DLS) on June 9th, 2026, the day before Oracle's disclosure, marking the extortion phase of the campaign. Reporting on ShinyHunters' exploitation of the Oracle PeopleSoft zero-day covers the actor and this intrusion set in more depth.

The ShinyHunters threat group, active since 2019, is known for financially motivated operations. Historically, its initial access tradecraft has centered on social engineering and voice phishing (vishing) against enterprise environments, followed by data exfiltration for extortion. The use of CVE-2026-35273 marks a shift: a critical RCE zero-day now sits alongside those social-engineering techniques as an entry method. Our prior analysis of CVE-2026-35273 and ShinyHunters' involvement offers further insight into this campaign.

Which products are affected by CVE-2026-35273?

The vulnerability CVE-2026-35273 specifically impacts certain versions of Oracle PeopleSoft Enterprise PeopleTools. Organizations using these versions are at risk of exploitation and should prioritize patching or mitigation measures.

The affected product and versions are:

  • PeopleSoft Enterprise PeopleTools 8.61
  • PeopleSoft Enterprise PeopleTools 8.62

No other products or versions were identified as affected in the reporting reviewed here. Users of other PeopleSoft components, or of PeopleTools releases not listed above, should still verify their patch status against Oracle's official security advisories; the two versions above are the confirmed scope of CVE-2026-35273.

Detection

Detecting exploitation attempts or a successful compromise related to CVE-2026-35273 combines log analysis, network monitoring, and host-based forensics. Because exploitation is confirmed in the wild, detection should be proactive: hunt for the indicators below rather than waiting for an alert.

Organizations should implement the following detection strategies:

  • Audit PIA WebLogic access logs:
      ◦ Examine the access logs for HTTP POST requests to the following paths:
          ▪ /PSEMHUB/hub
          ▪ /PSIGW/HttpListeningConnector
      ◦ Focus on requests from external or untrusted source addresses. POST requests to these components from sources with no business reason to reach them (ordinary users, unknown internet hosts) are strong indicators of exploitation attempts; a POST from a known integration partner to the listening connector is expected traffic.
      ◦ If a load balancer or reverse proxy terminates client connections in front of PIA, the client field in the WebLogic access log will hold the proxy's address. Take the true source from the forwarded-client header the proxy sets, and confirm that header is actually being logged.
  • Monitor outbound network traffic:
      ◦ Review outbound firewall logs and NetFlow data for outbound SMB traffic (TCP port 445).
      ◦ Look specifically for such traffic originating from PeopleSoft hosts toward untrusted or unusual external destinations. Outbound SMB from a PeopleSoft server to the internet is anomalous and may indicate lateral movement or data exfiltration.
  • Conduct a forensic audit of the web-tier filesystem:
      ◦ Perform a detailed forensic examination of the web-tier filesystem on PeopleSoft hosts.
      ◦ Look for newly created or modified files, especially executables, scripts, or configuration changes that are not part of legitimate PeopleSoft operations or patching. Unauthorized MeshCentral agents or related artifacts are a key indicator.
  • Endpoint Detection and Response (EDR) monitoring:
      ◦ Ensure EDR is configured to detect and alert on suspicious process execution, particularly unknown or customized remote-management agents such as MeshAgent. Behavioral analysis on endpoints can flag both the deployment and the activity of such tools.
  • Threat intelligence hunt:
      ◦ Proactively hunt for the known Indicators of Compromise (IoCs) associated with this campaign: the IP addresses, domain, and file hashes listed in the next section.

Indicators of Compromise (IoCs) Identified by GTIG

The following IoCs have been identified by Google Threat Intelligence Group (GTIG) as associated with ShinyHunters' exploitation of CVE-2026-35273:

Type          | Indicator                                                        | Description
IP address    | 142[.]11[.]200[.]186                                             | Staging and command-and-control (C2) IP address
IP address    | 142[.]11[.]200[.]187                                             | Staging and C2 IP address
IP address    | 142[.]11[.]200[.]188                                             | Staging and C2 IP address
IP address    | 142[.]11[.]200[.]189                                             | Staging and C2 IP address
IP address    | 142[.]11[.]200[.]190                                             | Staging and C2 IP address
Domain        | azurenetfiles[.]net                                              | Staging and C2 domain
SHA-256 hash  | 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 | Attacker command history
SHA-256 hash  | f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc | Pre-configured Windows agent
SHA-256 hash  | d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f | Pre-configured Windows agent
SHA-256 hash  | c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f | Pre-configured Windows agent
SHA-256 hash  | 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 | Unconfigured Linux agent

Organizations should integrate these IoCs into their security information and event management (SIEM) systems, endpoint protection platforms, and network intrusion detection systems for immediate detection of current or past compromise attempts.
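An added example (not from the original advisory, GTIG, or Oracle) of turning the IoC table into matching logic, which also covers the outbound-SMB check from the Detection section so the two share one set of network helpers. The indicators are kept defanged in source and refanged at load; outbound flow records are checked against the listed C2 addresses and for SMB from a PeopleSoft host to a non-internal destination; DNS query names are matched against the C2 domain including subdomains; and file hashes are looked up case-insensitively. The PeopleSoft host addresses, the internal network ranges, and the sample flow records are constructed placeholders.

```python
import ipaddress

# IoCs exactly as published in the table above, kept defanged in source so
# this file never contains a live C2 address or domain.
C2_IPS_DEFANGED = [
    "142[.]11[.]200[.]186", "142[.]11[.]200[.]187", "142[.]11[.]200[.]188",
    "142[.]11[.]200[.]189", "142[.]11[.]200[.]190",
]
C2_DOMAINS_DEFANGED = ["azurenetfiles[.]net"]
MALICIOUS_SHA256 = {
    "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35": "attacker command history",
    "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc": "pre-configured Windows agent",
    "d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f": "pre-configured Windows agent",
    "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f": "pre-configured Windows agent",
    "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309": "unconfigured Linux agent",
}


def refang(ioc):
    """Turn a defanged indicator back into a matchable value."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


C2_IPS = {ipaddress.ip_address(refang(i)) for i in C2_IPS_DEFANGED}
C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Assumptions about the monitored environment: the PeopleSoft web/app servers
# and the address space that counts as "inside". Replace both with real values.
PEOPLESOFT_HOSTS = {ipaddress.ip_address(h) for h in ("10.20.30.40", "10.20.30.41")}
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETWORKS)


def check_flow(src, dst, dport, peoplesoft_hosts=PEOPLESOFT_HOSTS):
    """Return the detection reasons (possibly empty) for one outbound flow record."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    if dst_ip in C2_IPS:
        reasons.append("dst_is_known_c2")
    # Outbound SMB from a PeopleSoft host to a non-internal destination is the
    # anomaly the advisory calls out; SMB to an internal file server is not.
    if src_ip in peoplesoft_hosts and dport == 445 and not is_internal(dst_ip):
        reasons.append("outbound_smb_to_external")
    return reasons


def check_dns(qname):
    """True if a queried name is the C2 domain or a subdomain of it."""
    name = qname.strip().rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def check_hash(sha256):
    """Return the IoC description for a known-bad SHA-256, else None."""
    return MALICIOUS_SHA256.get(sha256.strip().lower())


def scan_flows(flows, peoplesoft_hosts=PEOPLESOFT_HOSTS):
    """Return [(flow, reasons)] for every flow that triggers at least one reason."""
    out = []
    for flow in flows:
        reasons = check_flow(*flow, peoplesoft_hosts=peoplesoft_hosts)
        if reasons:
            out.append((flow, reasons))
    return out


# Constructed sample flow records as (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.20.30.40", "142.11.200.187", 443),  # PIA host to a listed C2 address
    ("10.20.30.40", "203.0.113.9", 445),     # PIA host speaking SMB to the internet
    ("10.20.30.40", "10.20.30.50", 445),     # PIA host to an internal file server: no alert
    ("10.1.1.5", "142.11.200.190", 8443),    # workstation to a listed C2 address
    ("10.20.30.41", "198.51.100.22", 443),   # ordinary outbound HTTPS: no alert
]

if __name__ == "__main__":
    for flow, reasons in scan_flows(SAMPLE_FLOWS):
        print(flow, ",".join(reasons))
    print(check_dns("files.azurenetfiles.net"), check_hash("68257A6F9FF196179EC03624E849927F26599EB180A7C82E14EF5BC4E93BC309"))
```

Internal address space is an explicit list rather than ipaddress's is_private, because that property also covers the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and would silently suppress alerts in test data that uses them. When loading these IoCs into a SIEM, retain the defanged form in the rule source and refang at rule compile time for the same reason the script does.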

Remediation

Prompt remediation is important to mitigate the risks associated with CVE-2026-35273, especially given its active exploitation. Organizations should prioritize applying the security patches or, until they can, the documented workarounds.

The following remediation steps are recommended:

  • Apply official security patches:
      ◦ After a business impact review, apply the security patches Oracle released for PeopleSoft Enterprise PeopleTools as soon as possible; they address the vulnerability directly. Refer to Oracle's June 10th, 2026 disclosure for the specific patch identifiers.
  • Implement mitigations if immediate patching is not feasible:
      ◦ Disable the Environment Management Hub (EMHub) service. Disabling it reduces the attack surface; assess the operational impact before proceeding.
      ◦ Block external network access to the vulnerable PeopleSoft PeopleTools endpoints at the firewall, load balancer, or reverse proxy. Specifically, restrict access to:
          ▪ /PSEMHUB/hub
          ▪ /PSIGW/HttpListeningConnector
      ◦ Restricting these paths at the perimeter prevents unauthenticated requests from untrusted networks from reaching the vulnerable components. Note that the Integration Gateway listening connector may legitimately be reached by external integration partners; where that applies, allowlist those partners' addresses rather than blocking the path outright, and verify the restriction with a request from an untrusted vantage point.
  • Enhanced monitoring:
      ◦ Alongside patching or mitigation, intensify monitoring for all detection indicators outlined in the "Detection" section: continuous auditing of WebLogic access logs, outbound SMB traffic, and filesystem integrity on PeopleSoft hosts.

Mitigation steps can reduce immediate risk, but they are temporary measures. Applying official security patches from Oracle is the definitive solution for CVE-2026-35273.

Technical Takeaways

  • CVE-2026-35273 is a critical, unauthenticated Remote Code Execution (RCE) vulnerability in Oracle PeopleSoft PeopleTools with a CVSS score of 9.8.
  • The vulnerability affects PeopleSoft Enterprise PeopleTools Version 8.61 and Version 8.62.
  • The financially motivated threat actor ShinyHunters has actively exploited this flaw as a zero-day since at least May 27th, 2026, for data extortion.
  • Exploitation involves HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector, followed by deployment of customized MeshCentral agents.
  • Targets are predominantly higher education institutions (68% of affected organizations), whose ERP platforms hold large volumes of student, financial, and HR data.
  • Remediation requires applying Oracle's security patches; temporary mitigations include disabling the EMHub Service and blocking external access to vulnerable endpoints.
  • Detection efforts should focus on WebLogic access logs, outbound SMB traffic from PeopleSoft hosts, and forensic analysis for MeshAgent presence, incorporating known IoCs.