Oracle Issues Urgent Security Alert for Critical PeopleSoft RCE Vulnerability


Oracle has released an urgent Security Alert for a critical PeopleSoft Enterprise PeopleTools vulnerability that can allow unauthenticated remote code execution.

The flaw is tracked as CVE-2026-35273 and affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Oracle says attackers can exploit it remotely over HTTP without credentials, which makes internet-facing PeopleSoft systems a high-priority patching target.

The NVD entry lists a CVSS 3.1 score of 9.8 and says successful exploitation can result in takeover of PeopleSoft Enterprise PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected.

CVE-2026-35273 Affects PeopleSoft Updates Environment Management

The vulnerability is in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. Oracle’s risk matrix lists HTTP as the affected protocol and marks the issue as remotely exploitable without authentication.

Attackers do not need a valid PeopleSoft account, and exploitation does not require user interaction. The CVSS vector shows network access, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact to confidentiality, integrity, and availability.

Oracle also warns that unsupported earlier releases were not tested for this alert. However, the company says earlier versions of affected releases are likely affected, so customers running older PeopleTools builds should upgrade to supported versions.

| Item | Details |
| --- | --- |
| CVE | CVE-2026-35273 |
| Product | Oracle PeopleSoft Enterprise PeopleTools |
| Component | Updates Environment Management |
| Affected versions | 8.61 and 8.62 |
| Attack vector | Network access over HTTP |
| Authentication required | No |
| CVSS score | 9.8 (critical) |
| Known exploited | Listed by CISA |

Google Says the Bug Was Exploited as a Zero-Day

Mandiant and Google Threat Intelligence Group say they observed an active compromise and extortion campaign targeting Oracle PeopleSoft application infrastructure between May 27 and June 9, 2026.

Because that activity happened before Oracle’s June 10 security alert, Google says attackers exploited the vulnerability as a zero-day. The activity was attributed to UNC6240, also known as ShinyHunters.

Google said it notified more than 100 global organizations whose IP addresses matched potentially vulnerable endpoints. Most were in the United States, and 68% operated in higher education.

Attackers Targeted PSEMHUB Endpoints

The exploitation activity aligned with attacks on Environment Management Hub, or PSEMHUB, endpoints. Google said the attacker infrastructure hosted customized MeshCentral agents that appeared to mimic legitimate cloud endpoints.

The campaign used those agents to run administrative commands and deploy scripts for lateral movement and defacement. Google also linked the activity to later data leaks published on the ShinyHunters data leak site on June 9, 2026.

The risk is significant because PeopleSoft environments often support human resources, finance, student systems, and other sensitive business operations. A takeover of PeopleTools could expose sensitive data, allow system changes, or disrupt core services.

Researchers Credited by Oracle

Oracle credited Bobby Gould of TrendAI Zero Day Initiative, Lucas Miller of TrendAI Research, and Minh Giang of TrendAI Zero Day Initiative for reporting CVE-2026-35273.

Trend Micro’s security note says successful exploitation can result in full takeover of PeopleSoft Enterprise PeopleTools, with high impact across confidentiality, integrity, and availability.

That impact profile is why administrators should treat the issue as more than a routine patch. A vulnerable internet-facing PeopleSoft instance can create a direct path into critical enterprise systems.

CISA Added the Vulnerability to KEV

The CISA KEV catalog now lists CVE-2026-35273 as a known exploited vulnerability. KEV listing means there is evidence of exploitation in the wild, not just a theoretical risk.

Organizations should apply Oracle’s patch and mitigation guidance as quickly as possible. Security teams should also review exposure at the network edge, especially for PeopleSoft systems reachable from the public internet.

Google’s hardening guidance recommends disabling the Environment Management Hub service in multi-server configurations or removing the PSEMHUB application in single-server configurations when possible.

  • Apply Oracle’s available patch through the PeopleSoft patch availability documentation.
  • Disable EMHub or remove PSEMHUB where the environment allows it.
  • Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector.
  • Check PIA WebLogic access logs for POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector.
  • Review web-tier file systems for unexpected JSP files under the PSEMHUB application path.
  • Upgrade unsupported PeopleTools releases to supported versions.
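The two hunting steps in the list above (access-log review for POST requests to the PSEMHUB and PSIGW endpoints, and a sweep for unexpected JSP files) can be scripted. The block below is an added example written for this article, not code from Oracle, Google or Trend Micro. It assumes the PIA WebLogic access log is in its default common log format, uses RFC 1918 ranges as the definition of "internal" (adjust for your network), treats the May 27 start of the reported attack window as the "modified since" cutoff for JSP files, and embeds a few constructed log lines plus a throwaway directory tree so it runs offline.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Endpoints the hardening guidance says to block externally and to hunt for in logs.
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Address ranges treated as internal (assumption for this example; adjust to your network).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Start of the attack window reported by Google, used as the JSP "modified since" cutoff.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)

# WebLogic access.log in its default common log format (assumption for this example).
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_external(client):
    """True when the client IP falls outside INTERNAL_NETS (or is not an IP at all)."""
    try:
        addr = ip_address(client)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def is_watched(path):
    """Match a request path (query string dropped) against the watched endpoints."""
    bare = path.split("?", 1)[0].rstrip("/")
    return any(bare == p or bare.startswith(p + "/") for p in WATCHED_PATHS)


def find_suspicious_requests(lines):
    """Return one dict per POST to a watched endpoint; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or m["method"] != "POST" or not is_watched(m["path"]):
            continue
        hits.append({
            "client": m["client"],
            "ts": m["ts"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]),
            "external": is_external(m["client"]),
        })
    return hits


def external_clients(hits):
    """Source addresses outside the internal ranges; the first candidates to pivot on."""
    return {h["client"] for h in hits if h["external"]}


def find_recent_jsp(root, since=WINDOW_START):
    """List .jsp files under root modified at or after `since` (forward slashes, relative)."""
    cutoff = since.timestamp()
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2026:10:00:00 -0400] "GET /psp/ps/EMPLOYEE/HRMS/ HTTP/1.1" 200 4321',
    '203.0.113.7 - - [02/Jun/2026:03:14:15 -0400] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jun/2026:03:14:16 -0400] "GET /PSEMHUB/hub HTTP/1.1" 200 10',
    '198.51.100.23 - - [02/Jun/2026:03:20:01 -0400] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 200 88',
    "not a log line at all",
    '10.0.0.9 - - [03/Jun/2026:09:00:00 -0400] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
]


def demo_jsp_scan():
    """Build a throwaway tree with one old and one recently modified JSP, then scan it."""
    root = tempfile.mkdtemp()
    hub = os.path.join(root, "PSEMHUB", "hub")
    os.makedirs(hub)
    for name, when in (("old.jsp", datetime(2026, 1, 15, tzinfo=timezone.utc)),
                       ("new.jsp", datetime(2026, 6, 2, tzinfo=timezone.utc))):
        path = os.path.join(hub, name)
        with open(path, "w") as fh:
            fh.write("<%-- constructed placeholder --%>\n")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return find_recent_jsp(root)


if __name__ == "__main__":
    for h in find_suspicious_requests(SAMPLE_LOG):
        flag = "EXTERNAL" if h["external"] else "internal"
        print(f'{h["ts"]} {h["client"]:<15} {flag:<8} POST {h["path"]} -> {h["status"]}')
    print("recently modified JSP:", demo_jsp_scan())
```

Internal POSTs are still reported, since a compromised host inside the network produces the same request; the `external` flag only orders the triage. The JSP sweep uses a modification-time heuristic because the article gives no file baseline; where a known-good inventory of the PSEMHUB application directory exists, diffing against it is the stronger check.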

PeopleSoft Admins Should Patch and Hunt for Compromise

Oracle says customers should remain on actively supported versions and apply Critical Patch Updates, Critical Security Patch Updates, and Security Alerts without delay. Its PeopleSoft advisory links customers to patch and mitigation instructions through Oracle Support.

The Trend Micro advisory also recommends applying the available patch, keeping PeopleTools on supported versions, and restricting HTTP access to PeopleSoft environments from untrusted networks as a compensating control.

Security teams should not stop at patching. Since exploitation reportedly happened before public disclosure, organizations with exposed PeopleSoft infrastructure should review logs, check for suspicious files, and investigate unusual administrative activity during and after the May 27 to June 9 attack window.

FAQ

What is CVE-2026-35273?

CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools. It affects the Updates Environment Management component and can allow unauthenticated attackers with network access over HTTP to compromise PeopleTools.

Which PeopleSoft versions are affected by CVE-2026-35273?

Oracle lists PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 as affected. Oracle also says earlier unsupported versions were not tested but are likely affected, so customers should upgrade to supported versions.

Can CVE-2026-35273 be exploited without authentication?

Yes. Oracle says the vulnerability is remotely exploitable without authentication. Attackers can exploit it over HTTP without valid user credentials.

Has CVE-2026-35273 been exploited in the wild?

Yes. Mandiant and Google Threat Intelligence Group reported exploitation between May 27 and June 9, 2026, before Oracle released its June 10 advisory. CISA has also added the vulnerability to its Known Exploited Vulnerabilities catalog.

What should administrators do to fix CVE-2026-35273?

Administrators should apply Oracle’s patch or mitigation guidance immediately, restrict external access to affected PeopleSoft endpoints, review logs for suspicious activity, and upgrade unsupported PeopleTools releases to supported versions.
