CISA Warns Oracle PeopleSoft Zero-Day Is Being Exploited in Attacks
CISA has added CVE-2026-35273, a critical Oracle PeopleSoft PeopleTools vulnerability, to its Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild.
The flaw affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Oracle says in its security alert that attackers can exploit the issue remotely without authentication and may achieve remote code execution.
The CISA Known Exploited Vulnerabilities catalog lists the flaw as an Oracle PeopleSoft Enterprise PeopleTools missing authentication vulnerability. Federal civilian agencies had a June 15, 2026 deadline to apply mitigations under CISA’s risk-based update requirements.
Oracle PeopleSoft Flaw Enables Remote Takeover
CVE-2026-35273 sits in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. The issue falls under CWE-306, which means a critical function lacks proper authentication.
The NVD entry gives the vulnerability a CVSS 3.1 score of 9.8 out of 10. The attack requires network access over HTTP, but it does not require a valid login or user interaction.
Successful exploitation can let an attacker compromise the PeopleTools environment. For organizations that run PeopleSoft for HR, finance, student systems, procurement, or other core business functions, that creates a direct path to sensitive data and internal systems.
| Detail | Information |
|---|---|
| CVE | CVE-2026-35273 |
| Product | Oracle PeopleSoft Enterprise PeopleTools |
| Affected versions | 8.61 and 8.62 |
| Component | Updates Environment Management |
| Attack type | Unauthenticated remote code execution |
| CVSS score | 9.8 critical |
| CISA status | Known exploited vulnerability |
Google Links the Exploitation to ShinyHunters
Mandiant and Google Threat Intelligence Group said in a Google Cloud threat report that they identified an active compromise and extortion campaign targeting Oracle PeopleSoft application infrastructure.
The activity took place between May 27 and June 9, 2026, before Oracle published its June 10 advisory. That means attackers exploited the vulnerability as a zero-day during the observed campaign.
Google attributes the activity to UNC6240, which it also identifies as ShinyHunters. The attackers focused heavily on higher education, with 68% of the more than 100 notified organizations operating in that sector.
Attackers Targeted PeopleSoft Environment Management Endpoints
Google says the exploitation aligned with targeting of PeopleSoft Environment Management Hub endpoints, including PSEMHUB. The attackers also used customized MeshCentral agents disguised as legitimate cloud endpoints to run administrative commands.
The same report says the campaign correlates with stolen organization data later published on the ShinyHunters data leak site on June 9, 2026. That makes the activity more than a scanning event or isolated proof-of-concept use.
A Rapid7 analysis also notes that Oracle released an out-of-band patch on June 10 and that the exploitation window began before the vendor advisory.
Why CISA’s Warning Raises the Urgency
CISA adds vulnerabilities to its KEV catalog only after evidence shows active exploitation. The agency also flags whether a vulnerability has known ransomware use, which helps organizations prioritize patching beyond CVSS scores alone.
In this case, CISA’s entry orders agencies to apply vendor mitigations, follow BOD 26-04 guidance, use forensics triage requirements, and discontinue use of the product if mitigations are not available.
The CISA KEV listing should also matter to private organizations. PeopleSoft servers often sit close to financial, employee, student, and identity data, so a successful exploit can create both data theft and ransomware risk.
What Oracle PeopleSoft Administrators Should Do Now
Oracle urges customers to apply the available security updates and mitigations without delay. The company also recommends that customers stay on actively supported product versions because older unsupported releases may not receive tested fixes.
Administrators should not treat patching as the only step. Any internet-facing PeopleSoft instance that exposed Environment Management Hub or related endpoints during late May or early June should go through compromise assessment.
The Google Cloud guidance recommends disabling the Environment Management Hub service in multi-server configurations or removing the PSEMHUB application in single-server configurations where possible.
- Apply Oracle’s CVE-2026-35273 patch or mitigation immediately.
- Disable the Environment Management Hub service if it is not required.
- Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector.
- Review PeopleSoft PIA WebLogic access logs for suspicious POST requests.
- Search for unexpected .jsp files under PSEMHUB.war paths.
- Review outbound SMB traffic from PeopleSoft servers to untrusted destinations.
- Inspect systems for unexpected MeshCentral agents or administrative scripts.
- Preserve logs before rebuilding or modifying suspected compromised systems.
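
One way to run the ".jsp files under PSEMHUB.war paths" check from the list above, as an added example that is not Oracle's or Mandiant's tooling. The `demo_domain` tree, the `baseline` set of known-good relative paths, and all function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# First day of the exploitation window reported by Google/Mandiant.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)

def sweep_jsp(web_root, baseline=frozenset()):
    """Return every .jsp file under a PSEMHUB.war directory in web_root.
    baseline: hypothetical set of relative paths known to belong to the install.
    Nothing is filtered out by date, because mtimes can be altered."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        if "psemhub.war" not in (p.lower() for p in rel_dir.split(os.sep)):
            continue
        for name in sorted(files):
            if not name.lower().endswith(".jsp"):
                continue
            full, rel = os.path.join(dirpath, name), os.path.join(rel_dir, name)
            mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            findings.append({"path": rel, "sha256": digest, "mtime": mtime,
                             "expected": rel in baseline,
                             "since_window": mtime >= WINDOW_START})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Build a constructed directory tree and sweep it (no real paths involved)."""
    with tempfile.TemporaryDirectory() as root:
        hub = os.path.join(root, "demo_domain", "PSEMHUB.war")
        other = os.path.join(root, "demo_domain", "OTHER.war")
        os.makedirs(os.path.join(hub, "tmp"))
        os.makedirs(other)
        old = datetime(2025, 1, 10, tzinfo=timezone.utc).timestamp()
        new = datetime(2026, 6, 1, tzinfo=timezone.utc).timestamp()
        for path, stamp in ((os.path.join(hub, "index.jsp"), old),
                            (os.path.join(hub, "tmp", "a1.jsp"), new),
                            (os.path.join(other, "x.jsp"), new)):
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder\n")
            os.utime(path, (stamp, stamp))
        return sweep_jsp(root, {os.path.join("demo_domain", "PSEMHUB.war", "index.jsp")})

if __name__ == "__main__":
    for row in demo():
        print(row["path"], row["mtime"].date(), "expected" if row["expected"] else "REVIEW")
```

Run the sweep against a forensic copy or read-only mount where possible, and keep the SHA-256 values with the preserved evidence.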
Signs of Possible PeopleSoft Compromise
Security teams should check more than login activity. This vulnerability does not require authentication, so traditional failed-login monitoring may miss important signs.
Defenders should look for unexpected files under PeopleSoft web-tier directories, suspicious web requests to Environment Management endpoints, outbound connections to attacker infrastructure, abnormal administrator command execution, and data staging activity.
The NVD listing confirms the vulnerability can lead to PeopleTools takeover, with high impact to confidentiality, integrity, and availability. That impact profile matches the type of access threat actors need for extortion operations.
| Area to review | What to look for |
|---|---|
| Web access logs | POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector from external IPs |
| Web-tier filesystem | Unexpected .jsp files or new directories under PSEMHUB.war paths |
| Endpoint tools | MeshCentral agents or unknown remote administration utilities |
| Network traffic | Outbound SMB traffic from PeopleSoft servers to untrusted destinations |
| Identity systems | New accounts, changed privileges, or unusual administrator sessions |
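
The web access log row of the table, as an added triage example (not code from Oracle, Google or Rapid7). It assumes the access log is in Common Log Format and that the listed RFC 1918 and loopback ranges are what counts as internal; the sample lines are constructed and use documentation address ranges.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumption: access log in Common Log Format; adjust the regex for other formats.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Endpoints named in the guidance, compared after URL-decoding and lower-casing.
WATCHED = ("/psemhub/", "/psigw/httplisteningconnector")
# Assumption: ranges treated as internal here; anything else counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Exploitation window reported by Google/Mandiant: May 27 to June 9, 2026.
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc), datetime(2026, 6, 10, tzinfo=timezone.utc))
SAMPLE = [  # constructed log lines, not taken from any real incident
    '203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.3.4 - - [28/May/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 498',
    '198.51.100.9 - - [02/Jun/2026:11:02:41 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 120',
    '198.51.100.9 - - [02/Jun/2026:11:03:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 8841',
    '203.0.113.7 - - [20/Jun/2026:09:00:00 +0000] "POST /psemhub/hub HTTP/1.1" 404 0',
    'truncated line',
]

def is_external(ip_text):
    try:
        return not any(ipaddress.ip_address(ip_text) in net for net in INTERNAL)
    except ValueError:
        return True  # hostname or junk in the client field: keep it for review

def triage(lines):
    """Return (hits, unparsed) so unreadable lines are reviewed, not silently dropped."""
    hits, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z") if m else None
        except ValueError:
            ts = None
        if ts is None:
            unparsed.append(line)
            continue
        path = unquote(m["path"]).lower()
        if m["method"] == "POST" and is_external(m["ip"]) and any(w in path for w in WATCHED):
            hits.append({"ip": m["ip"], "time": ts, "path": m["path"],
                         "status": int(m["status"]), "in_window": WINDOW[0] <= ts < WINDOW[1]})
    return hits, unparsed

if __name__ == "__main__":
    print(*triage(SAMPLE)[0], sep="\n")
```

If a reverse proxy or load balancer sits in front of the web tier, the client field may hold the proxy address, so run the same check against the proxy's own logs or the forwarded-for field.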
Containment Should Start Before Full Investigation Ends
Organizations that find signs of exploitation should isolate affected PeopleSoft servers, preserve forensic evidence, rotate credentials, and review downstream systems that trust PeopleSoft data or authentication flows.
Because PeopleSoft often handles HR, payroll, finance, or student records, security teams should also involve legal, compliance, and privacy teams early. Data theft and extortion claims may require notification decisions even if ransomware encryption did not occur.
Rapid7 says in its PeopleSoft zero-day analysis that organizations should prioritize patching and review Mandiant’s detection and hardening guidance, especially if PeopleSoft endpoints faced the internet during the exploitation window.
PeopleSoft Zero-Day Shows Why Internet Exposure Matters
CVE-2026-35273 gives attackers a high-impact path into enterprise application infrastructure when vulnerable PeopleSoft components face the internet. The flaw requires no credentials, no user interaction, and low attack complexity.
The Oracle advisory confirms the affected versions and warns that earlier unsupported versions may also be affected. Organizations still running unsupported PeopleTools builds should treat that as a separate security risk.
For now, the safest approach is direct. Patch or mitigate the flaw, restrict external access to PeopleSoft management endpoints, run forensics on exposed systems, and prepare for possible extortion response if logs show compromise.
FAQ
CVE-2026-35273 is a critical Oracle PeopleSoft Enterprise PeopleTools vulnerability in the Updates Environment Management component. It allows unauthenticated remote attackers with network access over HTTP to compromise affected PeopleTools systems.
Oracle lists PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 as affected. Oracle also warns that earlier unsupported versions may be affected because they are not tested under the same support process.
Yes. CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog, and Google/Mandiant reported exploitation between May 27 and June 9, 2026, before Oracle released its advisory.
Google/Mandiant attributes the observed extortion campaign to UNC6240, also known as ShinyHunters. The campaign heavily targeted the higher education sector, especially organizations in the United States.
Administrators should apply Oracle’s patch or mitigation, block external access to PSEMHUB and related PeopleSoft endpoints, review access logs, check web-tier files for unexpected .jsp files, inspect for MeshCentral agents, and preserve forensic evidence if compromise is suspected.