
Oracle PeopleSoft PeopleTools Remote Code Execution Actively Exploited (CVE-2026-35273)

June 16th, 2026

Critical

Our Cyber Threat Intelligence Unit is monitoring an actively exploited remote code execution vulnerability in Oracle PeopleSoft PeopleTools, identified as CVE-2026-35273. This vulnerability allows remote, unauthenticated attackers to execute arbitrary code over a network, potentially leading to full system compromise. Mandiant and GTIG confirmed exploitation between May 27 and June 9, 2026, before Oracle's Security Alert of June 10, 2026; the vulnerability was therefore exploited as a zero-day. The campaign, attributed to UNC6240 (also known as ShinyHunters), primarily targets higher education, which represents 68% of the more than 100 organizations notified. Organizations running PeopleTools 8.61 or 8.62 with internet-accessible PSEMHUB endpoints are at risk. Oracle has released a Security Alert with a patch and mitigation guidance, and recommends immediate implementation to reduce the risk of compromise.

Technical Details

  • Vulnerability Type: Remote Code Execution (RCE)

  • Underlying Mechanism: NVD currently maps the vulnerability to CWE-306 (Missing Authentication for Critical Function) per CISA-ADP. Public reporting from TrendAI Research characterizes the exploitation path as Server-Side Request Forgery (SSRF), leveraged to achieve RCE. The two descriptions are not in conflict: one names the missing control, the other the technique used to abuse it.

  • Severity: Critical

  • CVE ID: CVE-2026-35273

  • CVSS Score: 9.8

  • CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.1)

  • Vulnerable Component: Updates Environment Management (Environment Management Hub — PSEMHUB)

  • Affected Versions: PeopleSoft Enterprise PeopleTools 8.61 and 8.62; earlier unsupported versions are also likely affected

  • Required Configuration for Exposure: a PeopleTools 8.61 or 8.62 deployment (or an earlier, unsupported release) whose PSEMHUB endpoint is reachable from external or untrusted networks; in multi-server configurations this means the EMHub service is enabled, in single-server configurations that the PSEMHUB application is still deployed

Attack Chain:

  • Initial Access: Attacker identifies an internet-accessible PeopleSoft instance with PSEMHUB endpoints exposed

  • Reconnaissance: Attacker enumerates PeopleSoft services and locates /PSEMHUB/hub and /PSIGW/HttpListeningConnector

  • Exploitation: CVE-2026-35273 exploited without credentials via the Updates Environment Management component

  • Code Execution: Attacker executes commands on the target server at the privilege level of the application process

  • Persistence and C2: UNC6240 deployed customized MeshCentral agents masquerading as Microsoft Azure services (meshagent32/64-azure-ops.exe, meshagent64-v2.exe), hardcoded to C2: wss://azurenetfiles[.]net:443/agent.ashx

  • Lateral Movement: Custom propagation script ([victim]_fanout.sh) deployed via MeshCentral; performs SSH credential spraying against internal PeopleSoft nodes and drops extortion marker README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT

  • Exfiltration and DLS Publication: Stolen data compressed using zstd and published to the ShinyHunters Data Leak Site on June 9, 2026; staging hosts show outbound SSH to 176[.]120[.]22[.]24

Observed Threat Activity:

  • Exploitation confirmed as a zero-day between May 27 and June 9, 2026; Oracle advisory published June 10, 2026

  • Campaign attributed to UNC6240 (ShinyHunters)

  • Stolen data published on the ShinyHunters DLS on June 9, 2026

  • Vulnerability is actively exploited in the wild

Vendor Guidance:

  • Oracle has issued an out-of-band Security Alert for CVE-2026-35273 including patch and mitigation guidance

  • Patches are available for supported versions (8.61, 8.62) via Oracle support documentation

  • Disable the EMHub service in multi-server configurations, or remove the PSEMHUB application in single-server configurations

  • If disabling is not feasible, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter

  • Earlier, unsupported versions should be upgraded to a supported version to receive patches and mitigations


Impact

  • The vulnerability is remotely exploitable over a network and does not require authentication, making internet-facing PeopleSoft deployments a high-value target for threat actors.

  • Exploitation could lead to service disruptions, system instability, application outages, and business continuity impacts, particularly for organizations that rely on PeopleSoft for critical operational functions.

  • Organizations may face compliance and regulatory risks if sensitive data is compromised, including potential violations of data protection requirements, breach notification obligations, and associated legal or financial penalties.

  • Additional impacts may include remediation costs, incident response expenses, financial losses resulting from operational disruption, and reputational damage stemming from public disclosure of a compromise or data breach.

  • Given reports of active exploitation by the ShinyHunters threat group, organizations should prioritize patching, implement Oracle-recommended mitigations, and review internet-facing PeopleSoft instances to reduce the risk of compromise.

  • Exploitation could also result in unauthorized modification or corruption of data held in the compromised PeopleSoft environment, since the attacker executes with the privileges of the application process.

Detection Method

Oracle's vendor advisory for CVE-2026-35273 does not currently provide detailed detection guidance. The following opportunities are based on analyst recommendations and publicly reported threat activity and hardening guidance associated with this campaign.

  • Monitor Oracle PeopleSoft, web server, and application logs for unusual requests targeting PeopleTools components, especially those originating from external IP addresses without corresponding authentication activity or containing abnormal parameters and encoded payloads.

  • Monitor HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from external or untrusted IPs, including requests containing loopback or internal IP ranges as potential SSRF indicators.

  • Review web server and application logs for repeated access attempts to PeopleSoft endpoints, unusual HTTP methods, abnormal URL structures, excessive HTTP 500-series responses, or successful responses following suspected exploitation attempts.

  • Review EDR, Sysmon, and operating system logs for suspicious child processes spawned by PeopleSoft application services, Java processes, or web server processes. Key telemetry includes Sysmon Event ID 1 (process creation) and Event ID 3 (network connections).

  • Monitor outbound firewall logs and NetFlow for SMB traffic (TCP 445) from PeopleSoft servers to external destinations, and for any outbound connection to azurenetfiles[.]net or to the staging IP range 142[.]11[.]200[.]186–142[.]11[.]200[.]190. The MeshCentral C2 channel is WebSocket over TCP 443 (wss://azurenetfiles[.]net:443/agent.ashx), so it blends with ordinary HTTPS unless destinations are matched by name or address.

  • Inspect firewall, IDS/IPS, proxy, and network telemetry for outbound connections from PeopleSoft application servers to previously unseen external IPs or domains, which may indicate payload retrieval, command-and-control activity, lateral movement, or data exfiltration.

  • Monitor authentication and audit logs for unexpected administrative account creation, privilege escalation, unauthorized configuration changes, anomalous access from unfamiliar IP addresses or geographic locations, or access patterns consistent with MeshCentral-based remote administration.

  • Monitor file integrity and endpoint telemetry for unauthorized changes to PeopleSoft application files, configuration files, deployment artifacts, scripts, and temporary directories that may indicate persistence mechanisms or post-exploitation activity.

  • Conduct host-level filesystem auditing on PeopleSoft web-tier hosts for the following compromise indicators:

      ◦ unexpected .jsp files under <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ that are not part of the shipped product;

      ◦ unauthorized files or binary drops under PSEMHUB.war/envmetadata/transactions/;

      ◦ unexpected directories named logs, persistantstorage, or scratchpad under PSEMHUB paths;

      ◦ recently created or modified .xml files under <docroot>/envmetadata/data/environment/, which may be leveraged for XMLDecoder-based code execution upon application restart.
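The log-review guidance above (external POSTs to the PSEMHUB and PSIGW endpoints, internal or loopback addresses embedded in requests, 5xx bursts, and traffic from the staging IPs) can be run as one retrospective pass over web-tier access logs from the May 27, 2026 cutoff onward. The following is an added example, not Oracle's or the advisory's own tooling. It assumes NCSA "combined" style access logs; the log lines are constructed for the example, and the `target=` query parameter in the SSRF sample is hypothetical, chosen only to show an embedded loopback address. Note that access logs do not record POST bodies, so an SSRF target carried in the body is only visible with application-level or proxy request logging.

```python
"""Retrospective triage of PeopleSoft web-tier access logs for activity matching
the CVE-2026-35273 campaign. Added example; not Oracle's or the advisory's code.
Assumes NCSA "combined" log lines; the sample at the bottom is constructed."""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Endpoints the advisory names as targeted by the campaign.
TARGET_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Network IOCs from the advisory, re-fanged for matching.
IOC_IPS = {f"142.11.200.{n}" for n in range(186, 191)} | {"176.120.22.24"}
# Earliest confirmed exploitation date; entries before it are skipped.
CUTOFF = datetime(2026, 5, 27, tzinfo=timezone.utc)
# Explicit internal ranges rather than ipaddress.is_private, which also treats
# the TEST-NET documentation ranges used in the sample below as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# ip ident user [timestamp] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
IPV4_IN_TEXT = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def internal_targets(path: str) -> list[str]:
    """Internal/loopback IPv4 addresses embedded in a request path or query.
    Decoded twice so double-encoded payloads are not missed."""
    return [ip for ip in IPV4_IN_TEXT.findall(unquote(unquote(path))) if is_internal(ip)]


def triage(lines):
    """Return (severity, reason, raw_line) findings for the given access-log lines."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        if datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z") < CUTOFF:
            continue  # before the confirmed exploitation window
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        base = path.split("?", 1)[0]
        if ip in IOC_IPS:
            findings.append(("high", f"request from known attacker IP {ip}", raw))
        if not any(path.startswith(p) for p in TARGET_PATHS):
            continue
        external = not is_internal(ip)
        if external and method == "POST":
            findings.append(("high", f"external POST to {base} from {ip}", raw))
        for tgt in internal_targets(path):
            findings.append(("high", f"internal address {tgt} in request to {base} (SSRF indicator)", raw))
        if external and 500 <= status < 600:
            findings.append(("medium", f"HTTP {status} on {base} from external {ip}", raw))
    return findings


# Constructed sample: one pre-cutoff request, an external POST to the hub, an
# SSRF-style request (hypothetical 'target' parameter) that errored, a normal
# internal-node POST, and a request from a staging-server IOC.
SAMPLE_LOG = """\
203.0.113.45 - - [20/May/2026:11:02:13 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [28/May/2026:03:14:09 +0000] "POST /PSIGW/HttpListeningConnector?target=http%3A%2F%2F127.0.0.1%3A8000%2FPSEMHUB%2Fhub HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.20.30.40 - - [29/May/2026:08:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 312 "-" "Java/1.8"
142.11.200.188 - - [01/Jun/2026:22:41:55 +0000] "GET /psc/ps/EMPLOYEE/HRMS/?cmd=login HTTP/1.1" 302 0 "-" "curl/8.4"
"""


def run_sample():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for sev, reason, raw in run_sample():
        print(f"[{sev}] {reason}\n    {raw}")
```

The internal-node POST (10.20.30.40) is deliberately not flagged: in a multi-server configuration, PeopleSoft nodes talk to the hub legitimately, so the external-source condition is what separates the campaign traffic from normal EMHub operation. Feed the script `cat access*.log | python triage.py` style input after concatenating rotated logs back to May 27.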

Indicators of Compromise

Type       | Indicator                                                          | Description
-----------|--------------------------------------------------------------------|------------------------------------------------------------
File Hash  | 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35   | Attacker command history
File Hash  | f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc   | Pre-configured Windows agent
File Hash  | d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f   | Pre-configured Windows agent
File Hash  | c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f   | Pre-configured Windows agent
File Hash  | 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309   | Unconfigured Linux agent
IP Address | 142[.]11[.]200[.]186                                               | Attacker staging server
IP Address | 142[.]11[.]200[.]187                                               | Attacker staging server
IP Address | 142[.]11[.]200[.]188                                               | Attacker staging server
IP Address | 142[.]11[.]200[.]189                                               | Attacker staging server
IP Address | 142[.]11[.]200[.]190                                               | Attacker staging server
IP Address | 176[.]120[.]22[.]24                                                | Destination of outbound SSH from staging hosts (exfiltration)
Domain     | azurenetfiles[.]net                                                | MeshCentral C2 masquerading as Microsoft Azure NetApp Files
URL        | wss://azurenetfiles[.]net:443/agent.ashx                           | Hardcoded MeshCentral C2 endpoint
Filename   | meshagent32/64-azure-ops.exe, meshagent64-v2.exe                   | Customized MeshCentral agents masquerading as Azure services
Filename   | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT                       | Defacement and extortion marker
Filename   | [victim_abbreviation]_fanout.sh                                    | Lateral movement propagation script


Recommendations

  • Apply Oracle security guidance for CVE-2026-35273, including all relevant patches and mitigations. Ensure PeopleSoft environments are updated to supported PeopleTools 8.61.x or 8.62.x levels with the latest Oracle CPU and PUM images applied.

  • Restrict external exposure of PeopleSoft services by enforcing network segmentation, VPN-based access, IP allowlisting, and firewall controls. Limit internet access to only required and hardened web tiers.

  • Perform retrospective log analysis from at least May 27, 2026 onward across web server logs, application logs, authentication records, and network traffic to detect exploitation attempts or anomalous activity.

  • Conduct compromise assessment on PeopleSoft infrastructure to identify post-exploitation indicators such as web shells, unauthorized file changes, persistence mechanisms, suspicious processes, and abnormal outbound connections.

  • Initiate incident response procedures if any indicators of compromise are detected, including system isolation, forensic collection, root cause analysis, credential rotation, and recovery validation.
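The compromise-assessment recommendation above can be made concrete for the web tier using the host-level indicators listed under Detection Method: non-shipped .jsp files under PSEMHUB.war, files or binaries under envmetadata/transactions/, unexpected logs, persistantstorage or scratchpad directories, and recently modified .xml under envmetadata/data/environment/. The following is an added example, not Oracle's or the advisory's own tooling. It assumes the environment XML directory sits under the PSEMHUB.war document root (override `env_dir` if your deployment differs), and `SHIPPED_JSPS` is a placeholder baseline that must be generated from a clean install at the same PeopleTools patch level. The directory tree it audits is constructed in a temporary directory so the script runs offline.

```python
"""Host-level audit of a PeopleSoft PSEMHUB web-tier deployment for the
post-exploitation artifacts listed in the advisory. Added example; not Oracle's
or the advisory's code. Layout and the .jsp baseline are assumptions."""
import os
import tempfile
import time
from pathlib import Path

# Placeholder baseline (paths relative to PSEMHUB.war). Assumption: build the real
# set from a known-good deployment, ideally as a hash manifest rather than names.
SHIPPED_JSPS = {"index.jsp"}
SUSPECT_DIRS = {"logs", "persistantstorage", "scratchpad"}
BINARY_MAGIC = (b"\x7fELF", b"MZ")


def _looks_binary(path: Path) -> bool:
    with open(path, "rb") as fh:
        return fh.read(4).startswith(BINARY_MAGIC)


def audit_psemhub(war_dir, env_dir=None, modified_since=None):
    """Return (category, relative_path) findings for a PSEMHUB.war directory."""
    war_dir = Path(war_dir)
    # Assumption: <docroot>/envmetadata/data/environment lives under the .war root.
    env_dir = Path(env_dir) if env_dir else war_dir / "envmetadata" / "data" / "environment"
    if modified_since is None:
        modified_since = time.time() - 30 * 86400  # review window: last 30 days
    findings = []
    for root, dirs, files in os.walk(war_dir):
        rootp = Path(root)
        for d in dirs:
            if d.lower() in SUSPECT_DIRS:
                findings.append(("unexpected_dir", (rootp / d).relative_to(war_dir).as_posix()))
        for f in files:
            p = rootp / f
            rel = p.relative_to(war_dir).as_posix()
            if f.lower().endswith(".jsp") and rel not in SHIPPED_JSPS:
                findings.append(("unexpected_jsp", rel))
            if rel.startswith("envmetadata/transactions/"):
                kind = "binary_in_transactions" if _looks_binary(p) else "file_in_transactions"
                findings.append((kind, rel))
    if env_dir.is_dir():
        for p in env_dir.rglob("*.xml"):
            if p.stat().st_mtime >= modified_since:
                findings.append(("recent_env_xml", p.relative_to(env_dir).as_posix()))
    return findings


def build_sample_tree(base):
    """Construct a fake PSEMHUB.war with one clean file and several suspect artifacts."""
    war = Path(base) / "PSEMHUB.war"
    (war / "envmetadata" / "transactions").mkdir(parents=True)
    (war / "envmetadata" / "data" / "environment").mkdir(parents=True)
    (war / "scratchpad").mkdir()                                   # unexpected directory
    (war / "index.jsp").write_text("<%-- shipped page (placeholder) --%>")
    (war / "cmd.jsp").write_text("<%-- constructed stand-in for a dropped web shell --%>")
    (war / "envmetadata" / "transactions" / "agent").write_bytes(b"\x7fELF" + b"\0" * 12)
    old = war / "envmetadata" / "data" / "environment" / "baseline.xml"
    old.write_text("<environment/>")
    os.utime(old, (86400, 86400))                                  # mtime in 1970: outside window
    (war / "envmetadata" / "data" / "environment" / "injected.xml").write_text("<java/>")
    return war


def demo():
    """Audit the constructed tree with a one-hour window; returns sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        war = build_sample_tree(tmp)
        return sorted(audit_psemhub(war, modified_since=time.time() - 3600))


if __name__ == "__main__":
    for category, rel in demo():
        print(f"{category:24} {rel}")
```

Timestamps are weak evidence on their own: an attacker who can write to the web tier can also reset mtimes, so treat `recent_env_xml` as a prompt to diff the file against a known-good copy rather than as proof either way, and prefer a hash manifest over the name-only `SHIPPED_JSPS` baseline when one is available.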

Conclusion

The active exploitation of CVE-2026-35273 highlights the significant risk posed by unauthenticated remote code execution vulnerabilities in critical enterprise applications such as Oracle PeopleSoft PeopleTools. Given the public disclosure of successful exploitation and Oracle's issuance of a Security Alert with patch and mitigation guidance, organizations should immediately apply available patches, implement vendor-recommended mitigations, restrict exposure of internet-facing PeopleSoft services, and conduct comprehensive reviews of application, authentication, and endpoint logs for evidence of compromise.
