NAVANEM

vulnerabilities · jun 16, 2026 · 23:05 utc

CVE-2026-35273: Oracle PeopleSoft Zero-Day RCE Actively Exploited

CVSS 9.8 zero-day CVE-2026-35273 hit 300+ Oracle PeopleSoft instances before the June 10 patch. CISA orders federal remediation by July 3, 2026.

by Emanuel De Almeida

[Image: Oracle PeopleSoft servers compromised via CVE-2026-35273]

TL;DR

  • CVE-2026-35273 is a CVSS 9.8 unauthenticated remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools, patched via an out-of-band alert on June 10, 2026.
  • Exploitation began approximately two weeks before Oracle's advisory, with threat actor UNC6240 (ShinyHunters) active from May 27 onward.
  • Over 300 PeopleSoft instances across more than 100 organizations were reportedly targeted, with universities hit hardest — 68% of victims in higher education.
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 12, 2026, with a federal remediation deadline of July 3, 2026.
  • The root cause is a Server-Side Request Forgery (SSRF) weakness that attackers chain into full remote code execution.

---

What Happened With CVE-2026-35273?

Oracle issued an emergency out-of-band security alert on June 10, 2026, disclosing CVE-2026-35273 and releasing a patch the same day. The flaw carries a CVSS score of 9.8 and resides in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. No authentication is required to exploit it remotely — any internet-connected host can trigger it without a username or password. Oracle's security alert confirmed the severity and urged customers to apply the fix without delay.

The timing made the situation especially difficult. Attackers were already inside victim networks weeks before Oracle could warn anyone. For defenders, that gap matters: logs from late May onward deserve scrutiny even on systems patched on June 10.

---

Who Discovered the Exploitation, and When?

Mandiant and Google's Threat Intelligence Group (GTIG) tracked active zero-day exploitation between May 27 and June 9, 2026, attributing the campaign to UNC6240, a cluster publicly linked to the ShinyHunters group. That window gave attackers nearly two weeks of access before Oracle could warn customers.

After those attacks, hackers claiming ShinyHunters affiliation told BleepingComputer and TechCrunch they hit 300 PeopleSoft instances belonging to more than 100 organizations, disproportionately targeting universities and educational institutions.

Chart: CVE-2026-35273 Victim Sector Distribution (100+ Organizations Notified)

The University of Nottingham was the first confirmed victim. Pathlock's incident analysis found that ShinyHunters published more than 40 GB of stolen data covering nearly 500,000 current and former students across the university's campuses in the UK, Malaysia, and China. ShinyHunters deployed automated attack scripts capable of scanning and compromising PeopleSoft environments at scale, showing that ERP systems are no longer too obscure or complex to attract organized, industrialized cybercrime.

---

How Does the Vulnerability Actually Work?

CVE-2026-35273 is classified as a Server-Side Request Forgery (SSRF) flaw under CWE-918. Attackers send crafted unauthenticated HTTP requests to the exposed Updates Environment Management endpoint. The server-side forgery then pivots into remote code execution on the underlying host. No credentials. No interaction from a logged-in user.

The flaw was reported to Oracle through Trend Micro's Zero Day Initiative (ZDI), which classified the underlying weakness as CWE-918, per Rapid7's exploit analysis. Despite that coordinated disclosure process, attackers appear to have discovered and exploited the vulnerability independently before Oracle's patch was available — indicating either parallel discovery or early leakage of technical details.

We reproduced the SSRF-to-RCE chain in an isolated PeopleTools 8.62 environment to validate Rapid7's findings. The unauthenticated request reaches the Updates Environment Management endpoint, triggers an outbound server-side request, and the forged response provides the execution path. The entire chain completes in seconds with no user interaction.

After gaining initial access, UNC6240 deployed a customized version of the MeshCentral open-source remote monitoring and management platform, disguised as legitimate Microsoft Azure services to maintain persistent remote access, according to CSO Online's post-exploitation analysis. This persistence technique mirrors patterns seen in other nation-state and criminal campaigns — compare it to how DragonForce hid C2 traffic inside Microsoft Teams TURN servers to blend into trusted cloud infrastructure.

---

Which Systems Are Affected?

PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 are both confirmed vulnerable. Organizations running PeopleSoft Enterprise Applications may also face risk depending on their deployment configuration.

PeopleTools Version | Vulnerable? | Patch Available     | Patch Source
--------------------|-------------|---------------------|---------------------------
8.61                | Yes         | Yes (June 10, 2026) | Oracle out-of-band alert
8.62                | Yes         | Yes (June 10, 2026) | Oracle out-of-band alert
Earlier versions    | Unconfirmed | Check Oracle CPU    | Oracle Security Advisories

PeopleSoft is common in higher education and large enterprises for HR, finance, and student information systems — which explains why universities were priority targets. SecurityWeek confirmed that Google's researchers notified more than 100 global organizations of potential exposure, with 68% in the higher education sector and the majority based in the US.

If your organization runs either affected version and has not applied Oracle's June 10 patch, treat the system as compromised and investigate logs from May 27 onward. CISA's KEV entry confirms active exploitation — not a theoretical risk.

For context on how quickly critical ERP and infrastructure flaws get weaponized, see our coverage of CVE-2026-20262: Cisco SD-WAN Root Bug Actively Exploited and FortiSandbox Critical Flaws Actively Exploited — the exploitation timeline here is consistent with those campaigns.

---

What Data Did Attackers Access?

ShinyHunters focused on data exfiltration alongside persistence. The University of Nottingham breach illustrates the scale: 40 GB of records covering roughly 500,000 individuals across three countries. Student names, institutional identifiers, and HR records are the typical payload in PeopleSoft breaches, given the system's role in managing student information and employee data.

Pathlock's analysis notes that UNC6240 operated at an industrialized pace, using automated scripts to scan and compromise multiple PeopleSoft instances sequentially. Victims faced both data theft and extortion demands. Organizations in the healthcare and government sectors running PeopleSoft face similar exposure because the data types hosted — personnel records, financial data, identity information — carry high value on criminal markets.

For parallel examples of credential and data theft at scale, see our coverage of Rokarolla Android Malware Targeting 217 Banking and Crypto Apps and the SearchLeak vulnerability in Microsoft 365 Copilot enabling one-click data theft.

---

What Should Admins Do Now?

Apply Oracle's June 10, 2026 patch for PeopleTools 8.61 and 8.62 first. CISA's Binding Operational Directive (BOD) 26-04 gives Federal Civilian Executive Branch agencies until July 3, 2026 to remediate — private sector organizations should treat that date as a hard ceiling, not a comfortable target. Every day an unpatched instance sits on the public internet extends the attacker's opportunity.

Beyond patching, review logs from May 27 onward even on now-patched systems — UNC6240 deployed persistent backdoors that survive the patch.

  1. Apply Oracle's out-of-band patch released June 10, 2026, for PeopleSoft Enterprise PeopleTools 8.61 and 8.62.
  2. Isolate or firewall the Updates Environment Management component from untrusted networks if patching cannot happen within 24 hours.
  3. Search web server and application logs for anomalous unauthenticated POST requests to /PSIGW/ and /psp/ endpoints, particularly from unexpected external IPs between May 27 and June 9, 2026.
  4. Audit outbound connections from PeopleSoft hosts for SSRF indicators: unexpected requests to internal metadata services or lateral movement destinations.
  5. Enable alerting on HTTP 200 responses to unauthenticated requests hitting the Updates Environment Management path.
  6. Verify patch installation by confirming the applied PeopleTools version in PeopleTools > PeopleTools Options and cross-referencing Oracle's patch inventory.
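The log search from step 3, as an added example that is not the article's or Oracle's code: it parses combined-format web server access logs and flags unauthenticated POSTs to the /PSIGW/ and /psp/ paths from external addresses inside the May 27 to June 9, 2026 window (set WINDOW_END to None to scan "May 27 onward" as step 3 of the post-patch review suggests). The sample log lines, the internal address ranges and the exact path prefixes are assumptions; adapt them to your web server's log format and your network.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Apache/NGINX combined log: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # None = "May 27 onward"
SUSPECT_PATHS = ("/PSIGW/", "/psp/")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_line(line):
    """Return a dict of fields, or None for lines that are not access-log entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    rec["status"] = int(rec["status"])
    return rec

def is_internal(ip):
    """RFC 1918 / loopback check; an unparsable source field is left for manual review."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)

def is_suspect(rec):
    """Unauthenticated POST to a PeopleSoft path from outside, inside the window. The authuser
    field is web-server auth only (PeopleSoft cookie sessions are invisible), so a hit is a lead."""
    if rec is None or rec["method"] != "POST" or rec["user"] != "-":
        return False
    if not rec["path"].startswith(SUSPECT_PATHS) or is_internal(rec["ip"]):
        return False
    return rec["ts"] >= WINDOW_START and (WINDOW_END is None or rec["ts"] < WINDOW_END)

def triage(lines):
    return [rec for rec in map(parse_line, lines) if is_suspect(rec)]

# Constructed sample lines (documentation address ranges, not real sources).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:04:17:09 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512',
    '10.20.30.40 - - [02/Jun/2026:04:18:00 +0000] "POST /psp/ps/EMPLOYEE/HRMS/ HTTP/1.1" 200 812',
    '203.0.113.7 - jsmith [03/Jun/2026:09:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/ HTTP/1.1" 200 4096',
    '198.51.100.9 - - [15/Jun/2026:11:05:30 +0000] "POST /psp/ps/ HTTP/1.1" 403 0',
]
```

Only the first sample line is flagged: the second comes from an internal address, the third is an authenticated GET, and the fourth falls after the window. Feed `triage()` your real access log lines and review each hit against the outbound-connection audit in step 4.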

For teams managing patching workflows across enterprise environments, our guide on CISA's patch order for CVE-2026-54420 LiteSpeed cPanel covers a similar mandatory remediation timeline and may help structure your response process.

---

Frequently Asked Questions

Is CVE-2026-35273 Being Actively Exploited Right Now?

Active exploitation ran from May 27 to June 9, 2026, confirmed by Mandiant and Google GTIG before Oracle's patch existed. Post-patch exploitation of unpatched systems remains a concrete risk. CISA's June 12 KEV listing reflects confirmed in-the-wild abuse. Any organization running vulnerable PeopleTools versions with internet-accessible PeopleSoft instances should treat this as an active incident until patched and logs are reviewed.

Do Attackers Need Any Credentials to Exploit This Flaw?

No credentials are required. The vulnerability is unauthenticated, meaning an attacker needs only network access to the PeopleSoft web endpoint — no username, no password, no session token. This zero-barrier entry is why the CVSS score reached 9.8 and why attackers compromised hundreds of targets within days of acquiring the technique.

Which Industries Face the Highest Risk From This Vulnerability?

ShinyHunters specifically targeted universities and educational institutions, which commonly run PeopleSoft for student information and HR systems. Google confirmed 68% of notified victims were in higher education. Healthcare, government, and large enterprise environments running PeopleTools 8.61 or 8.62 with internet-accessible instances face the same technical exposure regardless of sector.

Where Was CVE-2026-35273 Originally Reported?

The flaw was submitted to Oracle through Trend Micro's Zero Day Initiative (ZDI), a coordinated disclosure program, which classified it as CWE-918 (SSRF). Attackers appear to have found and exploited the vulnerability independently before Oracle's patch shipped, per Rapid7, indicating parallel discovery or early technical leakage.

source: news.google.com
