Threat Intelligence · Incident Response · Zero-Day

Oracle PeopleSoft under active attack: what CVE-2026-35273 means and what to do now

If you run Oracle PeopleSoft, patching is not your first question. It is your second. This pre-authentication remote code execution flaw was exploited as a zero-day for roughly two weeks before Oracle shipped an emergency fix.

June 19, 2026 · 10 min read · DEFION Respond Team


The short version

On 10 June 2026, Oracle published an out-of-band security alert for CVE-2026-35273: a CVSS 9.8 pre-authentication RCE in PeopleSoft Enterprise PeopleTools 8.61 and 8.62, exploited in the wild from late May. Roughly 300 instances across 100+ organizations were hit, two-thirds of them in higher education. If your PSEMHUB was internet-facing during that window, assume compromise and investigate — the patch alone is not a clean bill of health.

On 10 June 2026, Oracle published an out-of-band security alert for CVE-2026-35273, a critical flaw in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. The vulnerability carries a CVSS v3.1 score of 9.8 and is remotely exploitable over HTTP without any credentials and without user interaction. Successful exploitation gives an attacker remote code execution on the underlying server with the privileges of the PeopleSoft Java service, which in practice means control of the application tier and of everything that service account can reach.

Three things make this one worth dropping other work for:

  1. It was a zero-day. Exploitation was observed in the wild from late May 2026, before any fix existed.
  2. It is unauthenticated and network-reachable. Anything internet-facing is a candidate target.
  3. It hits high-value systems. PeopleSoft underpins HR, payroll, finance and campus operations, so a compromise sits directly on top of sensitive personal and financial data.

Because exploitation ran for two weeks before the fix existed, applying the patch is necessary but it is not a clean bill of health. If your management endpoints were exposed during that window, the right default is to assume compromise and go looking — not to assume safety because the patch is now installed.

What is affected

Oracle lists PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 as affected. Earlier, out-of-support versions are likely vulnerable as well, but they fall outside Oracle's supported patch scope.

The flaw lives in the Environment Management component, frequently referred to as the Environment Management Hub or PSEMHUB. This is internal cluster plumbing. It was never meant to be reachable from untrusted networks, which is exactly why exposure of it is so damaging.

The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In plain terms: reachable over the network, low attack complexity, no privileges, no user interaction, and high impact across confidentiality, integrity and availability.

How the attack works

This is not a single bug. It is a chain, and understanding the chain is what tells you where to break it.

The Zero Day Initiative, which received the report from TrendAI and tracks it as ZDI-CAN-31817, classifies the root weakness as a server-side request forgery (CWE-918). The full sequence, as reconstructed by Mandiant and Trend Micro, runs roughly like this:

  1. SSRF for access control bypass. A crafted HTTP request to the Integration Gateway listener at /PSIGW/HttpListeningConnector is abused to make the server issue an internal, loopback-style request to the management endpoint at /PSEMHUB/hub. Because the hub now sees a request originating from inside the cluster, the authentication it would demand of an external caller is sidestepped.
  2. Unsafe Java deserialization. The PSEMHUB endpoint processes attacker-controlled input through an insecure deserialization routine built on java.beans.XMLDecoder. Vendor detection signatures reference this as a HubMBeanPersistance deserialization of untrusted data.
  3. Code execution inside the JVM. Deserialization is steered toward process creation, ultimately reaching ProcessBuilder and executing operating system commands with the privileges of the PeopleSoft Java service.

The pattern rhymes with history. The /PSIGW/ listening connector path has appeared in PeopleSoft exploit research before, including the CVE-2013-3821 chain documented by Lexfo in 2017 and the related XXE issue CVE-2017-3548. The Integration Gateway has long been a soft underbelly when exposed.

Exploited in the wild, and by whom

Public reporting attributes the campaign to the extortion group ShinyHunters, tracked by Mandiant and Google Threat Intelligence Group as UNC6240. Exploitation was observed from as early as 27 May 2026 and continued until Oracle's 10 June patch closed the window.

The scale and targeting are notable. Mandiant reports that the campaign reached around 300 PeopleSoft instances across more than 100 notified organizations, with roughly two-thirds of victims in the higher education sector. Data stolen during the campaign began appearing on the ShinyHunters data leak site on 9 June 2026, one day before the public advisory. The vulnerability was added to the CISA Known Exploited Vulnerabilities catalog in mid-June, which puts US federal agencies on a fixed remediation clock and is a strong signal for everyone else.

After gaining a foothold, the operators were observed to:

  • Drop .jsp webshells under the PSEMHUB web root for hands-on access
  • Deploy MeshCentral as a persistent remote access mechanism
  • Trigger outbound SMB connections (TCP 445) from the PeopleSoft host to attacker infrastructure, capturing Windows machine-account NetNTLM hashes for lateral movement
  • Run lateral movement tooling and exfiltrate data, with compression observed via zstd

How to tell whether you are affected

Start with exposure, then go looking for evidence of use.

Exposure check. Confirm whether you run PeopleTools in the 8.6x line, and whether /PSEMHUB/hub or /PSIGW/HttpListeningConnector is reachable from the internet or from any untrusted network segment. Test this from outside your own network, not from a workstation that may sit on an allowlisted range. External reachability of these paths is the core risk multiplier.

Indicators of compromise to hunt for:

  • External HTTP access to /PSEMHUB/hub and /PSIGW/HttpListeningConnector in web and proxy logs between 27 May and 9 June 2026
  • Requests containing loopback addresses (127.0.0.1, localhost, ::1) or internal IP ranges in headers or parameters
  • Unexpected .jsp files under the PSEMHUB web root, or anomalous directories using blending names such as logs, persistantstorage, scratchpad
  • Modified XML metadata beneath envmetadata/data/environment/
  • Outbound SMB (TCP 445) from a PeopleSoft server to external destinations
  • Shell or other OS processes whose parent is the PeopleSoft JVM (java or java.exe), or any sign of MeshCentral on the host

Patching closes the door, but it tells you nothing about whether someone already walked through it during the two-week zero-day window. If your PSEMHUB was exposed in that period, assume compromise and hunt.
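One way to hunt for the indicators above in web access logs, as an added example (not DEFION tooling and not vendor signature content): it flags external hits on the two management paths, tags those that fall inside the 27 May to 9 June window, looks for loopback or internal addresses in decoded query strings, and, as an added heuristic not taken from the public reporting, flags .jsp requests under /PSEMHUB/. The NCSA-style log format, the sample lines and the `url=` parameter name in them are constructed for illustration; the real request shape is not described on this page.

```python
"""Indicator hunt over access logs for the CVE-2026-35273 campaign (added example).
Log format, sample lines and the 'url=' parameter are constructed, not observed."""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Management endpoints named in the article.
WATCH_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Exploitation window reported in the article: 27 May to 9 June 2026 inclusive.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)   # exclusive upper bound

# Ranges treated as "internal" for both the source-IP and the parameter checks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumption: NCSA combined-style access log; adjust the regex to your format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Address-like tokens inside a decoded query string: dotted IPv4, ::1, localhost.
ADDR_RE = re.compile(
    r"(?<![\w.])(?:(?:\d{1,3}\.){3}\d{1,3}|::1|localhost)(?![\w.])", re.IGNORECASE
)


def is_internal_address(token: str) -> bool:
    """True for 'localhost' or any address inside INTERNAL_NETS."""
    if token.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return {
        "src": m["src"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "query": unquote(query),   # decode %-escapes so embedded URLs are visible
        "status": int(m["status"]),
    }


def classify(rec: dict) -> list:
    """Return the indicator names a parsed request matches (empty list if clean)."""
    hits = []
    on_mgmt_path = rec["path"].startswith(WATCH_PATHS)
    # IOC 1: management endpoint reached from a non-internal source, tagged if in window.
    if on_mgmt_path and not is_internal_address(rec["src"]):
        hits.append("mgmt-endpoint-external")
        if WINDOW_START <= rec["ts"] < WINDOW_END:
            hits.append("mgmt-endpoint-external-in-window")
    # IOC 2: loopback / internal addresses carried in parameters (the SSRF pivot).
    if any(is_internal_address(t) for t in ADDR_RE.findall(rec["query"])):
        hits.append("internal-address-in-params")
    # Added heuristic, not from the article: a .jsp requested under /PSEMHUB/ is a
    # cheap proxy for webshell use; confirm by checking the web root on disk.
    if rec["path"].startswith("/PSEMHUB/") and rec["path"].lower().endswith(".jsp"):
        hits.append("jsp-under-psemhub")
    return hits


def hunt(lines) -> list:
    """Return (record, hits) for every parseable line matching at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            hits = classify(rec)
            if hits:
                findings.append((rec, hits))
    return findings


# Constructed sample lines (not real traffic): a benign PIA login, an external hit on
# the gateway carrying a loopback URL, an external hit on the hub after the window,
# legitimate in-cluster hub traffic, and a .jsp under a blending directory name.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:03:14:07 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2026:03:14:09 +0000] "POST /PSIGW/HttpListeningConnector'
    '?url=http%3A%2F%2F127.0.0.1%3A8000%2FPSEMHUB%2Fhub HTTP/1.1" 200 312',
    '198.51.100.23 - - [15/Jun/2026:11:02:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 403 0',
    '10.20.30.40 - - [02/Jun/2026:08:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 88',
    '203.0.113.7 - - [03/Jun/2026:04:00:00 +0000] "GET /PSEMHUB/logs/cmd.jsp?c=whoami HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for rec, hits in hunt(SAMPLE_LOG):
        print(rec["ts"].isoformat(), rec["src"], rec["method"], rec["path"], ", ".join(hits))
```

Run it as a script to see the three sample findings, or pass your own log with `hunt(open(path))`. The source-IP check assumes the log records the real client address; behind a load balancer or reverse proxy, take the client from X-Forwarded-For (or your proxy's equivalent) first, or every request will look internal and the first indicator will never fire.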

What to do, in order

1. Patch. This is the priority.

Apply the fix from Oracle's June 2026 emergency alert and the associated Critical Patch Update to all PeopleTools 8.61 and 8.62 installations. Validate in a test environment first, then move to production quickly. Confirm the exact patch and Doc ID through My Oracle Support — out-of-band fixes are distributed there.

2. Reduce exposure as a temporary mitigation.

At the WAF or firewall, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector. End users reach PeopleSoft through other PIA routes, so this typically does not break normal usage. The one exception is the listening connector itself: if external partners post integration messages to it, allowlist their source addresses rather than leaving it open to the world. To break the SSRF pivot specifically, segment the gateway from the environment-management servlet so the PSEMHUB hub cannot be reached by a gateway-originated loopback request.

3. Cut the lateral movement path.

Block outbound SMB (TCP 445) from PeopleSoft servers to external destinations and alert on any such traffic. This both disrupts the NetNTLM capture technique and gives you a high-signal detection.

4. If you were exposed, investigate before you trust.

Run a forensic sweep for the indicators above, focusing on the document root, the PSEMHUB application path and the environment XML metadata. Reset the credentials of service accounts the affected host had access to, and, since the campaign captured machine-account NetNTLM hashes, reset the computer account password of any domain-joined PeopleSoft host as well. Then look for signs of credential theft and lateral movement beyond the initial server.


How DEFION can help

Our Respond team handles exactly this kind of fast-moving exposure, across the Netherlands and Spain:

  • Exposure assessment of your PeopleSoft estate against CVE-2026-35273, focused on internet and untrusted-network reachability of the affected endpoints.
  • Threat hunting across the 27 May to 9 June exploitation window, using the indicators above to determine whether exposure turned into compromise.
  • Patch and mitigation support, including validation that the fix and the network controls are actually doing what you think they are.
  • Incident response (DFIR) if suspicious activity is confirmed, from scoping and containment through eradication and recovery.

To get one of these moving, reply to your usual DEFION contact, or reach out to our Respond team directly.


This article is for informational purposes and reflects publicly available reporting at the time of writing. Verify patch identifiers and version specifics against Oracle's official advisories and My Oracle Support before acting.
