CVE-2026-35273
published 2026-06-11

Priority: P1, 100, critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2026-06-15
Exploited in the wild
EPSS: 92.33% (99.8th percentile)
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected

4 ranges

Vendor | Product | Version range | Fixed in
oracle | peoplesoft_enterprise_peopletools | |
oracle | peoplesoft_enterprise_peopletools | |
oracle_corporation | peoplesoft_enterprise_peopletools | |
oracle_corporation | peoplesoft_enterprise_peopletools | |

Detection & IOCs (extracted from sources)

filename: meshagent64-azure-ops.exe
filename: meshagent64-v2.exe
filename: meshagent32-azure-ops.exe
filename: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
path: /PSEMHUB/hub
path: /PSIGW/HttpListeningConnector
port: 445
command: pv -s "$(du -sb exfil | awk '{print $1}')" | zstd -3 -T0 -o exfil.tar.zst
command: node meshctrl.js RunCommand --loginuser admin --loginpass '[password]' --id '[agent_id]' --run 'bash /tmp/[victim_abbreviation]_fanout.sh'
path: /webserv//applications/peoplesoft/PSEMHUB.war/
path: /envmetadata/data/environment/

  • Alert on HTTP POST requests from external source IPs to /PSEMHUB/hub and /PSIGW/HttpListeningConnector in WebLogic access logs.
  • Flag requests to /PSIGW/HttpListeningConnector containing loopback addresses or internal IP ranges in headers or parameters as potential SSRF exploitation.
  • Hunt for unexpected .jsp files under the PSEMHUB.war web application directory as indicators of post-exploitation webshell placement.
  • Hunt for unauthorized files or directories under PSEMHUB.war/envmetadata/transactions/ and unexpected directories named logs, persistantstorage, or scratchpad under PSEMHUB paths.
  • Hunt for recently created or modified .xml files under /envmetadata/data/environment/ which can be abused for XMLDecoder persistence that fires on the next server restart.
  • Detect presence of the extortion marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in PeopleSoft web and app server directories as a post-compromise indicator.
  • Detect MeshCentral agent binaries masquerading as Azure services (e.g., meshagent64-azure-ops.exe, meshagent32-azure-ops.exe) and C2 beaconing to azurenetfiles.net over WSS port 443.
  • TrendAI IPS Rule 1012580 and DDI Rule 5855 provide signature-based detection for the SSRF exploitation of CVE-2026-35273.
  • Mandiant warns that WAF body-inspection rules alone are insufficient for blocking exploitation of CVE-2026-35273 as they can be bypassed; network-level endpoint restriction is required.
  • Exploitation was observed against PeopleTools versions 8.61 and 8.62; Oracle notes earlier unsupported versions are also likely vulnerable.
  • Blocking /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter is considered non-breaking for standard end-user PIA browser sessions; these are administrative/system-to-system endpoints.
  • In multi-server configurations, the Environment Management Hub (EMHub) Service should be disabled; in single-server configurations, the PSEMHUB application should be completely removed as a compensating control.
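
The first two alerting rules in the list above, written as log-scanning logic. This is an added example, not code from this page or from any vendor. It assumes a WebLogic access log in Common Log Format, treats loopback, RFC 1918 and link-local ranges as internal, and inspects only the URL query string because that log format carries no headers; the sample lines and the parameter name `p` are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoints named on this page, compared in lower case as path prefixes.
WATCHED = ("/psemhub/hub", "/psigw/httplisteningconnector")
# Assumptions: Common Log Format; loopback, RFC 1918, link-local are "internal".
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def is_internal(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:  # hostname or malformed value: not treated as internal
        return False
    return any(ip in net for net in INTERNAL)

def internal_targets(uri):
    # Look for loopback/internal addresses in the URL-decoded query string.
    query = unquote(uri.partition("?")[2]).lower()
    hits = [ip for ip in IPV4.findall(query) if is_internal(ip)]
    return hits + (["localhost"] if "localhost" in query else [])

def scan(lines):
    # Returns (line_no, rule, client, detail) for each suspicious request.
    findings = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue
        client, method, uri = m.groups()
        path = unquote(uri.partition("?")[0]).lower()
        if not path.startswith(WATCHED):
            continue
        if method == "POST" and not is_internal(client):
            findings.append((n, "external-post", client, path))
        if path.startswith(WATCHED[1]):
            findings += [(n, "internal-address-in-params", client, t)
                         for t in internal_targets(uri)]
    return findings

# Constructed sample lines (documentation address ranges, made-up parameter "p").
SAMPLE = [
    '203.0.113.7 - - [11/Jun/2026:10:00:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.1.2.3 - - [11/Jun/2026:10:00:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '198.51.100.9 - - [11/Jun/2026:10:00:03 +0000] "GET /PSIGW/HttpListeningConnector?p=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 90',
]
```

Calling `scan(SAMPLE)` flags the external POST on line 1 and the loopback address in the query on line 3; the POST from an internal client on line 2 is not flagged.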

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |