CVE-2026-35273
Published 2026-06-11
Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
Vector: AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (due 2026-06-15)
Exploited in the wild
EPSS: 92.33% (99.8th percentile)
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | peoplesoft_enterprise_peopletools | — | — |
| oracle | peoplesoft_enterprise_peopletools | — | — |
| oracle_corporation | peoplesoft_enterprise_peopletools | — | — |
| oracle_corporation | peoplesoft_enterprise_peopletools | — | — |
Detection & IOCs (extracted from sources)
- Command: `node meshctrl.js RunCommand --loginuser admin --loginpass '[password]' --id '[agent_id]' --run 'bash /tmp/[victim_abbreviation]_fanout.sh'`
- Alert on HTTP POST requests from external source IPs to /PSEMHUB/hub and /PSIGW/HttpListeningConnector in WebLogic access logs.
- Flag requests to /PSIGW/HttpListeningConnector containing loopback addresses or internal IP ranges in headers or parameters as potential SSRF exploitation.
- Hunt for unexpected .jsp files under the PSEMHUB.war web application directory as indicators of post-exploitation webshell placement.
- Hunt for unauthorized files or directories under PSEMHUB.war/envmetadata/transactions/ and unexpected directories named logs, persistantstorage, or scratchpad under PSEMHUB paths.
- Hunt for recently created or modified .xml files under /envmetadata/data/environment/ which can be abused for XMLDecoder persistence that fires on the next server restart.
- Detect presence of the extortion marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in PeopleSoft web and app server directories as a post-compromise indicator.
- Detect MeshCentral agent binaries masquerading as Azure services (e.g., meshagent64-azure-ops.exe, meshagent32-azure-ops.exe) and C2 beaconing to azurenetfiles.net over WSS port 443.
- TrendAI IPS Rule 1012580 and DDI Rule 5855 provide signature-based detection for the SSRF exploitation of CVE-2026-35273.
- Mandiant warns that WAF body-inspection rules alone are insufficient for blocking exploitation of CVE-2026-35273 as they can be bypassed; network-level endpoint restriction is required.
- Exploitation was observed against PeopleTools versions 8.61 and 8.62; Oracle notes earlier unsupported versions are also likely vulnerable.
- Blocking /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter is considered non-breaking for standard end-user PIA browser sessions; these are administrative/system-to-system endpoints.
- In multi-server configurations, the Environment Management Hub (EMHub) Service should be disabled; in single-server configurations, the PSEMHUB application should be completely removed as a compensating control.
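
The two access-log checks from the list above, as an added example that is not taken from any of the cited sources. It assumes WebLogic access logs in Common Log Format, treats loopback, RFC 1918 and link-local IPv4 space as internal, and inspects only the request line, because headers and POST bodies are not recorded in that format. The sample lines and the parameter name `p` are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoints named in the detection guidance above (compared case-insensitively).
WATCHED = ("/psemhub/hub", "/psigw/httplisteningconnector")
# Assumption: "internal" means loopback, RFC 1918 and link-local IPv4 space.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Assumption: Common Log Format, client address in the first field.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+')
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def is_internal(addr):
    """True if addr parses as an IP inside one of the INTERNAL networks."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in INTERNAL)
    except ValueError:
        return False

def triage(line):
    """Return the finding tags for one access-log line (empty list if clean)."""
    m = CLF.match(line)
    if not m:
        return []
    src, method, uri = m.groups()
    path, _, query = uri.partition("?")
    path = unquote(path).lower()
    if not path.startswith(WATCHED):
        return []
    findings = []
    if method == "POST" and not is_internal(src):
        findings.append("external-post")
    if path.startswith(WATCHED[1]):
        decoded = unquote(unquote(query)).lower()  # tolerate double encoding
        if "localhost" in decoded or any(is_internal(a) for a in IPV4.findall(decoded)):
            findings.append("internal-address-in-params")
    return findings

def scan(lines):
    """Return (line_number, tags) for every line with at least one finding."""
    return [(n, t) for n, t in ((i, triage(l)) for i, l in enumerate(lines, 1)) if t]

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jun/2026:10:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/Jun/2026:10:00:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jun/2026:10:00:02 +0000] "POST /PSIGW/HttpListeningConnector?p=http%3A%2F%2F127.0.0.1%3A8000%2F HTTP/1.1" 200 0',
]
```

If the web tier sits behind a reverse proxy or load balancer, the first log field is the proxy address and every request will look internal; feed the function the logged client address instead.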
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.8 CRITICAL
- cisa · 9.8 CRITICAL
GHSA
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management).
ghsa_unreviewed·2026-06-11
CVE-2026-35273 [CRITICAL] CWE-306 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management).
VulnCheck
Oracle peoplesoft_enterprise_peopletools Missing Authentication for Critical Function
vulncheck·2026·CVSS 9.8
CVE-2026-35273 [CRITICAL] Oracle peoplesoft_enterprise_peopletools Missing Authentication for Critical Function
Affected: Oracle peoplesoft_enterprise_peopletools
Required Action: Apply remediations or mitigations per vendor instructions or discontinue
CISA
Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
cisa·2026-06-12·CVSS 9.8
CVE-2026-35273 [CRITICAL] CWE-306 Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Vulnerability: Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Affected: Oracle PeopleSoft Enterprise PeopleTools
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating
No detection rules found.
Nuclei
Oracle PeopleSoft PeopleTools PSEMHUB - Pre-Auth Java Deserialization RCE
nuclei·CVSS 9.8
CVE-2026-35273 [CRITICAL] Oracle PeopleSoft PeopleTools PSEMHUB - Pre-Auth Java Deserialization RCE
Oracle PeopleSoft PeopleTools 8.61 and 8.62 contain a remote code execution vulnerability in Updates Environment Management, letting unauthenticated network attackers fully compromise the system. Exploitation requires network access via HTTP.
Template:
```yaml
id: CVE-2026-35273
info:
  name: Oracle PeopleSoft PeopleTools PSEMHUB - Pre-Auth Java Deserialization RCE
  author: DhiyaneshDk
  severity: critical
  description: |
    Oracle PeopleSoft PeopleTools 8.61 and 8.62 contain a remote code execution vulnerability in Updates Environment Management, letting unauthenticated network attackers fully compromise the system, exploit requires network access via HTTP.
  impact: |
    Unauthenticated attackers can fully compromise PeopleSoft Enterpris
```
Hackernews
Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
blogs_hackernews·2026-06-30·CVSS 9.8
CVE-2026-46817 [CRITICAL] Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
## Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber.
The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), refers to an improper privilege management and authentication flaw in Oracle Payments that could be abused to take over susceptible instances.
"Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments," according to a description of the flaw in the NIST National Vulnerability Database (NVD
Tenable
Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273)
blogs_tenable·2026-06-18·CVSS 9.8
CVE-2026-35273 [CRITICAL] Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273)
## Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273)
Oracle addresses 243 CVEs in its June 2026 Critical Security Patch Update with 245 patches, including 122 critical updates.
## Key Takeaways
- The June 2026 Critical Security Patch Update (CSPU) contains fixes for 243 unique CVEs in 245 security updates
- 122 issues (49.8% of all patches) were assigned a critical severity rating
- Oracle Fusion Middleware received the highest number of patches at 106, accounting for 43.3% of all patches
## Background
On June 16, Oracle released its Critical Security Patch Update (CSPU) for June 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of
Checkpoint
15th June – Threat Intelligence Report
blogs_checkpoint·2026-06-15·CVSS 9.8
CVE-2026-35273 [CRITICAL] 15th June – Threat Intelligence Report
## 15th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 15th June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The University of Nottingham, a UK research university, has suffered a data breach after ShinyHunters accessed its student records system. The incident affected about 454,600 current and former students and exposed contact details, passport numbers, enrollment information, and fee payment records later appeared online. According
Hackernews
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews·2026-06-15·CVSS 8.8
CVE-2026-11645 [HIGH] ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
## ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
Rapid7
Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)
blogs_rapid7·2026-06-12·CVSS 9.8
CVE-2026-35273 [CRITICAL] Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)
## Overview
On June 10, 2026, Oracle published a security alert for CVE-2026-35273, a critical vulnerability in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. Oracle released an out-of-band patch the same day as the advisory, underscoring the urgency of remediation. The vulnerability has a CVSSv3.1 score of 9.8 and is remotely exploitable without authentication. Per the vendor advisory, successful exploitation may result in remote code execution (RCE). TrendAI has classified the underlying flaw as a server-side request forgery (CWE-918). PeopleTools versions 8.61 and 8.62 are affected.
CVE-2026-35273 was reported to Oracle through TrendAI's Zero Day Initiative. According to a report published by Mandiant on June 11, 2026, this vulnerability has been
Hackernews
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
blogs_hackernews·2026-06-12·CVSS 9.8
CVE-2026-35273 [CRITICAL] ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
## ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest.
Google's Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.
The flaw, CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10. It needs n
Mandiant
ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
blogs_mandiant·2026-06-11·CVSS 9.8
CVE-2026-35273 [CRITICAL] ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
## ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
## Mandiant
## Introduction
Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component. The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day.
Upon becoming aware o
Bleepingcomputer
Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
blogs_bleepingcomputer·2026-06-11·CVSS 9.8
CVE-2026-35273 [CRITICAL] Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
## Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
## Lawrence Abrams
Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks.
The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8.
"This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability," reads a new Oracle advisory.
"This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution."
Oracle has confirmed that th
- 2026-06-11: Published
- 2026-06-12: Added to CISA KEV
- Exploited in the wild