Oracle PeopleSoft Zero-Day CVE-2026-35273 Hits Universities

CVE-2026-35273 is a critical (9.8) remote code execution flaw in Oracle PeopleSoft PeopleTools. The ShinyHunters extortion crew exploited it as a zero-day from May 27 to June 9, 2026 — before Oracle's June 10 advisory. Google's Mandiant notified more than 100 organizations; 68% were in higher education.
What happened with the Oracle PeopleSoft zero-day?
Attackers exploited a previously unknown flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. Google's Mandiant attributes the campaign to the extortion group it tracks as UNC6240, widely known as ShinyHunters, and dates the activity from May 27 to June 9, 2026. Oracle did not publish its advisory until June 10, so the bug was a true zero-day the entire time.
The vulnerability, CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10. It needs no login and no user interaction — just network access over HTTP — to take over the server. Mandiant CTO Charles Carmakal confirmed the flaw is being exploited in the wild. Oracle has not said whether it has observed exploitation itself. Affected versions include PeopleTools 8.61 and 8.62, with Oracle noting that earlier, unsupported releases are probably vulnerable too.
The damage is already concrete. Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints, and 68% of them were in higher education, most in the United States. The University of Nottingham is one of the first confirmed victims: Have I Been Pwned has counted roughly 455,000 unique email addresses in the leaked set, covering current students and alumni along with names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities.
Why does a two-week exposure window matter more than the patch?
Because for those two weeks, patching was not an option that existed — and that is the part most coverage underplays. From May 27 to June 10, no fix was available from Oracle. Any organization whose entire vulnerability strategy is "apply patches quickly" had zero protection during the exact window attackers were active. The orgs that came through clean did so on the strength of controls that have nothing to do with patch speed.
This is the distinction a vCISO draws constantly, and it is the one boards most often miss. Patch management answers the question "how fast do we fix known bugs?" Exposure management answers a different and more important one: "what of ours is reachable from the internet, and would we even know if it were attacked?" The first question had no good answer here. The second one decided who got breached.
The same lesson showed up in the attackers' own behavior. The campaign was discovered in part because the attackers left their staging servers exposed, and Mandiant warned that web application firewall (WAF) body-inspection rules alone are not enough, since they can be bypassed. A control you have not tested against bypass is a control you are assuming works. Exposure management is the discipline of removing those assumptions before an incident does it for you.
How did ShinyHunters get in?
The flaw sits in the Updates Environment Management component behind the PeopleSoft Environment Management Hub, known as PSEMHUB. When that hub is reachable from outside the network, an unauthenticated attacker can send crafted HTTP requests to take control of the server. After gaining access, the ShinyHunters operators deployed custom remote-management agents disguised as Microsoft Azure binaries, calling home to a command-and-control domain (azurenetfiles.net) chosen to look like a legitimate Azure service.
From there a lateral-movement script sprayed a hardcoded list of usernames and passwords against internal hosts, compressed the stolen data, and pushed it out to the group's leak-site infrastructure. The takeaway for a non-specialist: a single internet-facing component, left reachable when it did not need to be, was enough to expose an entire data-rich environment. The exploit did not need a password because the exposure handed it everything else.
Who is most exposed, and what changes by size and sector?
Any organization running on-premises PeopleSoft with the Environment Management Hub reachable from the internet is exposed — but the practical risk and the right response shift by sector and size. Higher education absorbed 68% of the notifications in this campaign, and that is not a coincidence: universities run large, long-lived PeopleSoft deployments for HR, finance, and student records, often with lean security teams and a culture of broad network access.
If you are a university or a large non-profit running on-prem ERP, treat internet-facing PeopleSoft endpoints as the single most urgent thing on your risk register this month. If you are a mid-market business that inherited PeopleSoft through an acquisition or a legacy HR system, the first question is simpler and more uncomfortable: do you even have an accurate inventory of what is exposed? In a surprising number of cases the answer is no, which is exactly how an avoidable exposure survives for years.
This is the kind of situation where a fractional CISO or vCISO earns the engagement — not by patching faster than your IT team, but by forcing the exposure-management question onto the table before an extortion crew asks it for you. The first 72 hours of a response like this are about scoping reachability and hunting for an existing compromise, and an experienced incident responder runs that drill from memory.
What should your organization do?
If you run Oracle PeopleSoft, treat the Environment Management Hub as your first priority and confirm whether it is reachable from outside your network. Oracle's own guidance, paired with Mandiant's detection advice, gives a clear sequence. The actions below are drawn directly from those advisories — do not improvise around them.
• Restrict exposure first. On multi-server setups, disable the Environment Management Hub service; on single-server setups, remove the PSEMHUB application outright. If you can do neither immediately, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter. Mandiant notes this does not break normal user sessions.
• Do not rely on a WAF alone. Mandiant explicitly warns that body-inspection rules can be bypassed, so a web application firewall rule is a supplement, not the fix.
• Hunt for an existing compromise. Review WebLogic access logs for external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector, look for unexpected .jsp files or odd folders under the PSEMHUB directories, check for recently changed XML files under the environment metadata path, and watch for unusual outbound SMB traffic on port 445 from PeopleSoft hosts.
• Apply Oracle's update once you confirm it is available for your PeopleTools version in My Oracle Support, then validate it actually deployed.
If you find evidence of intrusion — or you simply cannot answer the exposure question with confidence — that is the point to bring in dedicated incident response and risk assessment support rather than working it part-time around your day job. ShinyHunters has said victim outreach has only just started and that it has not yet posted most of the organizations it claims, so the list of named victims is likely to grow.
Frequently asked questions
Is there a patch for CVE-2026-35273 yet?
Oracle published its advisory on June 10, 2026 and points to a patch availability document behind a support login, but whether a full fix is broadly available is not yet clear. For now the practical guidance centers on mitigation: disable or remove the Environment Management Hub, or block its endpoints at the perimeter, then apply the update once you confirm it exists for your PeopleTools version in My Oracle Support.
How do I tell if my PeopleSoft server was exposed?
Your exposure comes down to one question: is the Environment Management Hub (PSEMHUB) reachable from the internet? If external requests can reach /PSEMHUB/hub or /PSIGW/HttpListeningConnector, that is your attack surface. Check your WebLogic access logs for external POST requests to those paths, which is one of the indicators Mandiant flagged as a sign of exploitation.
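As an added example (not code from the original post, from Oracle, or from Mandiant), the following Python script implements the log-review step from the "Hunt for an existing compromise" action above and the check this FAQ answer describes: it parses WebLogic-style Common Log Format access lines, keeps POST requests whose path is /PSEMHUB/hub or /PSIGW/HttpListeningConnector (or anything beneath them), and reports the ones that came from addresses outside your internal ranges. The log format, the sample lines and the internal-network list are assumptions; adjust the ranges to your own addressing and point it at your real access.log.

```python
"""Hunt WebLogic access logs for external POST requests to the PeopleSoft
paths named in the Oracle and Mandiant guidance (added example, not vendor code)."""
import ipaddress
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Paths the guidance says to block at the perimeter and to review in logs.
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Address ranges treated as "internal" (assumption: RFC 1918 plus loopback;
# replace with your own ranges, e.g. your VPN or management networks).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Common Log Format as WebLogic writes it by default. The " HTTP/x.y" suffix is
# optional because some WebLogic versions log the request line without it.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)')

# Constructed sample lines (not real traffic): two external POSTs to watched
# paths, two internal POSTs, and one ordinary portal GET.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.40 - - [02/Jun/2026:03:15:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
198.51.100.9 - - [02/Jun/2026:03:16:44 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 8811
198.51.100.9 - - [02/Jun/2026:03:17:02 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0
192.168.5.5 - - [02/Jun/2026:03:18:30 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 77
"""


@dataclass
class Hit:
    line_no: int
    src: str
    ts: str
    path: str
    status: int


def is_external(addr: str) -> bool:
    """True when the client address is outside every internal range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # A hostname or garbage in the host field: surface it rather than hide it.
        return True
    return not any(ip in net for net in INTERNAL_NETWORKS)


def is_watched(path: str) -> bool:
    """Match the exact path or anything beneath it, ignoring case."""
    p = path.lower()
    return any(p == w.lower() or p.startswith(w.lower() + "/") for w in WATCHED_PATHS)


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Return every external POST to a watched path, regardless of HTTP status."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        m = CLF.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("target").split("?", 1)[0]  # drop the query string first
        if is_watched(path) and is_external(m.group("host")):
            hits.append(Hit(n, m.group("host"), m.group("ts"), path, int(m.group("status"))))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per external source address."""
    return dict(Counter(h.src for h in hits))


if __name__ == "__main__":
    # Usage: python hunt_psemhub.py /path/to/access.log   (no argument: run the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = hunt(fh)
    else:
        found = hunt(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.src} POST {h.path} -> {h.status} at {h.ts}")
    print("per-source totals:", summarize(found))
```

Any hit is a reason to move to the rest of the hunt list (unexpected .jsp files under the PSEMHUB directories, recently changed XML under the environment metadata path, outbound SMB on 445 from PeopleSoft hosts); an empty result only tells you what the access log saw, so if the hub is reachable from outside, the perimeter block or service removal still comes first.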
Why were so many universities affected?
Higher education made up 68% of the organizations Mandiant notified. Universities tend to run large, long-standing on-premises PeopleSoft systems for HR, finance, and student records, frequently with lean security staffing and broad internal network access. That combination — a data-rich, internet-adjacent ERP and limited monitoring — is exactly what an extortion group looks for.
We're a mid-market company, not a university. Does this still matter?
Yes, if you run on-prem PeopleSoft or inherited it through an acquisition. The threat actor targeted an internet-facing component, not a specific industry. The deciding factor was reachability and monitoring, not sector. If you cannot produce an accurate inventory of which of your systems are exposed to the internet, this campaign is a direct argument for fixing that gap now.
Get ahead of the next zero-day exposure
Zero-days like CVE-2026-35273 are decided in the window before a patch exists — by whether you know what is exposed and whether you would notice an attack in progress. Purple Shield Security is an independent, vendor-neutral firm that helps small, mid-market, and regulated organizations answer those questions before an incident forces the issue. If you want a second set of eyes on your exposure and your response readiness, that is a conversation worth having.
By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM
Published By: Purple Shield Security
Published: June 12, 2026
Last updated: June 12, 2026
