CVE-2026-35273
Oracle PeopleSoft PeopleTools Unauthenticated Remote Code Execution Vulnerability | Active Exploitation
Oracle has disclosed CVE-2026-35273, a critical unauthenticated remote code execution vulnerability affecting Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The flaw exists within the Updates Environment Management component and can be exploited remotely over HTTP without valid credentials. Successful exploitation may allow attackers to execute arbitrary code, take control of affected servers, access sensitive enterprise data, modify application logic, and disrupt critical business operations. Public reporting and threat intelligence indicate the vulnerability has already been exploited in the wild as a zero-day by the ShinyHunters threat group prior to Oracle’s advisory.
Technical Details
CVE-2026-35273 affects the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools.
Key characteristics include:
- Unauthenticated remote code execution
- Network exploitable over HTTP
- No user interaction required
- Low attack complexity
- Affects PeopleTools 8.61 and 8.62
- Can lead to complete server compromise
According to Oracle and threat intelligence reporting, exploitation allows attackers to gain control of vulnerable PeopleSoft environments, potentially exposing HR, payroll, financial, student, and operational data. The vulnerability requires only network access to a reachable PeopleSoft endpoint.
NodeZero® Proactive Security Platform — Rapid Response
A NodeZero Rapid Response test has been developed to safely validate whether this remote code execution vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
- Run the Rapid Response test: Launch from the NodeZero platform to determine whether vulnerable PeopleSoft endpoints can be exploited.
- Patch immediately: Apply Oracle’s recommended mitigations and security updates for supported PeopleTools versions.
- Re-run the test: Confirm the vulnerability is no longer exploitable after remediation.
Indicators of Compromise
| Indicator | Type | Description |
| --- | --- | --- |
| 142.11.200[.]186-190 | IP Address | Known attacker infrastructure associated with observed exploitation activity |
| 108.174.202[.]99 | IP Address | Known attacker infrastructure associated with observed exploitation activity |
| 176.120.22[.]24 | IP Address | Known attacker infrastructure associated with observed exploitation activity |
| UNC6240 (ShinyHunters) | Threat Actor | Group attributed to active exploitation campaign |
| May 27 – June 9, 2026 | Activity Window | Period during which exploitation activity was observed |
Threat intelligence from Google Cloud and Mandiant identified active compromise and extortion campaigns targeting Oracle PeopleSoft environments. Researchers observed exploitation activity prior to Oracle’s June 10, 2026 disclosure, confirming zero-day exploitation in the wild. ShinyHunters reportedly targeted approximately 300 PeopleSoft instances across more than 100 organizations. A publicly acknowledged victim was the University of Nottingham.
Affected versions & patch
Affected:
- Oracle PeopleSoft Enterprise PeopleTools 8.61
- Oracle PeopleSoft Enterprise PeopleTools 8.62
Patch:
- Apply Oracle’s security update and recommended mitigations immediately.
- Oracle advises customers running unsupported PeopleTools versions to upgrade to a supported release as soon as possible.
- Restrict access to Environment Management Hub (PSEMHUB) endpoints and ensure they are not exposed externally wherever possible.
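A log triage sketch tying the indicators above to the PSEMHUB restriction, added here as an example and not code from Oracle, Mandiant, or Horizon3.ai. It flags requests from the listed IP addresses and any PSEMHUB request from a non-internal source, and marks whether each falls in the observed activity window. Assumptions: Common/Combined Log Format, the window treated as UTC, RFC 1918 ranges as "internal", and the hypothetical names `triage` and `SAMPLE`.

```python
import ipaddress
import re
from datetime import datetime, timezone

# IoC addresses from the table above; "142.11.200[.]186-190" expands to five hosts.
IOC_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
IOC_IPS |= {ipaddress.ip_address(a) for a in ("108.174.202.99", "176.120.22.24")}
# Observed activity window from the page (May 27 - June 9, 2026); UTC is an assumption.
START = datetime(2026, 5, 27, tzinfo=timezone.utc)
END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive upper bound
# Assumption: these ranges are "internal"; replace with your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: web/proxy logs use Common or Combined Log Format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

def triage(lines):
    """Return (reason, source_ip, in_activity_window, path) for lines worth reviewing."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        try:
            ip = ipaddress.ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of an IP, or unparsable timestamp
        path = m.group(3)
        in_window = START <= ts < END
        if ip in IOC_IPS:
            reason = "ioc-ip"  # any request from listed infrastructure
        elif "psemhub" in path.lower() and not any(ip in net for net in INTERNAL):
            reason = "external-psemhub"  # hub reachable from outside: exposure finding
        else:
            continue
        hits.append((reason, str(ip), in_window, path))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '108.174.202.99 - - [02/Jun/2026:14:03:11 +0000] "POST /PSEMHUB/ HTTP/1.1" 200 512',
    '142.11.200.188 - - [15/Jun/2026:09:00:00 +0000] "GET /index.html HTTP/1.1" 302 0',
    '203.0.113.7 - - [03/Jun/2026:10:00:00 +0000] "GET /PSEMHUB/ HTTP/1.1" 200 128',
    '10.1.2.3 - - [03/Jun/2026:10:05:00 +0000] "POST /PSEMHUB/ HTTP/1.1" 200 64',
    '142.11.200.191 - - [03/Jun/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

An `ioc-ip` hit outside the window is still worth reviewing, since the window only bounds what was observed before disclosure.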
Timeline
- May 27, 2026 – Earliest observed exploitation activity attributed to UNC6240 (ShinyHunters).
- June 9, 2026 – Latest date included in Mandiant and Google-observed exploitation activity prior to public disclosure.
- June 10, 2026 – Oracle published its Security Alert for CVE-2026-35273.
- June 11, 2026 – Multiple security researchers and media outlets reported active exploitation and victim disclosures.
- June 12, 2026 – Horizon3.ai released a NodeZero Rapid Response test for CVE-2026-35273.
References
- BleepingComputer – Oracle Mitigates PeopleSoft Zero-Day Exploited in Data Theft Attacks
- Oracle Security Alert Advisory – CVE-2026-35273
- Oracle Security Blog – Security Alert CVE-2026-35273 Released
- NIST CVE-2026-35273
- Google Cloud / Mandiant – ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
- SecurityWeek – Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters
- The Hacker News – ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Universities
- Help Net Security – Oracle PeopleSoft Servers Under Attack