
CVE-2026-35273: Oracle PeopleSoft PeopleTools — Missing Authentication Enabling Unauthenticated Takeover

CVE Details

CVE ID: CVE-2026-35273
CVSS Score: 9.8
Severity: Critical
Vendor: Oracle
Product: PeopleSoft Enterprise PeopleTools
Patch Status: Available
Published: June 12, 2026
EPSS Score: 0.0%
CISA Patch Deadline: July 3, 2026

Executive Summary

CVE-2026-35273 is a critical missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools, carrying a CVSSv3.1 score of 9.8. Successful exploitation allows an unauthenticated remote attacker to achieve full takeover of the PeopleSoft environment, with demonstrated paths to remote code execution and data exfiltration.

Oracle issued an out-of-band security alert and patch on 10 June 2026 — two weeks after active exploitation was already underway. CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog on 12 June 2026 with a mandatory remediation deadline of 15 June 2026 for federal agencies. The three-day deadline reflects the severity and ongoing exploitation activity. Use in ransomware campaigns is confirmed.

Affected Versions

  • PeopleSoft Enterprise PeopleTools 8.61 — all patch sets prior to Oracle’s June 2026 out-of-band release
  • PeopleSoft Enterprise PeopleTools 8.62 — all patch sets prior to Oracle’s June 2026 out-of-band release

PeopleTools 8.60 and earlier are not listed as affected in Oracle’s advisory. Organisations running 8.61 or 8.62 in any configuration — on-premises or Oracle-hosted — should treat this as urgent.

Vulnerability Details

The flaw resides in the Updates Environment Management component of PeopleTools, specifically the Environment Management Hub (EMHub). Two endpoints are implicated in exploitation chains:

  • /PSEMHUB/hub — the Environment Management Hub listener
  • /PSIGW/HttpListeningConnector — the Integration Gateway HTTP listener

The root cause (CWE-306) is the absence of authentication enforcement on requests to these endpoints. An attacker who can reach them over the network — no credentials required — can interact directly with the management layer. Secondary classification as CWE-918 (Server-Side Request Forgery) reflects that one documented exploitation path uses the unauthenticated access to proxy requests through the server, reaching internal services and facilitating further exploitation.

The combination of unauthenticated access plus SSRF creates a path to RCE: attackers can leverage the Integration Gateway to interact with internal PeopleSoft application servers, chain additional requests, and ultimately achieve code execution in the context of the application service account. In enterprise deployments, the PeopleSoft service account typically has broad access to databases, LDAP directories, and connected ERP systems.

PeopleSoft environments commonly process HR records, payroll, financial transactions, and student data — making the data theft potential significant beyond RCE alone.

Exploitation in the Wild

Mandiant’s analysis established that exploitation began on or around 27 May 2026, approximately two weeks before Oracle’s advisory. This confirms zero-day exploitation: Oracle had no patch available when threat actors were already compromising systems.

ShinyHunters, a financially motivated threat actor known for large-scale data theft and extortion operations, is actively exploiting this vulnerability. The group’s documented pattern is to exfiltrate sensitive datasets and threaten public release unless ransoms are paid. In this campaign, ShinyHunters has targeted organisations with internet-exposed PeopleSoft environments, exfiltrating HR and student datasets.

Cl0p has also been attributed to exploitation of this vulnerability, consistent with the group’s pattern of rapidly operationalising high-profile enterprise application flaws (previous campaigns include MOVEit, GoAnywhere, and Accellion FTA). Cl0p typically favours mass exploitation of a vulnerability across many targets simultaneously before engaging in extortion — the tight CISA remediation deadline reflects awareness that such a campaign is likely underway or imminent.

Target sectors include higher education (PeopleSoft Campus Solutions), public sector HR, and large enterprise ERP environments. Government agencies subject to BOD 26-04 are explicitly named in CISA’s required action language.

Patch and Remediation

Oracle released an out-of-band security patch on 10 June 2026. This is separate from Oracle’s quarterly Critical Patch Update schedule — the out-of-band release signals Oracle’s own assessment of urgency.

Immediate steps:

  1. Apply Oracle’s out-of-band patch for CVE-2026-35273. The patch is available via Oracle Support (support.oracle.com) and the Oracle Security Alert advisory at https://www.oracle.com/security-alerts/alert-cve-2026-35273.html

  2. If patching cannot be completed immediately, restrict network access to the vulnerable endpoints. The /PSEMHUB/hub and /PSIGW/HttpListeningConnector paths should not be accessible from untrusted networks. Place PeopleSoft web servers behind a WAF or access gateway with IP allowlisting where feasible.

  3. Review Oracle’s Forensics Triage Requirements guidance linked in the CISA KEV entry. Given the two-week pre-patch exploitation window, any organisation with internet-exposed PeopleSoft should assume potential compromise and conduct forensic review even if patched.

  4. Check the Oracle Support portal (support.oracle.com), which requires sign-in — the advisory links to it, suggesting some workaround details are available only behind the support portal.

No complete workaround exists that fully mitigates the vulnerability without patching. Network-layer controls reduce exposure but do not eliminate the authentication bypass if the endpoints remain accessible to any network path.

Detection

Log sources to review:

  • PeopleSoft web server access logs — look for unauthenticated POST or GET requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from unexpected source IPs, particularly from external addresses or internal systems that should not be initiating integration requests
  • PeopleSoft application server logs — look for unusual internal requests initiated via the Integration Gateway
  • Network perimeter logs — unexpected outbound connections from PeopleSoft application or web server hosts may indicate post-exploitation activity (data exfiltration, C2 beaconing)
  • Database audit logs — unusual query patterns or bulk data retrieval from HR, payroll, or student tables may indicate exfiltration

IOCs:

ShinyHunters has historically used cloud storage infrastructure for staging exfiltrated data. Egress traffic from PeopleSoft hosts to cloud object storage endpoints (S3, Azure Blob) that is not part of expected backup or integration workflows warrants investigation.

SIEM query guidance:

Filter web server access logs for requests matching the pattern (/PSEMHUB/hub|/PSIGW/HttpListeningConnector) without a corresponding authenticated session. Pair with IP reputation lookups and volume analysis — mass exploitation typically produces request spikes from novel source IPs.

Given confirmed exploitation prior to patch availability, organisations should treat the detection scope as incident response scope: look for evidence of compromise, not just evidence of attempts.
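As an added illustration of the SIEM guidance above (not part of the original advisory), the following Python sketch walks constructed combined-format web access-log lines, counts requests to the two endpoints per source IP, separates a hypothetical allowlist of integration hosts from unexpected sources, flags request bursts, and distinguishes 2xx responses (the request got through) from blocked attempts. The log lines, IP addresses and allowlist are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in NCSA combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:02:14:05 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [28/May/2026:02:14:06 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [28/May/2026:02:14:07 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.20.30.40 - - [28/May/2026:02:15:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 300 "-" "Java/1.8.0_392"
198.51.100.9 - - [28/May/2026:02:16:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_HOME.GBL HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.55 - - [28/May/2026:02:17:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

# The two endpoints named in the advisory (matched case-insensitively, since
# some web tiers treat paths that way).
TARGET_PATHS = re.compile(r"^/(PSEMHUB/hub|PSIGW/HttpListeningConnector)(/|\?|$)", re.I)
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Hypothetical allowlist of hosts that legitimately post to the Integration Gateway.
KNOWN_INTEGRATION_SOURCES = {"10.20.30.40"}


def find_suspect_requests(log_text, known_sources=KNOWN_INTEGRATION_SOURCES, spike_threshold=3):
    """Return (hits, findings): hits maps source IP -> request count to the
    vulnerable endpoints; findings lists non-allowlisted IPs, flagging bursts
    ('spike') and at least one 2xx response ('reached_endpoint')."""
    hits = Counter()
    succeeded = set()
    for line in log_text.splitlines():
        rec = LOG_LINE.match(line)
        if not rec or not TARGET_PATHS.match(rec["path"]):
            continue  # unparseable line or an unrelated path
        hits[rec["ip"]] += 1
        if rec["status"].startswith("2"):
            succeeded.add(rec["ip"])
    findings = []
    for ip, count in hits.items():
        if ip in known_sources:
            continue  # expected integration traffic; still worth periodic review
        findings.append({
            "ip": ip,
            "requests": count,
            "spike": count >= spike_threshold,
            "reached_endpoint": ip in succeeded,
        })
    # Successful, high-volume sources first: those are incident-response scope.
    findings.sort(key=lambda f: (not f["reached_endpoint"], -f["requests"]))
    return hits, findings
```

Combined-format logs carry no session identifier, so the script approximates "no corresponding authenticated session" with the allowlist and volume checks the guidance describes; feed it the real access log text and your own allowlist to use it.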