Oracle broke its quarterly patch cadence on June 10 to push an out-of-band Security Alert for CVE-2026-35273, an unauthenticated remote code execution flaw in PeopleSoft Enterprise PeopleTools. A day later, Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild, and the ShinyHunters extortion crew is claiming it has already breached more than 100 organizations and stolen data from roughly 300 PeopleSoft instances. If you run PeopleSoft anywhere a hostile network can reach it, stop reading the rest of your backlog and deal with this.

The bug

CVE-2026-35273 lives in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. Oracle scores it CVSS 9.8 with the vector AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H — network attack vector, low complexity, no privileges, no user interaction, total impact across confidentiality, integrity, and availability. An unauthenticated attacker only needs HTTP access to a vulnerable instance. Oracle’s own language calls it “easily exploitable,” and successful exploitation results in complete takeover of the PeopleSoft environment.

Affected releases are PeopleTools 8.61 and 8.62. Oracle warns that earlier and unsupported versions are likely vulnerable too, even though they were not formally tested — so if you are sitting on an out-of-support 8.5x line, assume you are in scope rather than hoping you aren’t. The flaw was reported by researchers at TrendAI Zero Day Initiative and TrendAI Research.

One wrinkle worth flagging for planning: the alert links to a “patch availability document” that is gated behind an Oracle support account, and at publication time it is unclear whether a complete patch has actually shipped or whether Oracle is currently offering mitigations only. Treat the support-portal document as the source of truth for your version and confirm what you are actually applying.

Why it matters

PeopleSoft is the connective tissue of HR, payroll, financials, and student-records systems at a large share of universities, government bodies, and enterprises. These are exactly the deployments that run on long change-management cycles, sit on internet-reachable portals for self-service access, and store enormous volumes of personal data. A pre-auth, no-interaction RCE against that footprint is close to a worst case.

The exploitation is not theoretical. ShinyHunters told Bleeping Computer it has been breaching PeopleSoft servers — on-prem and cloud alike — using what it described as a “gadget chain” of old and zero-day vulnerabilities, with educational institutions making up most of the victims. Among the confirmed casualties is the University of Nottingham, which acknowledged a security incident and notified affected students after the group leaked tens of gigabytes of data, including personal details and academic records for close to half a million current and former students.

A threat researcher corroborated the campaign after finding the attackers’ own exposed directories. The tooling shows operators who know PeopleSoft cold: harvesting credentials straight out of psappsrv.cfg (the application-server config), mapping connected nodes, and fingerprinting the web, app, and batch tiers. A purpose-built shell script (uon_fanout.sh) sprayed defacement markers across PeopleSoft infrastructure, and a /pay_or_leak endpoint hosted stolen data from 20-plus organizations, several not yet publicly named.

Am I affected?

You are in scope if you run PeopleSoft Enterprise PeopleTools 8.61 or 8.62 — or any earlier version — with the management interface reachable from an untrusted network. Triage:

  • Inventory every PeopleSoft instance and check the PeopleTools release against Oracle’s alert. Don’t forget DR, test, and clone environments; attackers don’t.
  • Identify which instances expose web or PIA endpoints to the internet. Anything internet-facing is a priority-one finding.
  • Hunt for compromise already underway: unexpected reads or modifications of psappsrv.cfg, unfamiliar processes spawned by the app-server account, new or altered files in deployment directories, defacement markers, and outbound connections to unknown hosts.

Mitigation

  1. Apply Oracle’s fix immediately. Log into your support account, pull the patch-availability document for your exact PeopleTools version, and apply whatever Oracle has released. This is the priority-one action.
  2. Get the interface off the open internet. If you cannot patch this hour, restrict network access to PeopleSoft PIA and management endpoints to a VPN or trusted management segment. A pre-auth RCE behind a network ACL is a far smaller fire.
  3. Rotate everything the app server can see. Assume psappsrv.cfg credentials, integration-broker secrets, and connected-node accounts are compromised on any exposed instance, and rotate them.
  4. Threat-hunt against the published IOCs. The researcher who mapped the campaign posted attacker IPs and domains; feed them into your SIEM and EDR and look backward, not just forward — exploitation predates the alert.
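A small triage-and-hunt helper that covers the "Am I affected?" checklist and mitigation step 4 together, added here as an example; it is not code from Oracle, the article, or the researcher who mapped the campaign. The inventory, audit lines and IOC values are constructed placeholders, and the app-server account name psadm and the audit-line format are assumptions.

```python
import re

# Constructed placeholder IOCs: swap in the attacker IPs/domains the researcher published.
IOC_HOSTS = {"203.0.113.10", "attacker.example"}
TOOL_MARKERS = ("uon_fanout.sh", "/pay_or_leak")  # tooling reported for this campaign
APP_SERVER_USER = "psadm"  # assumed name of the app-server service account

# Constructed sample inventory and audit/firewall lines so the block runs stand-alone.
SAMPLE_INVENTORY = [
    {"name": "hr-prod", "peopletools": "8.61.07", "internet_facing": True},
    {"name": "fin-test", "peopletools": "8.62.01", "internet_facing": False},
    {"name": "sa-dr", "peopletools": "8.59.12", "internet_facing": True},
]
SAMPLE_LOG = [
    "audit: user=psadm proc=psappsrv open /opt/psft/appserv/HR/psappsrv.cfg",
    "audit: user=www-data proc=/bin/sh open /opt/psft/appserv/HR/psappsrv.cfg",
    "audit: user=www-data proc=/bin/bash exec /tmp/uon_fanout.sh",
    "fw: outbound 10.0.4.21 -> 203.0.113.10:443 allowed",
]

def in_scope(peopletools: str) -> bool:
    """8.61, 8.62 and every earlier line are in scope per Oracle's alert;
    anything newer must still be checked against the alert, not assumed clean."""
    major, minor = (int(p) for p in peopletools.split(".")[:2])
    return (major, minor) <= (8, 62)

def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """priority_one = in scope and internet-facing; in_scope = the remaining in-scope hosts."""
    result: dict[str, list[str]] = {"priority_one": [], "in_scope": []}
    for host in inventory:
        if in_scope(host["peopletools"]):
            key = "priority_one" if host["internet_facing"] else "in_scope"
            result[key].append(host["name"])
    return result

# Assumed audit-line shape: "user=<name> ... open|write ... psappsrv.cfg".
CFG_RE = re.compile(r"user=(\S+) .* (?:open|write) .*psappsrv\.cfg")

def hunt(lines: list[str]) -> list[str]:
    """Findings for the hunt bullets: psappsrv.cfg touched by a non-app-server account,
    references to known attacker tooling, and connections to IOC hosts."""
    findings = []
    for line in lines:
        m = CFG_RE.search(line)
        if m and m.group(1) != APP_SERVER_USER:
            findings.append(f"psappsrv.cfg accessed by {m.group(1)}: {line}")
        if any(marker in line for marker in TOOL_MARKERS):
            findings.append(f"attacker tooling: {line}")
        if any(ioc in line for ioc in IOC_HOSTS):
            findings.append(f"IOC hit: {line}")
    return findings
```

Run hunt() over historical logs as well as live ones, since exploitation predates the alert.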

ShinyHunters has been running this for days, the alert is out, and a working chain is in active use. The window to patch ahead of the attackers has, for many shops, already closed — so pair patching with a compromise assessment rather than assuming a clean bill of health.