Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation

Executive Summary

Oracle Security Advisory documents CVE-2026-35273, a critical remote code execution (RCE) vulnerability in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. On affected systems, unauthenticated remote attackers can execute arbitrary code on the underlying server via crafted HTTP requests to the PeopleSoft Environment Management Hub (PSEMHUB) Oracle Security Alerts.

Google Mandiant reports active zero-day exploitation of this vulnerability by the threat actor group ShinyHunters (tracked as UNC6240) between May 27, 2026, and June 9, 2026, targeting over 100 organizations with 300 PeopleSoft instances. Approximately 68% of the affected entities were in the higher education sector Mandiant Blog. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-06-12, with a federal due date of 2026-07-03 CISA KEV.

Key Facts

cve: "CVE-2026-35273"
vendor: "Oracle"
product: "PeopleSoft PeopleTools"
vulnerability_class: "SSRF-to-RCE"
cwe: "CWE-306"
vendor_severity: "Critical"
cvss_v3_1: "9.8"
required_configuration: "PSEMHUB endpoint exposed to network traffic"
affected_versions:
  - "8.61"
  - "8.62"
kev_added: "2026-06-12"
kev_due_date: "2026-07-03"
fixed_versions: "Apply June 2026 Oracle Security Update"
last_verified: "2026-06-12"

Evidence Assessment

• confirmed: Oracle released patches on June 10, 2026, addressing CVE-2026-35273 in PeopleTools 8.61 and 8.62.
• confirmed: Threat actors targeted the PSEMHUB endpoint to execute commands without authentication.
• confirmed: Threat actors deployed customized MeshCentral remote management agents using the domain azurenetfiles.net to masquerade as Azure file systems.
• confirmed: Threat actors deployed JSP webshells and dropped ransom files named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
• confirmed: CISA added the CVE to KEV on 2026-06-12.

Exposure Checks

Identify whether your PeopleSoft environment is running affected PeopleTools versions and exposing the Environment Management Hub.

1. Check Version: Check psconfig.sh or query the database table PSSTATUS for the PeopleTools release level:

SELECT TOOLSREL FROM PSSTATUS;

If the version returned starts with 8.61 or 8.62, the environment is potentially vulnerable.

2. Check Endpoint Accessibility: Verify if the PSEMHUB or Integration Gateway endpoint is publicly accessible:

curl -I -s -o /dev/null -w "%{http_code}\n" https://<peoplesoft-host>/PSEMHUB/
curl -I -s -o /dev/null -w "%{http_code}\n" https://<peoplesoft-host>/PSIGW/HttpListeningConnector

An HTTP status of 200 or 403 indicates the service path is reachable and requires network-level access control.

Impact Determination

Classification	Criteria	Required evidence	Required action
Confirmed exploitation	Telemetry or filesystem audit shows unauthorized PSEMHUB calls, deployed JSP webshells, or MeshCentral agents masquerading as Azure services.	Access logs for /PSEMHUB/, file system paths for unexpected JSP scripts, or active connections to azurenetfiles.net.	Isolate the affected server, revoke database credentials, preserve server memory/logs, and audit application data accesses.
Presumed exposed	PeopleSoft PeopleTools versions 8.61 or 8.62 are active and the PSEMHUB endpoint is accessible.	Version check (e.g. 8.61.x or 8.62.x) and network accessibility scan.	Apply Oracle’s official security updates immediately, and restrict EMHub access.
Potentially exposed	PeopleSoft PeopleTools version or EMHub endpoint visibility is undetermined.	System inventory or external scanning.	Perform immediate version and configuration inventory.
Not exposed	PeopleSoft system is running version 8.60 or earlier, or has no external/internal network visibility on EMHub endpoints.	Validated version registry and network isolation rules.	Standard monitoring.

Detection and Hunting

Script: local repository and exported telemetry scope

#!/usr/bin/env python3
import os
import sys
import json
import subprocess
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-oracle-peoplesoft-cve-2026-35273-kev-scope"))
SINCE = "2026-06-12T00:00:00Z"
UNTIL = "2026-06-12T23:59:59Z"

PACKAGES = [
]
VERSIONS = [
]
FILES = [
]
DOMAINS = [
  "www.oracle.com",
  "www.mandiant.com",
  "www.cisa.gov",
]
URLS = [
  "https://www.oracle.com/security-alerts/",
  "https://www.mandiant.com/resources/blog",
  "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273",
  "https:///PSEMHUB/",
  "https:///PSIGW/HttpListeningConnector",
]
IPS = [
]
HASHES = [
]
PROCESS_PATTERNS = [
]
NETWORK_PATTERNS = [
]

# Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
# Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.

OUT.mkdir(parents=True, exist_ok=True)
indicators_file = OUT / "indicators.txt"

# Collect unique indicators
indicators = set()
for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Mitigation and Closure

Oracle recommends applying the June 2026 security updates for PeopleSoft PeopleTools 8.61 and 8.62. If patching cannot be completed immediately, apply the following mitigations:

1. Network Isolation: Block access to all EMHub / PSEMHUB endpoints (/PSEMHUB/) from outside your trusted administrative network.
2. Endpoint Disabling: If the Environment Management Hub is not actively used in production, disable the corresponding web application within the WebLogic configuration.
3. Verify Filesystem Integrity: Check the PeopleSoft web server directories for any newly created .jsp files or unexpected shell scripts, and verify running process lists for unauthorized remote access clients.

Close remediation only after:

• The system is updated to a non-vulnerable version of PeopleTools.
• Network security controls restrict access to PSEMHUB endpoints.
• A filesystem audit confirms no persistent shells or backdoors remain.

Machine-Readable Event Profile

{
  "event_id": "oracle-peoplesoft-cve-2026-35273-kev",
  "cve": "CVE-2026-35273",
  "vendor_severity": "critical",
  "cvss_v3_1": 9.8,
  "kev_added": "2026-06-12",
  "kev_due_date": "2026-07-03",
  "network_iocs": [
    "azurenetfiles.net"
  ],
  "file_hashes": [],
  "confidence": "high",
  "last_verified": "2026-06-12"
}

Sources

1. Oracle: Security Alerts and Advisories - Role: DIRECT_SOURCE - Impact: Vulnerability details, CVSS scores, affected software versions, and official patching solutions.
2. CISA: KEV Catalog Entry for CVE-2026-35273 - Role: GOVERNMENT_SOURCE - Impact: Active exploitation confirmation, KEV date, and federal remediation requirements.
3. Mandiant: Zero-Day Exploitation of Oracle PeopleSoft by UNC6240 - Role: PRIMARY_RESEARCH - Impact: Campaign timeline, threat actor details, higher education focus, webshells, and persistence indicators.