Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation

Suspected
Discovered Jun 12, 2026

CISA added actively exploited Oracle PeopleSoft PeopleTools CVE-2026-35273 to KEV on 2026-06-12. Affects PSEMHUB in versions 8.61 and 8.62, allowing unauthenticated remote code execution exploited by ShinyHunters.

0
Affected Packages
4
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
hXXps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273
azurenetfiles[.]net
hXXps://www[.]oracle[.]com/security-alerts/
hXXps://www[.]mandiant[.]com/resources/blog

Analysis

Executive Summary

Oracle Security Advisory documents CVE-2026-35273, a critical remote code execution (RCE) vulnerability in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. On affected systems, unauthenticated remote attackers can execute arbitrary code on the underlying server via crafted HTTP requests to the PeopleSoft Environment Management Hub (PSEMHUB) Oracle Security Alerts opens in a new tab.

Google Mandiant reports active zero-day exploitation of this vulnerability by the threat actor group ShinyHunters (tracked as UNC6240) between May 27, 2026, and June 9, 2026, targeting over 100 organizations with 300 PeopleSoft instances. Approximately 68% of the affected entities were in the higher education sector Mandiant Blog opens in a new tab. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-06-12, with a federal due date of 2026-07-03 CISA KEV opens in a new tab.

Key Facts

Cve: CVE-2026-35273

Vendor: Oracle

Product: PeopleSoft PeopleTools

Vulnerability Class: SSRF-to-RCE

Cwe: CWE-306

Vendor Severity: Critical

Cvss V3 1: 9.8

Required Configuration: PSEMHUB endpoint exposed to network traffic

Affected Versions:

  • 8.61
  • 8.62

Kev Added: 2026-06-12

Kev Due Date: 2026-07-03

Fixed Versions: Apply June 2026 Oracle Security Update

Last Verified: 2026-06-12

Evidence Assessment

Identify whether your PeopleSoft environment is running affected PeopleTools versions and exposing the Environment Management Hub.

  1. Check Version: Check psconfig.sh or query the database table PSSTATUS for the PeopleTools release level:
SELECT TOOLSREL FROM PSSTATUS;

If the version returned starts with 8.61 or 8.62, the environment is potentially vulnerable.

  1. Check Endpoint Accessibility: Verify if the PSEMHUB or Integration Gateway endpoint is publicly accessible:
curl -I -s -o /dev/null -w "%{http_code}\n" https://<peoplesoft-host>/PSEMHUB/
curl -I -s -o /dev/null -w "%{http_code}\n" https://<peoplesoft-host>/PSIGW/HttpListeningConnector

An HTTP status of 200 or 403 indicates the service path is reachable and requires network-level access control.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRequired action
Confirmed exploitationTelemetry or filesystem audit shows unauthorized PSEMHUB calls, deployed JSP webshells, or MeshCentral agents masquerading as Azure services.Access logs for /PSEMHUB/, file system paths for unexpected JSP scripts, or active connections to azurenetfiles.net.Isolate the affected server, revoke database credentials, preserve server memory/logs, and audit application data accesses.
Presumed exposedPeopleSoft PeopleTools versions 8.61 or 8.62 are active and the PSEMHUB endpoint is accessible.Version check (e.g. 8.61.x or 8.62.x) and network accessibility scan.Apply Oracle's official security updates immediately, and restrict EMHub access.
Potentially exposedPeopleSoft PeopleTools version or EMHub endpoint visibility is undetermined.System inventory or external scanning.Perform immediate version and configuration inventory.
Not exposedPeopleSoft system is running version 8.60 or earlier, or has no external/internal network visibility on EMHub endpoints.Validated version registry and network isolation rules.Standard monitoring.

Remediation and Closure

Oracle recommends applying the June 2026 security updates for PeopleSoft PeopleTools 8.61 and 8.62. If patching cannot be completed immediately, apply the following mitigations:

  1. Network Isolation: Block access to all EMHub / PSEMHUB endpoints (/PSEMHUB/) from outside your trusted administrative network.
  2. Endpoint Disabling: If the Environment Management Hub is not actively used in production, disable the corresponding web application within the WebLogic configuration.
  3. Verify Filesystem Integrity: Check the PeopleSoft web server directories for any newly created .jsp files or unexpected shell scripts, and verify running process lists for unauthorized remote access clients.

Close remediation only after:

  • The system is updated to a non-vulnerable version of PeopleTools.
  • Network security controls restrict access to PSEMHUB endpoints.
  • A filesystem audit confirms no persistent shells or backdoors remain.

Sources

  1. Oracle: Security Alerts and Advisories opens in a new tab - Role: DIRECT_SOURCE - Impact: Vulnerability details, CVSS scores, affected software versions, and official patching solutions.
  2. CISA: KEV Catalog Entry for CVE-2026-35273 opens in a new tab - Role: GOVERNMENT_SOURCE - Impact: Active exploitation confirmation, KEV date, and federal remediation requirements.
  3. Mandiant: Zero-Day Exploitation of Oracle PeopleSoft by UNC6240 opens in a new tab - Role: PRIMARY_RESEARCH - Impact: Campaign timeline, threat actor details, higher education focus, webshells, and persistence indicators.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 12, 2026First seenFirst seen recorded for Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation.mandiant.com
Jun 12, 2026Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day ExploitationUnknownmandiant.com
Jun 12, 2026DiscoveryDiscovery recorded for Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation.mandiant.com
Jun 12, 2026DisclosureDisclosure recorded for Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation.mandiant.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

4 IOCs
urlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273
domainazurenetfiles.net
urlhttps://www.oracle.com/security-alerts/
urlhttps://www.mandiant.com/resources/blog

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabmandiant.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-oracle-peoplesoft-cve-2026-35273-kev-scope"))

DOMAINS = ["azurenetfiles.net"]
URLS = ["https://www.oracle.com/security-alerts/","https://www.mandiant.com/resources/blog","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273"]

# Collect unique indicators
indicators = set()
for group in [DOMAINS, URLS]:
    for val in group:
        if val:
            indicators.add(val)

            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if "PACKAGES" in globals() and PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
mandiant.comSecurity Researcher95%1CISA added actively exploited Oracle PeopleSoft PeopleTools CVE-2026-35273 to KEV on 2026-06-12. Affects PSEMHUB in versions 8.61 and 8.62, allowing unauthenticated remote code execution exploited by ShinyHunters.
oracle.comSecurity Researcher95%1CISA added actively exploited Oracle PeopleSoft PeopleTools CVE-2026-35273 to KEV on 2026-06-12. Affects PSEMHUB in versions 8.61 and 8.62, allowing unauthenticated remote code execution exploited by ShinyHunters.
cisa.govSecurity Researcher95%1CISA added actively exploited Oracle PeopleSoft PeopleTools CVE-2026-35273 to KEV on 2026-06-12. Affects PSEMHUB in versions 8.61 and 8.62, allowing unauthenticated remote code execution exploited by ShinyHunters.