Oracle PeopleSoft under attack, urgent out-of-band security alert issued

Summary
– A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 (and potentially earlier, unsupported releases) is being exploited in the wild; it is remotely exploitable without authentication and can lead to remote code execution.
– Oracle issued an out-of-band security alert about the flaw, but the patch availability document it points to is restricted to customers with an active support account, so it is unclear whether a fix can be obtained.
– The ShinyHunters extortion group claims to have breached Oracle PeopleSoft servers and stolen data from more than 100 organizations, mostly educational institutions, by chaining old and zero-day vulnerabilities.
– Mandiant and Google Threat Intelligence Group confirmed that ShinyHunters (tracked as UNC6240) exploited CVE-2026-35273 as a zero-day between May 27 and June 9, 2026, before Oracle's June 10 advisory.
– Mitigations include disabling the Environment Management Hub (EMHub) Service, removing the PSEMHUB application, or blocking external access to the /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints, as no patch has been confirmed available.
A critical zero-day vulnerability in Oracle PeopleSoft PeopleTools, tracked as CVE-2026-35273, is under active exploitation, according to a warning issued today by Charles Carmakal, CTO of Google Cloud's Mandiant cybersecurity division.
The alert follows an out-of-band security advisory that Oracle published a day earlier. The flaw is remotely exploitable without authentication and could lead to remote code execution. It affects PeopleSoft PeopleTools versions 8.61 and 8.62, and potentially earlier, unsupported releases.
Oracle credited researchers from TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability. The advisory directs customers to a “patch availability document,” but it remains unclear whether a fix is currently accessible. That document is restricted to users with an active support account.
Help Net Security has contacted Oracle for confirmation regarding active exploitation of CVE-2026-35273 but has not yet received a response.
ShinyHunters targeting PeopleSoft environments
Oracle’s advisory arrived on the same day Bleeping Computer reported claims from the extortion group ShinyHunters, alleging they have breached Oracle PeopleSoft servers and stolen data from more than 100 organizations.
According to the group, the victims are primarily educational institutions. Their PeopleSoft instances, whether hosted on-premises or in the cloud, were compromised using a “gadget chain” of both old and zero-day vulnerabilities.
Among the confirmed victims is the University of Nottingham, which acknowledged a cybersecurity incident and stated it has directly notified affected students and alumni. ShinyHunters claimed responsibility for that breach and leaked tens of gigabytes of data, including personal information and academic records of nearly half a million current and former students.
A threat researcher has apparently corroborated ShinyHunters’ ongoing campaign against PeopleSoft instances after discovering exposed directories containing tools used in the attacks.
“At the /payorleak endpoint is stolen data from 20+ organizations, many named and others from 02 Jun and 04 Jun not yet named,” the researcher noted. “Inside the same bash history log is a purpose-built shell script (uon_fanout.sh) which spreads defacement markers across PeopleSoft infrastructure.”
The researcher added, “The code shows the attackers are very familiar with PeopleSoft; extracting creds from psappsrv.cfg (app server config), mapping all connected nodes, and identifying web/app/batch tiers.”
A list of IP addresses and domains linked to the attacks has also been shared, so PeopleSoft administrators and defenders can check web-tier and application-server logs for signs of compromise.
UPDATE (June 11, 2026, 05:15 p.m. ET):
Mandiant and the Google Threat Intelligence Group have confirmed that ShinyHunters (tracked as UNC6240) targeted Oracle PeopleSoft application infrastructure between May 27, 2026 and June 9, 2026. The activity “is consistent” with exploitation of CVE-2026-35273.
“The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints,” the researchers stated. “Because this activity predates Oracle’s June 10, 2026 advisory, the vulnerability was exploited as a zero-day.”
They revealed that more than 100 global organizations with potentially vulnerable endpoints have been notified. “While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters [data leaks site],” they added.
The researchers provided a detailed breakdown of attacker actions and tools, along with remediation and hardening guidance.
Although no patch for CVE-2026-35273 has been confirmed as available, PeopleSoft administrators can apply mitigations that reduce the exploitation risk: disable the Environment Management Hub (EMHub) Service in Multi-Server configurations, remove the PSEMHUB application in Single-Server configurations, or, if the EMHub Service cannot be disabled, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter or firewall. Because the activity Mandiant described predates the advisory, blocking the endpoints now should be paired with a review of past access to them.
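The two checks a PeopleSoft administrator would want from the passages above, the IOC review of access logs and the perimeter rule over /PSEMHUB/* and /PSIGW/HttpListeningConnector, share the same path set, so the following added example covers both. It is not code from Help Net Security, Oracle or Mandiant. It parses Combined Log Format access-log lines as written by Apache httpd or a typical reverse proxy, flags requests to the EMHub and Integration Gateway endpoints that arrive from outside the internal address ranges, flags any request from an address on the IOC list, and exposes the deny decision the perimeter rule is meant to implement so it can be tested before the rule goes live. The log lines, the IOC address and the internal ranges are constructed placeholders; substitute the published IOC list and your own ranges.

```python
"""
Triage PeopleSoft web-tier access logs for the endpoints named in Oracle's
mitigation guidance and check the perimeter deny policy for them.

Added example, not from Help Net Security, Oracle or Mandiant. All sample
data below is constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Endpoints Oracle's advisory says to block externally when EMHub cannot be
# disabled: /PSEMHUB/* is a prefix, the IGW listening connector is an exact
# servlet path. Query strings are stripped before matching.
BLOCKED_PREFIXES = ("/PSEMHUB/",)
BLOCKED_EXACT = ("/PSIGW/HttpListeningConnector",)

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input; real logs come from the PIA web tier or proxy.
SAMPLE_LOG = [
    '203.0.113.45 - - [02/Jun/2026:03:14:07 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.0.15 - - [02/Jun/2026:03:15:21 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 2048',
    '198.51.100.7 - - [02/Jun/2026:03:16:02 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9120',
    '203.0.113.45 - - [02/Jun/2026:03:17:44 +0000] "POST /PSIGW/HttpListeningConnector?Operation=x HTTP/1.1" 500 310',
    '192.0.2.99 - - [04/Jun/2026:11:02:13 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/x.GBL HTTP/1.1" 200 4410',
]
IOC_IPS = ["192.0.2.99"]  # constructed placeholder; use the published IOC list
INTERNAL_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # assumed ranges


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def is_blocked_path(path: str) -> bool:
    """True if the request path is one the mitigation says to block externally."""
    bare = path.split("?", 1)[0]
    if bare in BLOCKED_EXACT:
        return True
    return any(bare == p.rstrip("/") or bare.startswith(p) for p in BLOCKED_PREFIXES)


def is_internal(ip: str, internal_cidrs) -> bool:
    """True if the source address falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed address: treat as untrusted
        return False
    return any(addr in ipaddress.ip_network(c) for c in internal_cidrs)


def perimeter_denies(ip: str, path: str, internal_cidrs) -> bool:
    """The policy the perimeter rule must implement: deny EMHub/IGW paths
    unless the request comes from an internal range."""
    return is_blocked_path(path) and not is_internal(ip, internal_cidrs)


def scan_access_log(lines, internal_cidrs, ioc_ips):
    """Return the log entries that deserve a look: IOC sources anywhere, and
    external sources reaching the blocked endpoints."""
    iocs = set(ioc_ips)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        ip, path = m["ip"], m["path"]
        reasons = []
        if ip in iocs:
            reasons.append("ioc-ip")
        if perimeter_denies(ip, path, internal_cidrs):
            reasons.append("external-emhub-access")
        if reasons:
            hits.append(Hit(ip, m["ts"], m["method"], path, int(m["status"]), "+".join(reasons)))
    return hits


def main():
    for h in scan_access_log(SAMPLE_LOG, INTERNAL_CIDRS, IOC_IPS):
        print(f"{h.ts}  {h.ip:<15} {h.method:<4} {h.status}  {h.path}  [{h.reason}]")


if __name__ == "__main__":
    main()
```

On the sample input the scan reports the two external hits on /PSEMHUB/hub and the connector (the internal administrator's POST to the same path is left alone) plus the IOC address on an unrelated path. A hit does not by itself mean exploitation, but any external request to these endpoints from before the block was applied is worth following into the application-server logs, and the same `perimeter_denies` decision can be used to confirm the rule behaves as intended once it is in place.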
(Source: Help Net Security)