
A critical zero-day remote code execution vulnerability, CVE-2026-35273, in Oracle PeopleSoft Enterprise PeopleTools was actively exploited in the wild by the ShinyHunters (UNC6240) threat actor before Oracle's June 10, 2026 security patch. Classified under CWE-306 (Missing Authentication for Critical Function), the flaw requires no credentials and allows full system takeover over HTTP. More than 100 organizations were targeted, with breaches confirmed across the higher education sector, stolen data exfiltrated, and extortion messages deployed. Patch immediately via Oracle's Security Alert.

CVE-2026-35273 · TA2026165 · PeopleTools 8.61, 8.62 · CWE-306

CVE-2026-35273 is a critical zero-day remote code execution (RCE) vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, affecting the Updates Environment Management component. Classified as CWE-306 (Missing Authentication for Critical Function), the flaw can be exploited remotely over HTTP with no valid credentials required, enabling an unauthenticated threat actor to gain full control of a vulnerable PeopleTools instance and achieve complete system compromise.

The vulnerability was actively exploited as a zero-day between May 27 and June 9, 2026, a 14-day window before Oracle released its security alert on June 10, 2026. The campaign has been attributed to the ShinyHunters threat actor group (also tracked as UNC6240). More than 100 organizations with vulnerable internet-facing PeopleSoft systems were identified and alerted, with a significant concentration in the higher education sector. While some organizations successfully blocked the intrusion attempts, others suffered confirmed data breaches, with stolen data subsequently published on the ShinyHunters data leak site.

The campaign highlights how a single exposed Oracle PeopleSoft instance with the Environment Management Hub (PSEMHUB) or Integration Broker endpoints accessible from the internet can serve as the entry point for a full-scale enterprise compromise, including lateral movement via SSH credential spraying, data exfiltration, and extortion operations.
| CVE ID | Vulnerability Name | Affected Products | Affected CPE | CWE ID | Zero-Day | CISA KEV | Patch |
|---|---|---|---|---|---|---|---|
| CVE-2026-35273 | Oracle PeopleSoft PeopleTools Remote Code Execution Vulnerability | Oracle PeopleSoft Enterprise PeopleTools (versions 8.61, 8.62) | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:* | CWE-306 | ✓ Yes | ✗ No | ✓ Yes |
The five stages below document the complete technical anatomy of CVE-2026-35273, from the authentication bypass flaw in Oracle PeopleSoft's Updates Environment Management component through to the full post-exploitation intrusion chain attributed to ShinyHunters (UNC6240).

CVE-2026-35273 is a critical remote code execution vulnerability affecting the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. Classified as CWE-306 (Missing Authentication for Critical Function), it can be exploited remotely over HTTP without any valid credentials. A successful attack allows an unauthenticated attacker to gain control of the vulnerable PeopleTools instance, potentially resulting in complete system compromise with high impact across confidentiality, integrity, and availability.

Observed exploitation targets internet-exposed Environment Management Hub (PSEMHUB) and Integration Broker Listening Connector endpoints. The attack chain leverages Server-Side Request Forgery (SSRF) techniques to bypass access controls by manipulating internal or loopback addresses through request headers and parameters. In some observed cases, attackers triggered outbound SMB connections to capture Windows NetNTLM credential hashes. Persistence was established by planting malicious XML files that execute through XMLDecoder when the PeopleSoft application restarts.

Affected versions are PeopleTools 8.61 and 8.62. Oracle has indicated that older, unsupported releases are also likely vulnerable. Oracle PeopleSoft Enterprise Applications customers may additionally be impacted. Although the CVSS scope remains unchanged, the flaw carries severe consequence ratings across all three CIA pillars (confidentiality, integrity, and availability), enabling attackers to fully compromise targeted PeopleSoft environments without restriction.

Post-exploitation, the attackers deployed customized MeshCentral remote access tools on staging servers (meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe). Using these systems, they enumerated Oracle PeopleSoft environments, gathered configuration data, mapped internal networks, and executed lateral movement. Automated scripts sprayed SSH credentials against internal systems, deployed extortion ransom notes (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT), and collected sensitive data that was compressed and exfiltrated to infrastructure linked to the ShinyHunters public leak site.

The following prioritized mitigations must be applied immediately to all Oracle PeopleSoft deployments. Given active exploitation by ShinyHunters (UNC6240) and confirmed breaches, patching via Oracle's Security Alert is the only complete remediation for CVE-2026-35273.
Apply Oracle's patch for CVE-2026-35273 via the PeopleSoft Patch Availability Document immediately. Because this vulnerability is remotely exploitable without authentication and can result in full system takeover, Oracle classifies remediation as a high-priority risk reduction measure. Maintain actively supported PeopleTools versions and apply all Critical Patch Updates, Critical Security Patch Updates, and Security Alerts as they are released to prevent future zero-day exposure.

Restrict access to the PSEMHUB application as advised by Oracle's guidance. Restricting these endpoints is non-breaking for standard end-user operations: EMHub and the Integration Broker Listening Connector are administrative or system-to-system components not required for core user-facing PeopleSoft Internet Architecture browser sessions.

Block external access to /PSEMHUB/ (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Do not rely solely on Web Application Firewall body-inspection rules to enforce this restriction; the SSRF techniques used in real-world CVE-2026-35273 exploitation can bypass WAF controls.

Monitor for POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector originating from external or untrusted source IPs. Analyze listening connector requests for loopback addresses (127.0.0.1, localhost, ::1) or internal IP ranges in headers or parameters, which signal SSRF exploitation attempts. Monitor outbound firewall logs and NetFlow data for outbound SMB traffic on TCP port 445 from PeopleSoft hosts to untrusted external destinations, which may indicate NetNTLM hash-capture attempts linked to ShinyHunters (UNC6240) TTPs.

The following indicators are associated with the ShinyHunters (UNC6240) exploitation campaign targeting Oracle PeopleSoft CVE-2026-35273. Block these across endpoint, network, and DNS controls immediately.
| Type | Value |
|---|---|
| IPv4 | 142[.]11[.]200[.]186 |
| IPv4 | 142[.]11[.]200[.]187 |
| IPv4 | 142[.]11[.]200[.]188 |
| IPv4 | 142[.]11[.]200[.]189 |
| IPv4 | 142[.]11[.]200[.]190 |
| Domain | azurenetfiles[.]net |
| SHA256 | 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 |
| SHA256 | f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc |
| SHA256 | d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f |
| SHA256 | c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f |
| SHA256 | 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 |
| Filename | .bash_history |
| Filename | meshagent32-azure-ops.exe |
| Filename | meshagent64-azure-ops.exe |
| Filename | meshagent64-v2.exe |
| Filename | meshagent |
| Filename | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT |
| Filename | [victim_abbreviation]_fanout.sh |
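One way to implement the monitoring recommendation above (POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from untrusted sources, and loopback or internal addresses in headers or parameters as an SSRF signal), as an added example that is not part of the original advisory. The log format (combined log with X-Forwarded-For and Host appended as two quoted fields), the trusted network ranges and the sample lines are assumptions; the sample lines are constructed, not captured campaign traffic.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real campaign traffic). Assumed format: combined log
# with two extra quoted fields at the end, the X-Forwarded-For and Host headers.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:14:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "-" "-" "127.0.0.1"
10.20.30.40 - - [02/Jun/2026:10:15:11 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 2048 "-" "-" "-" "ps.internal.example"
198.51.100.9 - - [02/Jun/2026:10:16:45 +0000] "POST /PSIGW/HttpListeningConnector?target=http://localhost:8000/ HTTP/1.1" 200 310 "-" "-" "10.0.0.5" "::1"
192.0.2.55 - - [02/Jun/2026:10:17:03 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 9000 "-" "-" "-" "ps.example.edu"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)" "(?P<host>[^"]*)"$')
# Assumed internal ranges; replace with the networks that legitimately reach these endpoints.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def looks_internal(value):
    """True if a header/parameter value names localhost, a loopback or a private address."""
    host = value.strip()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    elif host.count(":") == 1:          # bare host:port (IPv6 literals have more colons)
        host = host.split(":")[0]
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private

def analyze(log_text, trusted_nets=TRUSTED_NETS):
    """One finding per PSEMHUB / Listening Connector request that is a POST from an
    untrusted source and/or carries an internal address in a header or parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not (url.path.startswith("/PSEMHUB/") or url.path == "/PSIGW/HttpListeningConnector"):
            continue
        reasons = []
        if m["method"] == "POST" and not any(ipaddress.ip_address(m["ip"]) in n for n in trusted_nets):
            reasons.append("POST to admin endpoint from untrusted source")
        values = [v for vs in parse_qs(url.query).values() for v in vs] + [m["xff"], m["host"]]
        if any(looks_internal(v) for v in values):
            reasons.append("loopback/internal address in header or parameter")
        if reasons:
            findings.append({"ip": m["ip"], "path": url.path, "reasons": reasons})
    return findings
```

The second sample line (a POST from an assumed-internal 10.x host with no internal address in its headers) produces no finding; the other two hits each trigger both rules.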
The following MITRE ATT&CK tactics, techniques, and sub-techniques are associated with the ShinyHunters (UNC6240) exploitation of CVE-2026-35273 against Oracle PeopleSoft Enterprise PeopleTools.
| Tactic | Technique ID | Sub-technique ID | Description |
|---|---|---|---|
| Initial Access | T1190 | — | Exploit Public-Facing Application — unauthenticated RCE via CVE-2026-35273 targeting internet-exposed PSEMHUB and Integration Broker endpoints in Oracle PeopleSoft Enterprise PeopleTools |
| Execution | T1059 | T1059.004 — Unix Shell | Command and Scripting Interpreter — automated scripts including [victim_abbreviation]_fanout.sh used to spray SSH credentials against internal systems, deploy extortion messages, and collect data |
| Defense Evasion | T1036 | T1036.005 — Match Legitimate Name or Location | Masquerading — MeshCentral remote access tools disguised as legitimate Microsoft Azure services using filenames meshagent32-azure-ops.exe and meshagent64-azure-ops.exe and the domain azurenetfiles[.]net |
| Discovery | T1018 | — | Remote System Discovery — internal network mapping and Oracle PeopleSoft environment enumeration performed post-compromise to support lateral movement |
| Discovery | T1083 | — | File and Directory Discovery — configuration details gathered from compromised PeopleSoft systems to support data collection and lateral movement operations |
| Lateral Movement | T1021 | T1021.004 — SSH | Remote Services — automated SSH credential spraying against internal systems across compromised enterprise infrastructure to expand attacker access |
| C2 | T1219 | — | Remote Access Software — customized MeshCentral remote management tools deployed on staging servers to maintain persistent command-and-control access across compromised networks |
| C2 | T1071 | T1071.001 — Web Protocols | Application Layer Protocol — MeshCentral C2 communications using web protocols, with infrastructure masquerading as Microsoft Azure services via azurenetfiles[.]net |
| Collection | T1560 | T1560.001 — Archive via Utility | Archive Collected Data — stolen data compressed using archive utilities prior to exfiltration from compromised Oracle PeopleSoft environments |
| Exfiltration | T1048 | — | Exfiltration Over Alternative Protocol — compressed stolen data transferred to ShinyHunters-controlled infrastructure linked to the group's public data leak site for extortion and public disclosure |
| Impact | T1491 | T1491.001 — Internal Defacement | Defacement — extortion ransom note README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT deployed on compromised systems as part of ShinyHunters' extortion campaign |
| Impact | T1657 | — | Financial Theft — exfiltrated sensitive organizational data leveraged for extortion demands; stolen data published on ShinyHunters data leak site to pressure victims into compliance |