CVE-2026-35273 — Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability

Oracle PeopleSoft Enterprise PeopleTools — Pre-Auth SSRF/RCE via Unauthenticated PSEMHUB Endpoint, Exploited by ShinyHunters

What Is Oracle PeopleSoft?

Oracle PeopleSoft is a suite of enterprise resource planning (ERP) and human capital management (HCM) software used by governments, universities, hospitals, and large enterprises worldwide to manage HR, payroll, student records, financials, and supply chain operations. PeopleTools is the underlying development and runtime framework on which all PeopleSoft applications run — it handles authentication, integration, process scheduling, and application server management across the entire platform.

PeopleSoft deployments are high-value targets because they hold the most sensitive organizational data: employee records, salary information, student enrollment and financial aid data, healthcare patient records, and financial systems. Many deployments, particularly in higher education and government, have internet-facing integration endpoints to support remote access and third-party system connections.

Overview

CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in the Updates Environment Management (PSEMHUB) component of Oracle PeopleSoft PeopleTools. While classified as CWE-306, the underlying exploitation mechanism is Server-Side Request Forgery (SSRF): the PSEMHUB component processes requests without authenticating the caller, enabling an unauthenticated attacker to chain SSRF into remote code execution through backend integration endpoints.

The vulnerability was exploited as a zero-day from at least May 27, 2026 — more than two weeks before Oracle's June 10 patch. Mandiant attributed confirmed exploitation to UNC6240, tracked publicly as ShinyHunters, a financially motivated cybercriminal group. By the time Oracle published the patch, ShinyHunters had already compromised approximately 300 PeopleSoft instances across more than 100 organizations and published stolen data on their extortion site on June 9 — the day before the patch. CISA added it to the KEV catalog on June 12 with a three-day remediation deadline and ransomware attribution.

Affected Versions

Component          Vulnerable   Fixed
PeopleTools 8.61   All builds   June 10, 2026 emergency patch
PeopleTools 8.62   All builds   June 10, 2026 emergency patch

Oracle issued this patch out-of-band — outside its normal quarterly Critical Patch Update cycle — reflecting the severity and the active exploitation already under way at the time of discovery. Check Oracle support for patch availability across other PeopleTools branches.

Technical Details

The attack targets two endpoints in sequence. First, /PSEMHUB/hub — the unauthenticated PSEMHUB entry point — accepts requests without validating the caller's identity and can be made to issue server-side requests on the attacker's behalf. Second, that SSRF is directed at /PSIGW/HttpListeningConnector, an integration gateway endpoint used to trigger backend processing.

Through this chain, attackers can:

  • Trigger outbound SMB connections (TCP 445) to attacker-controlled hosts, capturing Windows NTLMv2 hashes from the PeopleSoft service account
  • Relay captured hashes using ntlmrelayx or similar tools to authenticate to other systems on the network
  • Achieve remote code execution on the PeopleSoft application server through the gadget chain

The /PSIGW/HttpListeningConnector path is also the shared attack surface for two legacy PeopleSoft vulnerabilities that ShinyHunters chained in observed attacks:

  • CVE-2013-3821 — XXE injection in PeopleSoft's integration gateway
  • CVE-2017-3548 — XXE via PeopleSoftServiceListeningConnector

Organizations with these legacy CVEs unpatched faced amplified exposure: the same endpoint reachable via the new zero-day also supported the older attack chains.

Post-exploitation activity observed by Mandiant and Trend Micro included: deployment of MeshCentral remote management agents disguised as Azure services, internal network reconnaissance, lateral movement scripts, and data exfiltration compressed with zstd. Detection signatures for the PSEMHUB exploitation path are available from TrendAI (IPS Rule 1012580, DDI Rule 5855).

Discovery

The vulnerability was discovered by TrendAI's Zero Day Initiative (ZDI) and reported to Oracle. Mandiant published threat attribution on June 11, 2026, identifying UNC6240 / ShinyHunters as the threat actor behind confirmed zero-day exploitation.

Exploitation Context

Threat actor: UNC6240 / ShinyHunters — a financially motivated cybercriminal group specializing in large-scale data theft and extortion. Mandiant tracked the campaign actor as UNC6240; the group publishes stolen data under the ShinyHunters brand.

Scale of confirmed exploitation:

  • ~300 PeopleSoft instances compromised across 100+ organizations
  • 68% of confirmed victims were universities and colleges — U.S. higher education was disproportionately targeted, consistent with PeopleSoft's dominance in university student information and HR systems
  • ShinyHunters published stolen data on June 9, 2026 — before Oracle had released a patch — eliminating any window for silent remediation before public disclosure

Post-exploitation chain observed: PSEMHUB SSRF → NTLMv2 hash capture → hash relay → code execution → MeshCentral RAT deployment → internal reconnaissance → zstd-compressed exfiltration.

The two-week gap between first exploitation (May 27) and Oracle's patch (June 10) gave ShinyHunters significant dwell time in victim environments. The public data publication on June 9 served as a pressure tactic in extortion negotiations, forcing victims to acknowledge breach before a patch was available.

Remediation

  1. Apply Oracle's emergency patch immediately. Install the out-of-band patch for PeopleTools 8.61 and 8.62 released June 10, 2026. Check Oracle support for additional branch coverage.
  2. Restrict internet access to PeopleSoft integration endpoints. Block external access to /PSEMHUB/, /PSIGW/, and related integration URLs at the perimeter. PeopleSoft integration endpoints should not be directly internet-facing without strict authentication enforcement.
  3. Patch legacy CVEs. If CVE-2013-3821 or CVE-2017-3548 are unpatched in your environment, apply those fixes immediately — they share the same attack surface and were chained in observed ShinyHunters attacks.
  4. Audit for MeshCentral agent deployment. Search for MeshCentral or unexpected remote management agents masquerading as Azure or cloud services processes. Remove any unauthorized remote management software.
  5. Hunt for NTLMv2 hash capture activity. Review network logs for unexpected outbound SMB (TCP 445) connections from PeopleSoft application servers. Any such connection to an external IP during the exposure window indicates hash capture attempts.
  6. Rotate service account credentials. If your PeopleSoft server had any internet-accessible integration endpoints between May 27 and June 10, treat all service account credentials as compromised. Rotate passwords and audit Active Directory for unauthorized authentication events.
  7. Review for lateral movement. Post-exploitation scripts observed in confirmed breaches targeted internal network resources from the PeopleSoft server foothold. Audit authentication logs across domain controllers and adjacent systems for anomalous access using PeopleSoft service account credentials.
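
As an added example (not Oracle, Mandiant or Trend Micro tooling), the Python below hunts for the chain described under Technical Details and for the indicators in steps 5 and 7: external requests to the /PSEMHUB/hub and /PSIGW/HttpListeningConnector paths in web access logs during the May 27 to June 10 exposure window, outbound TCP 445 from PeopleSoft application servers to external addresses in flow records, and the correlation of the two. The log formats, the server address and every sample log line are constructed assumptions, not data from any real incident.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Exposure window from the advisory: first known exploitation to Oracle's patch release.
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc), datetime(2026, 6, 10, 23, 59, 59, tzinfo=timezone.utc))
SUSPECT_PATHS = {"/PSEMHUB/hub", "/PSIGW/HttpListeningConnector"}  # paths named in the advisory
# RFC 1918 counts as internal; documentation ranges (203.0.113.x, 198.51.100.x, 192.0.2.x) stand in for external hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PEOPLESOFT_SERVERS = {"10.20.30.50"}  # PeopleSoft app server address (assumption)
# Constructed sample data (assumption): combined-format access log and "timestamp src dst dport proto" flows.
ACCESS_LOG = """\
203.0.113.9 - - [28/May/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.5 - - [28/May/2026:09:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 9001
192.0.2.44 - - [03/Jun/2026:14:02:31 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
198.51.100.7 - - [01/Jun/2026:11:45:12 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 300
203.0.113.9 - - [15/Jun/2026:03:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 404 0"""
FLOW_LOG = """\
2026-05-28T02:14:09Z 10.20.30.50 203.0.113.9 445 tcp
2026-05-28T02:15:00Z 10.20.30.50 10.20.30.10 445 tcp
2026-06-01T11:45:15Z 10.20.30.50 198.51.100.7 445 tcp"""
# Combined log format: client ident user [time] "method path protocol" status size
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def is_internal(ip): return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
def in_window(ts): return WINDOW[0] <= ts <= WINDOW[1]

def external_hits(access_log):
    """External requests to the PSEMHUB/PSIGW paths inside the exposure window (endpoint exposure check)."""
    hits = []
    for m in filter(None, map(ACCESS_RE.match, access_log.splitlines())):
        src, ts_raw, path, status = m.groups()
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S %z")
        if path.split("?")[0] in SUSPECT_PATHS and in_window(ts) and not is_internal(src):
            hits.append((src, path, int(status)))
    return hits

def outbound_smb(flow_log, servers=PEOPLESOFT_SERVERS):
    """Outbound TCP 445 from PeopleSoft servers to external IPs in the window: possible NTLMv2 hash capture."""
    findings = []
    for ts_raw, src, dst, dport, proto in (line.split() for line in flow_log.splitlines()):
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        if src in servers and (dport, proto) == ("445", "tcp") and not is_internal(dst) and in_window(ts):
            findings.append((src, dst))
    return findings

def correlate(access_log, flow_log, servers=PEOPLESOFT_SERVERS):
    """Endpoint hits whose source also received SMB from a PeopleSoft server: the SSRF-to-hash-capture chain."""
    smb_dsts = {dst for _, dst in outbound_smb(flow_log, servers)}
    return [h for h in external_hits(access_log) if h[0] in smb_dsts]
```

A correlated hit means the same external address both reached an integration endpoint and received an SMB connection back from the server, which is the hash-capture pattern step 5 describes; an uncorrelated hit still warrants review for the exposure in step 2.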

Key Details

Property              Value
CVE ID                CVE-2026-35273
Vendor / Product      Oracle — PeopleSoft Enterprise PeopleTools
NVD Published         2026-06-11
NVD Last Modified     2026-06-12
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-306
CISA KEV Added        2026-06-12
CISA KEV Deadline     2026-06-15
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-06-15. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA's "Forensics Triage Requirements" (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

Date         Event
2026-05-27   Active zero-day exploitation begins; earliest confirmed date per Mandiant threat intelligence
2026-06-09   ShinyHunters (UNC6240) publishes stolen data from 100+ organizations on their data leak site, before an Oracle patch exists
2026-06-10   Oracle releases out-of-band emergency patch for PeopleTools 8.61 and 8.62
2026-06-11   Oracle security alert published; Mandiant publishes threat attribution report identifying UNC6240 / ShinyHunters; CVE assigned
2026-06-12   Added to CISA Known Exploited Vulnerabilities catalog
2026-06-15   CISA BOD 22-01 remediation deadline