June 12 Advisory: Oracle PeopleSoft PeopleTools Unauthenticated RCE [CVE-2026-35273]

Rapid Response

Vulnerability Description

CVE-2026-35273 is a critical (CVSS 9.8) missing-authentication vulnerability in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62. Oracle describes it as an easily exploitable flaw that lets an unauthenticated attacker with HTTP network access compromise PeopleTools with no credentials or user interaction required. Google’s Mandiant, which observed in-the-wild exploitation, characterizes the activity as remote code execution against the Environment Management Hub endpoint /PSEMHUB/hub. Oracle released an out-of-cycle Security Alert on June 10, 2026, ahead of its normal patch cycle.

PeopleTools is the platform layer beneath every PeopleSoft application (human resources, financials, and student records), and the Environment Management Hub is a PeopleTools component. Any internet-facing PeopleSoft signon surface is therefore running PeopleTools. The only factor separating a vulnerable instance from a non-vulnerable one is the PeopleTools version (8.61 or 8.62), which is not observable from the outside.

Mandiant attributes active exploitation to UNC6240, the extortion group tracked as ShinyHunters, with a confirmed exploitation window of May 27 to June 9, 2026, meaning the flaw was exploited as a zero-day before Oracle’s disclosure. Mandiant notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints, most US-based and 68% in higher education, and reports stolen data staged for extortion on a bulletproof-hosted leak site.
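The endpoint and exploitation window above can be turned into a simple hunt over web-server access logs. The following is an added example, not code from the advisory, Oracle or Mandiant: it parses constructed combined-format log lines, flags requests to /PSEMHUB/hub from sources outside an assumed trusted range, and marks whether each request falls inside the reported May 27 to June 9 window. The log format, the sample lines and the trusted range are assumptions.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.20.0.5 - - [01/Jun/2026:09:14:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "Java/1.8.0_381"
203.0.113.77 - - [03/Jun/2026:02:41:55 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 8192 "-" "python-requests/2.31"
198.51.100.9 - - [04/Jun/2026:11:03:17 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.77 - - [20/May/2026:23:59:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Confirmed exploitation window reported by Mandiant, used only as a triage hint:
# requests outside it are still reported, just not marked in_window.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 9, 23, 59, 59, tzinfo=timezone.utc)

# Assumption: internal ranges that legitimately talk to the EM hub (site-specific).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def hunt_psemhub(log_text):
    """Return /PSEMHUB/hub requests from untrusted sources, regardless of status code."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().startswith("/psemhub/hub"):
            continue
        src = ip_address(rec["ip"])
        if any(src in net for net in TRUSTED_NETS):
            continue
        rec["in_window"] = WINDOW_START <= rec["ts"] <= WINDOW_END
        hits.append(rec)
    return hits
```

Even a 404 from an external source is worth keeping, since the component may have been removed or moved after the fact and the probe itself is the signal.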

Figure: Breakdown of hosts by country

Field: CVE-ID
Description: CVE-2026-35273 — CVSS v3 9.8 (critical) — assigned by Oracle

Field: Vulnerability Description
Description: CVE-2026-35273 is a critical (CVSS 9.8) missing-authentication vulnerability in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62. According to Oracle, the flaw allows an unauthenticated attacker with HTTP network access to compromise PeopleTools with no credentials or user interaction required. Google’s Mandiant characterizes the activity as remote code execution against the Environment Management Hub endpoint /PSEMHUB/hub and has observed in-the-wild exploitation.

Field: Date of Disclosure
Description: June 11, 2026

Field: Affected Assets
Description: Oracle PeopleSoft Enterprise PeopleTools

Field: Vulnerable Software Versions
Description: Versions 8.61 and 8.62

Field: PoC Available
Description: No known public proof-of-concept at time of writing.

Field: Exploitation Status
Description: Active in the wild. Google/Mandiant attributes exploitation to UNC6240 (ShinyHunters), with a confirmed window of May 27 to June 9, 2026, exploited as a zero-day before Oracle’s disclosure.

Field: Patch Status
Description: Oracle published a fix in the Security Alert for CVE-2026-35273 (June 10, 2026). Patches are available through Oracle Support (support.oracle.com). No workaround is documented.

Censys ARC Perspective

As of June 12, 2026, Censys observes more than 40 distinct hosts (roughly 123 host and web interfaces) in our data that exhibit genuine PeopleSoft signals, namely PeopleSoft session cookies and signon-page markers. A broader search for PeopleSoft-branded pages returns around 1,500 hosts, but most of that is noise: decoy pages that spoof the “Oracle PeopleSoft” title while serving unrelated content. Filtering to systems that actually behave like PeopleSoft is what produces the figure above.

A majority of the genuine instances are in the United States, and many of the named, self-hosted deployments are higher education institutions, the same US-and-education skew Mandiant reports for the 100-plus organizations it notified (most US-based, 68% higher education). Censys data also corroborates the campaign’s infrastructure. The five staging and command-and-control nodes Mandiant published (AS54290 Hostwinds) share a single SSH host key. Pivoting on that key in Censys returns exactly those five hosts, confirming a cloned image.
