ADVISORY SUMMARY
CVE-2026-35273 is a critical (CVSS 9.8), unauthenticated RCE vulnerability in the Oracle PeopleSoft PeopleTools Environment Management Hub (PSEMHUB) component affecting PeopleTools 8.61 and 8.62. ShinyHunters (Mandiant/Google: UNC6240) exploited it as a zero-day between May 27 and June 9, 2026 — two weeks before Oracle's advisory — breaching 300+ PeopleSoft instances at 100+ organizations, predominantly universities (68% of victims). The University of Nottingham confirmed 455,000 student records exfiltrated. The attack chain deployed MeshCentral agents masquerading as Azure services, used fanout shell scripts for lateral movement, and leveraged credential extraction from psappsrv.cfg. CISA added CVE-2026-35273 to the KEV catalog on June 12, 2026.
AFFECTED SYSTEMS
MITIGATION GUIDANCE
- Apply Oracle's out-of-band patch via My Oracle Support (Patch Availability Document CPU187) immediately; do not wait for the next quarterly CPU.
- Disable the Environment Management Hub (EMHub) Service in multi-server configurations, or completely remove the PSEMHUB application in single-server configurations.
- If EMHub cannot be disabled, block all external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter/firewall.
- Rotate all PeopleSoft administrative credentials (psoft, oracle, linuxadm) and credentials stored in psappsrv.cfg.
- Isolate PeopleSoft web and application servers from direct internet access.
DETECTION SIGNATURES
- Search PeopleSoft and web server directories for README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT (confirms successful breach).
- Check logs for connections from known ShinyHunters IPs: 142.11.200[.]186-190, 108.174.202[.]99, 176.120.22[.]24.
- Monitor for outbound SMB traffic (TCP port 445) from PeopleSoft hosts to external destinations (NetNTLM hash capture indicator).
- Hunt for MeshCentral agent processes (meshagent64-azure-ops.exe or similar) and C2 beaconing to azurenetfiles[.]net.
- Review bash history on PeopleSoft Linux hosts for zstd compression and SSH lateral movement commands.
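One way to run the access-log checks above, as an added example that is not part of the original advisory or any vendor tooling. The IPs and paths come from the advisory text; the function names, the `INTERNAL` ranges, the Common Log Format assumption and the sample records are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

def expand(defanged):
    """Refang 'a.b.c[.]d' and expand a trailing 'lo-hi' last-octet range (read as inclusive)."""
    prefix, _, last = defanged.replace("[.]", ".").rpartition(".")
    lo, _, hi = last.partition("-")
    return {ipaddress.ip_address(f"{prefix}.{n}") for n in range(int(lo), int(hi or lo) + 1)}

# Source IPs and paths exactly as the advisory lists them.
IOC_IPS = set().union(*map(expand, ["142.11.200[.]186-190", "108.174.202[.]99", "176.120.22[.]24"]))
EMHUB_PATH = re.compile(r"^/(PSEMHUB(/|$)|PSIGW/HttpListeningConnector)", re.I)
# Assumption: sources that count as internal; replace with the site's own ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: access logs in Common/Combined Log Format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def triage(lines):
    """Return (line number, source, method, path, reasons) for each record that hits an indicator."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not an access-log record
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or junk in the client field
        # Drop the query string, then percent-decode so encoded paths still match.
        path = unquote(m["path"].split("?", 1)[0])
        reasons = ["ioc_ip"] if src in IOC_IPS else []
        if EMHUB_PATH.match(path) and not any(src in net for net in INTERNAL):
            reasons.append("external_emhub_request")
        if reasons:
            findings.append((lineno, str(src), m["method"], path, reasons))
    return findings

# Constructed sample records, not real traffic; 203.0.113.7 is a documentation address.
SAMPLE = [
    '142.11.200.187 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/example HTTP/1.1" 200 512',
    '10.20.0.5 - - [28/May/2026:03:15:00 +0000] "GET /PSEMHUB/example HTTP/1.1" 200 128',
    '203.0.113.7 - - [29/May/2026:11:02:41 +0000] "POST /%50SIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0',
    '176.120.22.24 - - [30/May/2026:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'malformed line without the expected fields',
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A hit on `external_emhub_request` alone means the hub or gateway listener is reachable from outside, which the mitigation guidance says to block even when the source is not a listed IP.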
INDICATORS OF COMPROMISE
REFERENCES
- https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273/
- https://nvd.nist.gov/vuln/detail/CVE-2026-35273