VULNERABILITY OVERVIEW
A critical unauthenticated remote code execution vulnerability in the Updates Environment Management component (PSEMHUB) requires only HTTP network access with no user interaction. Mandiant (Google GTIG) confirmed active exploitation by ShinyHunters (UNC6240) as a zero-day between May 27 and June 9, 2026 — 14 days before Oracle's advisory — resulting in confirmed breaches at over 100 organizations, 68% in higher education, including the University of Nottingham (455,000 students' PII exfiltrated). ShinyHunters chained this with CVE-2026-35278 (CVSS 9.8) to achieve lateral movement, credential harvesting, and extortion.
CVSS BREAKDOWN
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope / Impact: CHANGED, C:H · I:H · A:H
AFFECTED VERSIONS
PeopleSoft Enterprise PeopleTools 8.61 and 8.62 (earlier unsupported versions may also be affected)
CITATIONS
- → https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
- → https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- → https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
- → https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/