CVE-2026-35273 — PeopleSoft Unauthenticated RCE
Oracle broke its patch cadence to ship an emergency fix for a CVSS 9.8 remote code execution flaw in PeopleSoft Enterprise PeopleTools. Attackers had a working exploit for roughly two weeks before the advisory existed. If you run PeopleTools 8.61 or 8.62 and have not patched, treat this as an active incident — not a backlog item.
Why This Alert Demands Immediate Action
CVE-2026-35273 is an unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools, rated CVSS 9.8. The underlying weakness is a server-side request forgery (CWE-918) reached through unsafe deserialization of attacker-controlled data sent to the Environment Management Hub endpoint. No credentials are required. No user interaction is required.
What separates this from an ordinary critical patch is the sequence. Mandiant confirmed exploitation in the wild between May 27 and June 9, 2026 — before any advisory existed. Oracle published an out-of-band Security Alert with a patch on June 10, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 12. By the time most teams heard about it, the exploit had been in active use for two weeks.
The campaign is attributed to UNC6240, the financially motivated group publicly known as ShinyHunters. It was not opportunistic scanning: higher education was targeted deliberately, making up 68% of the more than 100 organisations notified. Stolen data began appearing on the group's leak site on June 9 — meaning exfiltration, not just access, is the demonstrated outcome.
How CVE-2026-35273 Unfolded
A zero-day is defined by the gap between exploitation and remediation. Here that gap was two weeks.
UNC6240 (ShinyHunters) starts exploiting the PSEMHUB endpoint in the wild. No advisory exists; no patch exists. Defenders have no signature to look for.
Data taken during the campaign appears on the ShinyHunters Data Leak Site — the first public signal for many victims that they had been compromised at all.
Oracle publishes the advisory and releases the fix the same day, six days ahead of the scheduled June CSPU. Breaking cadence is itself the severity signal.
Inclusion in the Known Exploited Vulnerabilities catalog places binding remediation deadlines on US federal agencies and raises the bar for everyone else's due diligence.
Oracle's scheduled monthly CSPU lands with 245 patches across 11 product families. See the June 2026 CSPU analysis.
What Is Vulnerable, and Where
The exploit path runs through PeopleSoft's Environment Management Hub — a component many estates expose more widely than they intend.
| Attribute | Detail |
|---|---|
| CVE | CVE-2026-35273 |
| Product | Oracle PeopleSoft Enterprise PeopleTools |
| Affected versions | PeopleTools 8.61, 8.62 |
| CVSS v3.1 base score | 9.8 (Critical) |
| Weakness class | CWE-918 — Server-Side Request Forgery |
| Root cause | Unsafe deserialization of attacker-controlled data |
| Vulnerable endpoints | /PSEMHUB/hub · /PSIGW/HttpListeningConnector |
| Authentication required | None |
| Impact | Remote code execution; demonstrated data exfiltration |
| Patch availability | Oracle Security Alert, June 10, 2026 |
Because exploitation preceded the patch by two weeks, applying the fix closes the door but tells you nothing about whether someone already walked through it. Any estate running PeopleTools 8.61 or 8.62 that was reachable from untrusted networks between May 27 and June 10 warrants a compromise assessment, not just a patch record.
Immediate Action Plan
Ordered for an estate that has not yet patched. If you applied the June 10 fix on release, start at step 4.
Oracle characterises this as emergency risk reduction. Do not wait for the July 21 cumulative CPU. PeopleTools 8.61 and 8.62 both have fixes available.
If you cannot patch immediately, disable the Environment Management Hub service and block external access to /PSEMHUB/hub and /PSIGW/HttpListeningConnector. These are compensating controls, not a fix.
Monitor and retrospectively review outbound SMB traffic on port 445 and requests to the PSEMHUB endpoint across the May 27 – June 10 window. Absence of alerts is not absence of compromise when no signature existed at the time.
The patch touches the integration gateway and environment management paths. Validate inbound/outbound integration messaging, SSO, and any middleware routing that traverses PSIGW before declaring the change complete.
CVE-2026-35273 FAQs
CVE-2026-35273 is a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools, rated CVSS 9.8. It stems from a server-side request forgery weakness (CWE-918) caused by unsafe deserialization of attacker-controlled data sent to the Environment Management Hub endpoint.
PeopleTools 8.61 and 8.62. Oracle released fixes for both in an out-of-band Security Alert on June 10, 2026.
Yes. Mandiant confirmed zero-day exploitation between May 27 and June 9, 2026 — approximately two weeks before Oracle's advisory. CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 12, 2026.
The campaign is attributed to UNC6240, the financially motivated threat group publicly known as ShinyHunters. It heavily targeted higher education: 68% of the 100-plus notified organisations were universities and colleges. Stolen data was published on the group's leak site beginning June 9, 2026.
Apply compensating controls: disable the Environment Management Hub service, block external access to the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints, and monitor outbound SMB traffic on port 445. These reduce reachability but do not remediate the vulnerability — the patch remains necessary.
The quarterly CPU on July 21, 2026 is cumulative and includes prior fixes. However, waiting for it means leaving an actively exploited, unauthenticated RCE open for weeks. Oracle issued this fix out-of-band precisely so customers would not wait for the quarterly cycle.
This vulnerability is specific to PeopleSoft Enterprise PeopleTools, not Oracle Fusion Cloud Applications. Organisations running both — common in higher education and public sector — should confirm their PeopleSoft estate separately, since Fusion Cloud patching cadence tells you nothing about PeopleTools exposure.
Know Your Oracle Patch Exposure Before the Next Zero-Day
SyntraFlow Release Intelligence maps every Oracle security advisory against your actual environment and auto-composes the regression packs needed to validate each patch — so emergency patching does not mean unplanned downtime.
How SyntraFlow Release Intelligence Works
Release Intelligence is a SyntraFlow module that is licensed and priced separately from the core SyntraFlow test automation platform. It pinpoints exactly what each Oracle Fusion quarterly release or critical patch will affect in your tenant — and produces the test scenarios needed to validate it. The workflow runs in five connected steps:
- Connects to your Oracle Fusion environment. A secure read-only connection to your live Oracle Fusion tenant ingests setup data, security model, and live transactions — no manual exports, no spreadsheets.
- Scans your complete configuration with Config Intelligence. Config Intelligence snapshots every setup object (FSM tasks, profile options, BPM rules, descriptive flexfields, security policies) and compares it against the incoming release.
- Reads master & transaction data via DataVault. DataVault profiles your real master data and live transactions so impact analysis is grounded in what your business actually runs — not generic Oracle samples.
- Produces a detail-level Impact Map. Cross-references the release notes against your configuration and data to highlight which features, flows, integrations, and reports are at risk — down to the line-level setting or seeded role that changed. See Release Impact Analysis.
- Generates test scenarios & remediation report. Outputs ready-to-execute test cases targeting each impacted area, plus a remediation report with the exact steps to update your setup or data so the patch goes live with minimum disruption. Run them with Patch Testing Automation.
Licensing note: Release Intelligence is a standalone SyntraFlow module available as its own subscription, or as an add-on to the SyntraFlow test automation platform. Pricing is separate from the core platform — contact us for module pricing and bundling options.