Out-of-Band Alert · June 10, 2026 · Exploited in the Wild

CVE-2026-35273 — PeopleSoft Unauthenticated RCE

Oracle broke its patch cadence to ship an emergency fix for a CVSS 9.8 remote code execution flaw in PeopleSoft Enterprise PeopleTools. Attackers had a working exploit for roughly two weeks before the advisory existed. If you run PeopleTools 8.61 or 8.62 and have not patched, treat this as an active incident — not a backlog item.

CVSS 9.8
No authentication required
CISA KEV listed
CVE-2026-35273 At a Glance
ZERO-DAY
CVSS v3.1
9.8
Weakness
CWE-918
Orgs Notified
100+
Higher Education
68%
Affected PeopleTools Versions
PeopleTools 8.61Vulnerable
PeopleTools 8.62Vulnerable
Patched June 10, 2026Fix available
THREAT OVERVIEW

Why This Alert Demands Immediate Action

CVE-2026-35273 is an unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools, rated CVSS 9.8. The underlying weakness is a server-side request forgery (CWE-918) reached through unsafe deserialization of attacker-controlled data sent to the Environment Management Hub endpoint. No credentials are required. No user interaction is required.

What separates this from an ordinary critical patch is the sequence. Mandiant confirmed exploitation in the wild between May 27 and June 9, 2026 — before any advisory existed. Oracle published an out-of-band Security Alert with a patch on June 10, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 12. By the time most teams heard about it, the exploit had been in active use for two weeks.

The campaign is attributed to UNC6240, the financially motivated group publicly known as ShinyHunters. It was not opportunistic scanning: higher education was targeted deliberately, making up 68% of the more than 100 organisations notified. Stolen data began appearing on the group's leak site on June 9 — meaning exfiltration, not just access, is the demonstrated outcome.

CVSS Base Score
9.8
Critical
Authentication
None
Remotely exploitable
Days Exploited Pre-Patch
14
May 27 – June 9
CISA KEV
Listed
Added June 12, 2026
TIMELINE

How CVE-2026-35273 Unfolded

A zero-day is defined by the gap between exploitation and remediation. Here that gap was two weeks.

MAY 27, 2026
Exploitation begins

UNC6240 (ShinyHunters) starts exploiting the PSEMHUB endpoint in the wild. No advisory exists; no patch exists. Defenders have no signature to look for.

JUNE 9, 2026
Stolen data published

Data taken during the campaign appears on the ShinyHunters Data Leak Site — the first public signal for many victims that they had been compromised at all.

JUNE 10, 2026
Oracle ships an out-of-band Security Alert and patch

Oracle publishes the advisory and releases the fix the same day, six days ahead of the scheduled June CSPU. Breaking cadence is itself the severity signal.

JUNE 12, 2026
Added to CISA KEV

Inclusion in the Known Exploited Vulnerabilities catalog places binding remediation deadlines on US federal agencies and raises the bar for everyone else's due diligence.

JUNE 16, 2026
June 2026 CSPU follows

Oracle's scheduled monthly CSPU lands with 245 patches across 11 product families. See the June 2026 CSPU analysis.

AFFECTED COMPONENTS

What Is Vulnerable, and Where

The exploit path runs through PeopleSoft's Environment Management Hub — a component many estates expose more widely than they intend.

Attribute Detail
CVECVE-2026-35273
ProductOracle PeopleSoft Enterprise PeopleTools
Affected versionsPeopleTools 8.61, 8.62
CVSS v3.1 base score9.8 (Critical)
Weakness classCWE-918 — Server-Side Request Forgery
Root causeUnsafe deserialization of attacker-controlled data
Vulnerable endpoints/PSEMHUB/hub · /PSIGW/HttpListeningConnector
Authentication requiredNone
ImpactRemote code execution; demonstrated data exfiltration
Patch availabilityOracle Security Alert, June 10, 2026
Patching alone does not answer the compromise question

Because exploitation preceded the patch by two weeks, applying the fix closes the door but tells you nothing about whether someone already walked through it. Any estate running PeopleTools 8.61 or 8.62 that was reachable from untrusted networks between May 27 and June 10 warrants a compromise assessment, not just a patch record.

RESPONSE

Immediate Action Plan

Ordered for an estate that has not yet patched. If you applied the June 10 fix on release, start at step 4.

STEP 1 — PATCH
Apply the June 10 Oracle Security Alert patch

Oracle characterises this as emergency risk reduction. Do not wait for the July 21 cumulative CPU. PeopleTools 8.61 and 8.62 both have fixes available.

STEP 2 — RESTRICT
Cut off reachability to the vulnerable endpoints

If you cannot patch immediately, disable the Environment Management Hub service and block external access to /PSEMHUB/hub and /PSIGW/HttpListeningConnector. These are compensating controls, not a fix.

STEP 3 — HUNT
Look for evidence of prior exploitation

Monitor and retrospectively review outbound SMB traffic on port 445 and requests to the PSEMHUB endpoint across the May 27 – June 10 window. Absence of alerts is not absence of compromise when no signature existed at the time.

STEP 4 — VALIDATE
Regression-test integration and identity flows

The patch touches the integration gateway and environment management paths. Validate inbound/outbound integration messaging, SSO, and any middleware routing that traverses PSIGW before declaring the change complete.

FAQ

CVE-2026-35273 FAQs

What is CVE-2026-35273?

CVE-2026-35273 is a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools, rated CVSS 9.8. It stems from a server-side request forgery weakness (CWE-918) caused by unsafe deserialization of attacker-controlled data sent to the Environment Management Hub endpoint.

Which PeopleTools versions are affected?

PeopleTools 8.61 and 8.62. Oracle released fixes for both in an out-of-band Security Alert on June 10, 2026.

Is CVE-2026-35273 being exploited in the wild?

Yes. Mandiant confirmed zero-day exploitation between May 27 and June 9, 2026 — approximately two weeks before Oracle's advisory. CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 12, 2026.

Who is behind the CVE-2026-35273 attacks?

The campaign is attributed to UNC6240, the financially motivated threat group publicly known as ShinyHunters. It heavily targeted higher education: 68% of the 100-plus notified organisations were universities and colleges. Stolen data was published on the group's leak site beginning June 9, 2026.

What if we cannot patch immediately?

Apply compensating controls: disable the Environment Management Hub service, block external access to the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints, and monitor outbound SMB traffic on port 445. These reduce reachability but do not remediate the vulnerability — the patch remains necessary.

Does the July 2026 CPU cover CVE-2026-35273?

The quarterly CPU on July 21, 2026 is cumulative and includes prior fixes. However, waiting for it means leaving an actively exploited, unauthenticated RCE open for weeks. Oracle issued this fix out-of-band precisely so customers would not wait for the quarterly cycle.

Are Oracle Fusion Cloud customers affected?

This vulnerability is specific to PeopleSoft Enterprise PeopleTools, not Oracle Fusion Cloud Applications. Organisations running both — common in higher education and public sector — should confirm their PeopleSoft estate separately, since Fusion Cloud patching cadence tells you nothing about PeopleTools exposure.

Know Your Oracle Patch Exposure Before the Next Zero-Day

SyntraFlow Release Intelligence maps every Oracle security advisory against your actual environment and auto-composes the regression packs needed to validate each patch — so emergency patching does not mean unplanned downtime.

Release Intelligence Separately-licensed SyntraFlow module

How SyntraFlow Release Intelligence Works

Release Intelligence is a SyntraFlow module that is licensed and priced separately from the core SyntraFlow test automation platform. It pinpoints exactly what each Oracle Fusion quarterly release or critical patch will affect in your tenant — and produces the test scenarios needed to validate it. The workflow runs in five connected steps:

  1. Connects to your Oracle Fusion environment. A secure read-only connection to your live Oracle Fusion tenant ingests setup data, security model, and live transactions — no manual exports, no spreadsheets.
  2. Scans your complete configuration with Config Intelligence. Config Intelligence snapshots every setup object (FSM tasks, profile options, BPM rules, descriptive flexfields, security policies) and compares it against the incoming release.
  3. Reads master & transaction data via DataVault. DataVault profiles your real master data and live transactions so impact analysis is grounded in what your business actually runs — not generic Oracle samples.
  4. Produces a detail-level Impact Map. Cross-references the release notes against your configuration and data to highlight which features, flows, integrations, and reports are at risk — down to the line-level setting or seeded role that changed. See Release Impact Analysis.
  5. Generates test scenarios & remediation report. Outputs ready-to-execute test cases targeting each impacted area, plus a remediation report with the exact steps to update your setup or data so the patch goes live with minimum disruption. Run them with Patch Testing Automation.

Licensing note: Release Intelligence is a standalone SyntraFlow module available as its own subscription, or as an add-on to the SyntraFlow test automation platform. Pricing is separate from the core platform — contact us for module pricing and bundling options.