Oracle has issued an emergency out-of-band Security Alert for a critical unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools, tracked as CVE-2026-35273 with a CVSS score of 9.8. The flaw resides in the Environment Management component (PSEMHUB) and allows a remote, unauthenticated attacker with HTTP/HTTPS access to fully compromise the underlying server, with no user interaction required. Google Mandiant has confirmed active zero-day exploitation between 27 May and 9 June 2026, prior to Oracle’s public disclosure on 10 June 2026. The ShinyHunters extortion group (tracked by Mandiant as UNC6240) has claimed responsibility for breaching more than 100 organisations across approximately 300 vulnerable PeopleSoft instances, with universities accounting for the majority of victims, including the theft of student personal data, billing records, and academic records. Oracle has released emergency mitigation guidance but has not yet issued a full patch. PeopleTools versions 8.61 and 8.62 are confirmed to be affected. UAE and MENA organisations running Oracle PeopleSoft must apply the emergency mitigations immediately and treat any internet-facing PeopleSoft Environment Management Hub as a critical exposure.
CVE-2026-35273 is a missing authentication check (CWE-306) in the Environment Management component of Oracle PeopleSoft Enterprise PeopleTools, specifically affecting the Environment Management Hub (PSEMHUB). The flaw allows a remote attacker to send crafted HTTP/HTTPS requests to the exposed component without any authentication, ultimately achieving arbitrary remote code execution on the underlying application server. Because PSEMHUB is often reachable from external networks in default or legacy configurations, any internet-facing PeopleSoft instance running PeopleTools 8.61 or 8.62 is directly exposed to full system takeover.
ShinyHunters (UNC6240) reportedly chained this zero-day with other older flaws in a multi-step gadget chain to achieve full server compromise, after which they exfiltrated databases containing personal records, billing information, and academic records from victim PeopleSoft environments. Part of the attack chain also generates outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations. This activity is believed to be used to capture machine-account NetNTLM hashes for further lateral movement. Oracle has confirmed the affected versions as PeopleTools 8.61 and 8.62, with PeopleSoft Enterprise Applications also potentially impacted.
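One way to hunt for the outbound SMB behaviour described above, as an added example that is not from Oracle, Mandiant or the original advisory: it scans flow records for TCP/445 connections from PeopleSoft hosts to destinations outside the internal ranges. The log format, host inventory, internal ranges and sample records are constructed assumptions to adapt to your own firewall or NetFlow export.

```python
import ipaddress

# Constructed sample flow records: time src dst dst_port proto action
SAMPLE_FLOWS = """\
2026-06-01T02:14:07Z 10.20.5.11 10.20.9.40 445 tcp allow
2026-06-01T02:14:09Z 10.20.5.11 203.0.113.77 445 tcp allow
2026-06-01T02:15:30Z 10.20.5.12 198.51.100.23 443 tcp allow
2026-06-01T02:16:02Z 10.20.7.90 203.0.113.77 445 tcp allow
2026-06-01T02:17:45Z 10.20.5.12 198.51.100.23 445 tcp deny
malformed line
"""

# Assumed inventory of PeopleSoft web/app server addresses (placeholders).
PEOPLESOFT_HOSTS = {"10.20.5.11", "10.20.5.12"}
# Assumed internal ranges. Listed explicitly because ipaddress.is_private
# also covers documentation ranges and may not match a site's address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when ip is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text, hosts=PEOPLESOFT_HOSTS):
    """Return TCP/445 flows from PeopleSoft hosts to external destinations."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records instead of aborting the hunt
        ts, src, dst, port, proto, action = fields
        try:
            external = is_external(dst)
        except ValueError:
            continue  # destination field is not an IP address
        if src in hosts and port == "445" and proto == "tcp" and external:
            # Denied flows are kept too: the host still attempted the connection.
            hits.append({"time": ts, "src": src, "dst": dst, "action": action})
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_FLOWS):
        print(hit)
```

An allowed hit means authentication material may have left the network, while a denied hit still marks the source host for triage.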
Ease of Exploitation:
CVE-2026-35273 is rated as one of the most easily exploitable critical flaws of 2026. It requires no authentication, no credentials, and no user interaction; an attacker only needs network access to the PeopleSoft Environment Management Hub over HTTP or HTTPS to achieve full remote code execution. Mandiant CTO Charles Carmakal confirmed the gadget-chain attack path and noted that this was one of two zero-days being actively exploited in the wild at the time of disclosure. ShinyHunters has demonstrated mass exploitation capability, breaching more than 100 organisations across approximately 300 instances in under two weeks before the vulnerability was publicly disclosed. UAE and MENA organisations running Oracle PeopleSoft as core ERP, HR, or campus management platforms must treat this as an emergency event.
Conclusion:
CVE-2026-35273 represents a critical, actively exploited threat to any organisation running Oracle PeopleSoft Enterprise PeopleTools 8.61 or 8.62 with internet-facing Environment Management components. The combination of zero-day exploitation, the absence of authentication requirements, full remote code execution, and confirmed mass-breach activity by ShinyHunters means that any exposed PeopleSoft instance should be assumed compromised until verified otherwise. IT Security and PeopleSoft administration teams must coordinate emergency action to block external access to PSEMHUB, apply Oracle's mitigation guidance, and monitor for indicators of compromise as the highest priority during this cycle.
Successful exploitation of CVE-2026-35273 allows an unauthenticated attacker to achieve full remote code execution on the PeopleSoft application server, resulting in the complete compromise of confidentiality, integrity, and availability. For UAE and MENA organisations running Oracle PeopleSoft for HR, finance, campus management, or supply chain operations, this represents a risk of complete system takeover, mass exfiltration of personal, financial, and academic records, extortion demands, and operational disruption. UAE PDPL breach-notification obligations may be triggered if personal data stored within PeopleSoft is compromised. NCA ECC mandatory incident-reporting requirements apply to critical infrastructure operators running affected PeopleSoft systems.
https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html