Oracle PeopleSoft Enterprise PeopleTools has been hit by a CVSS 9.8-rated critical zero-day vulnerability (CVE-2026-35273) that allows unauthenticated attackers to achieve full system takeover, already weaponized by the ShinyHunters threat group to breach over 100 organizations globally.
CVE-2026-35273 is a missing-authentication vulnerability (CWE-306) in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.
The flaw is classified as “easily exploitable,” enabling any unauthenticated attacker with network access via HTTP to fully compromise PeopleSoft environments, no credentials, no user interaction, no elevated privileges required.
Oracle’s CVSS 3.1 Base Score stands at 9.8 (Critical) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting maximum impact on confidentiality, integrity, and availability.
The vulnerability was published on June 11, 2026, and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on June 12, 2026, with a mandatory remediation due date of June 15, 2026, a critically tight 72-hour remediation window that signals active, in-the-wild exploitation at the time of cataloging.
The exploitation of CVE-2026-35273 is not theoretical; it is an active, ongoing mass-compromise operation. Between May 27 and June 9, 2026, the notorious cybercrime group ShinyHunters exploited this zero-day as part of a “gadget chain” attack, combining older PeopleSoft vulnerabilities with CVE-2026-35273 to gain initial access to both on-premises and cloud PeopleSoft instances.
A ShinyHunters member confirmed to TechCrunch that the gang directly leveraged this unpatched flaw to breach organizations before Oracle had issued a fix.
Google’s Mandiant (Google Threat Intelligence Group / GTIG) confirmed and disclosed that more than 100 global organizations were impacted, with approximately 68% of victims in the higher education sector, predominantly universities and colleges located in the United States.
Sensitive data exfiltrated included student records, employee data, and payroll information, which ShinyHunters subsequently used to make extortion demands. Mandiant proactively notified affected organizations and urged them to implement immediate network access restrictions.
CVE-2026-35273 exploits the absence of an authentication gate protecting a critical function within PeopleSoft’s Updates Environment Management subsystem, the component responsible for managing patches and environment configurations within PeopleSoft deployments.
Under normal security design, this function should require elevated credentials; however, due to CWE-306 (Missing Authentication for Critical Function), the endpoint is fully reachable over HTTP without any prior authentication.
Attackers exploit this pathway to inject commands or manipulate configurations, leading to remote code execution (RCE) and granting complete control over the PeopleSoft instance.
ShinyHunters further combined this zero-day with a “gadget chain” of previously known PeopleSoft vulnerabilities, effectively weaponizing the attack chain to maximize exploitation success against both on-premises and cloud-hosted deployments. The attack requires no user interaction and is low-complexity, making mass automated exploitation feasible at scale.
Affected Versions
Oracle has issued an out-of-band security alert, a rare emergency patch release outside its standard quarterly Critical Patch Update (CPU) cycle, underscoring the severity of active exploitation. The following versions are confirmed affected:
| Product | Component | Affected Versions |
|---|---|---|
| PeopleSoft Enterprise PeopleTools | Updates Environment Management | 8.61, 8.62 |
Oracle’s patch is available via Oracle Support under Patch Availability Document ID: CPU187. Organizations on earlier, unsupported versions of PeopleTools must urgently upgrade to a supported version and then apply the patch.
CISA has added CVE-2026-35273 to its KEV catalog and invoked Binding Operational Directive (BOD) 26-04, the agency’s new risk-based vulnerability prioritization framework released in June 2026.
BOD 26-04 replaces and consolidates older directives (BOD 19-02 and BOD 22-01), requiring federal agencies to assess vulnerabilities based on four critical risk signals: asset internet exposure, KEV catalog status, exploit automation potential, and post-exploitation technical impact.
Given that CVE-2026-35273 scores critically on all four axes (it is internet-accessible, actively exploited, easily automated, and results in full system takeover), it has been assigned the highest remediation urgency under BOD 26-04.
Federal agencies must also adhere to CISA’s “Forensics Triage Requirements” prior to patching, ensuring that any pre-existing compromise is identified and contained before applying mitigations.
For organizations using cloud-based PeopleSoft deployments, BOD 26-04 provides specific cloud guidance, and for any organization unable to apply mitigations, CISA mandates discontinuation of the product.
Mitigations
Organizations running Oracle PeopleSoft Enterprise PeopleTools 8.61 or 8.62 should take the following immediate actions:
- Apply the out-of-band patch immediately via Oracle Support (Document ID: CPU187)
- Restrict HTTP access to PeopleSoft environments from untrusted or external networks as a compensating control
- Review network segmentation and ensure PeopleSoft servers are not directly internet-exposed
- Enable anomalous activity monitoring and audit logs for the Updates Environment Management component
- Conduct forensic triage per CISA’s BOD 26-04 requirements to identify any prior unauthorized access before patching
- Upgrade to a supported version if currently running PeopleTools below 8.61, since unsupported versions may also be at risk
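The two compensating controls above (restricting HTTP reachability and auditing access to the Updates Environment Management component) can be checked against web-tier access logs during the pre-patch forensic triage. The following is an added example, not code from Oracle, CISA or Mandiant; it assumes the combined log format and uses a placeholder for the component's URL path, which the advisory does not publish, and constructed trusted-network ranges.

```python
import ipaddress
import re

# Placeholder: the advisory does not publish the Updates Environment Management
# URL path. Replace with the path(s) your own PeopleSoft web tier exposes for it.
UEM_PATH_PREFIX = "/<uem-path-placeholder>/"

# Assumed: networks from which patch/environment-management traffic is legitimate.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def is_trusted(ip: str) -> bool:
    """True only for addresses inside TRUSTED_NETS; unparsable client fields count as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def triage(lines: list) -> list:
    """Return (timestamp, ip, method, path, status) for each UEM request from an untrusted source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None or not m["path"].startswith(UEM_PATH_PREFIX):
            continue  # malformed or unrelated line; count malformed ones separately in real triage
        if is_trusted(m["ip"]):
            continue
        hits.append((m["ts"], m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines (not real traffic): two external UEM hits, one internal
# UEM hit, one unrelated request and one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "POST /<uem-path-placeholder>/request1 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.20.5.9 - - [02/Jun/2026:09:00:01 +0000] "GET /<uem-path-placeholder>/request2 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Jun/2026:22:41:55 +0000] "GET /<uem-path-placeholder>/request3 HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Jun/2026:03:14:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Any hit this reports from before the patch date is a candidate for the forensic triage CISA requires before remediation, and a non-empty result on a patched system means the HTTP access restriction is not in effect.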
FAQ
Q1: What is CVE-2026-35273?
It is a CVSS 9.8 critical missing authentication vulnerability in Oracle PeopleSoft PeopleTools 8.61/8.62 that allows unauthenticated remote attackers to take over the system.
Q2: Who is exploiting CVE-2026-35273?
The ShinyHunters cybercrime and ransomware group actively exploited this zero-day between May 27 and June 9, 2026, breaching 100+ organizations globally.
Q3: Which organizations are most at risk from this vulnerability?
Any enterprise using Oracle PeopleSoft PeopleTools versions 8.61 or 8.62, particularly higher education institutions and HR or payroll platforms exposed to the internet.
Q4: What is the CISA patching deadline for CVE-2026-35273?
CISA’s BOD 26-04 mandates remediation by June 15, 2026: apply Oracle’s out-of-band patch (CPU187) or discontinue use if mitigations are unavailable.
Site: thecybrdef.com