Oracle has disclosed CVE-2026-35273, a critical vulnerability in PeopleSoft Enterprise PeopleTools that has already been exploited by threat actors. The vulnerability allows unauthenticated attackers to remotely compromise vulnerable systems and potentially achieve remote code execution, putting exposed PeopleSoft environments at immediate risk.
What makes this vulnerability especially concerning is that attackers exploited it as a zero-day before Oracle released a patch. Security researchers observed attacks for nearly two weeks prior to public disclosure, highlighting how quickly threat actors can weaponize vulnerabilities in widely used enterprise applications.
The attacks have been linked to the financially motivated ShinyHunters group, which primarily targeted universities and colleges. Successful intrusions resulted in data theft, persistence deployment, and extortion attempts, demonstrating the real-world impact of this vulnerability.
What is CVE-2026-35273?
CVE-2026-35273 is a critical vulnerability affecting Oracle PeopleSoft Enterprise PeopleTools versions 8.61.x and 8.62.x. Oracle assigned the vulnerability a CVSS score of 9.8, which reflects network-reachable exploitation with low complexity and no authentication or user interaction required.
According to threat intelligence reports, attackers exploited CVE-2026-35273 between May 27 and June 9, 2026, before Oracle publicly disclosed the vulnerability.
The vulnerability has been classified as a Server-Side Request Forgery (SSRF) flaw affecting the PeopleSoft Integration Broker and Environment Management components. Because the server does not properly validate the destinations of requests it is asked to make, an attacker can use the PeopleSoft server to reach internal services that are not exposed directly, and that access can be chained into Remote Code Execution (RCE). Internet-facing PeopleSoft environments are therefore at significant risk.
Successful exploitation allows attackers to send crafted requests through vulnerable PeopleSoft components and execute arbitrary code on the underlying server. This could enable a remote attacker to take control of a system without valid credentials.
Oracle released an out-of-band security update on June 10, 2026, following reports of active exploitation. Given the critical severity and confirmed attacks targeting vulnerable systems, organizations should prioritize patching affected systems and investigating indicators of compromise.
The rapid weaponization of this vulnerability fits a broader pattern: enterprise software flaws are increasingly exploited days or weeks before an official security advisory is available.
How CVE-2026-35273 Works: SSRF to RCE Attack Chain
Security researchers have described CVE-2026-35273 as an SSRF-to-RCE vulnerability chain.
Server-Side Request Forgery vulnerabilities occur when attackers can manipulate a server into making requests on their behalf. In many cases, SSRF vulnerabilities are used to access internal services, cloud metadata endpoints, or otherwise inaccessible resources.
In the case of CVE-2026-35273, the SSRF capability appears to act as the initial stage of a broader exploitation chain that ultimately enables remote code execution.
Researchers identified two PeopleSoft endpoints that play a central role in exploitation:
/PSEMHUB/hub
/PSIGW/HttpListeningConnector
These components are associated with PeopleSoft’s Environment Management infrastructure and Integration Gateway functionality. Attackers leveraged these exposed interfaces to execute the attack chain and gain unauthorized access to targeted environments.
The involvement of these management components is significant because administrative and integration services often operate with elevated privileges and broad access across enterprise environments.
SMB-Based Credential Exposure Risks
Researchers observed that exploitation attempts may trigger outbound SMB (Server Message Block) connections from vulnerable servers. This adds a second risk on top of remote code execution: when a Windows server is coerced into connecting to an attacker-controlled SMB host, it authenticates to that host, and the attacker can capture the machine account's NetNTLM challenge-response.
Machine-account passwords are long and random, so offline cracking of the captured material is impractical; the realistic abuse is NTLM relay to another service that accepts the machine account, followed by credential abuse and lateral movement from there.
Organizations that permit unrestricted outbound SMB traffic from application servers face increased risk during exploitation attempts and should review network controls as part of their mitigation strategy.
Post-Exploitation Activity Following Initial Access
Persistence via Remote Management Agents
Researchers observed several post-exploitation activities after the initial compromise. In multiple incidents, attackers deployed MeshCentral remote management agents to maintain access to affected systems. Some of these tools were disguised as Microsoft Azure-related services.
By presenting the software as legitimate administrative components, attackers reduced the likelihood of immediate detection.
Internal Reconnaissance and Lateral Movement
Investigators also observed internal reconnaissance activity as attackers searched for additional systems and accounts within the environment. Evidence of lateral movement suggested attempts to extend access beyond the compromised PeopleSoft server.
Data Exfiltration
Researchers further observed data exfiltration activity. The stolen data was compressed before being transferred from victim environments, indicating a structured effort to collect and remove information after gaining access.
How to Detect CVE-2026-35273 Exploitation
Detecting exploitation requires reviewing network, host, and application logs for signs of unauthorized activity.
HTTP POST requests targeting PeopleSoft Environment Management and Integration Gateway endpoints should be investigated, particularly when the URL, query string or request body contains localhost references, loopback addresses, or internal IP ranges, including URL-encoded forms of them. Such requests may indicate attempts to abuse the SSRF vulnerability.
On affected systems, administrators should look for unexpected JSP files, recently created directories, modified XML files, and other unauthorized changes within PeopleSoft application directories. The presence of remote management tools, unfamiliar scheduled tasks, or unusual outbound connections may point to follow-on activity after the initial compromise.
Organizations should also review outbound SMB traffic from PeopleSoft servers, especially connections to external or untrusted systems. Since attacks were observed before Oracle released a security update, reviewing historical logs can help determine whether exploitation occurred before patching and whether further investigation is required.
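To make the detection guidance above concrete, here is an added Python example (not code from this article, from Oracle, or from the researchers it cites) that applies the same checks to constructed sample data: it classifies access-log lines that hit /PSEMHUB/ or /PSIGW/HttpListeningConnector, looks for loopback, private or link-local references in the request target and POST body after URL decoding so encoded payloads are not missed, and flags outbound SMB connections from the PeopleSoft server to hosts outside an approved list. The log format, the sample lines, the server addresses and the approved-file-server list are all assumptions made for the example; adapt the regex to your web server's actual log format and feed real flow or firewall records to flag_outbound_smb.

```python
"""Log-triage helpers for hunting CVE-2026-35273 activity.

Added example for this article, not Oracle's or the cited researchers' code.
The log lines, addresses and connection records are constructed; real
PeopleSoft web-server and firewall logs differ in format and fields.
"""
import ipaddress
import re
from urllib.parse import unquote

# Endpoints the reporting names as central to the attack chain.
WATCHED_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Host names that point a server-side request back at the host itself.
LOOPBACK_NAMES = ("localhost", "[::1]")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Combined log format (assumed): client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def references_internal_host(text):
    """True if text (URL, query string or POST body) names loopback, private,
    link-local or unspecified address space after URL decoding. Decoding twice
    catches double-encoded payloads such as %2531%2532%2537 for the digits 127."""
    decoded = unquote(unquote(text)).lower()
    if any(name in decoded for name in LOOPBACK_NAMES):
        return True
    for literal in IPV4_RE.findall(decoded):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            continue
        if addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified:
            return True
    return False


def classify_request(line, body=""):
    """Classify one access-log line plus its POST body, if captured.

    None             -> does not touch a watched endpoint (or unparseable line)
    "review"         -> POST to a watched endpoint with no internal reference
    "ssrf-candidate" -> target or body references an internal host (any method)
    """
    match = LOG_RE.match(line)
    if not match or not match.group("target").startswith(WATCHED_PATHS):
        return None
    if references_internal_host(match.group("target")) or references_internal_host(body):
        return "ssrf-candidate"
    return "review" if match.group("method") == "POST" else None


def flag_outbound_smb(connections, approved_file_servers):
    """Return outbound SMB connections (ports 445/139) to hosts outside the
    approved list. An allowlist beats a public/private test here: a coerced SMB
    connection to an attacker-controlled internal host relays NetNTLM just as
    well as one to the internet."""
    approved = {ipaddress.ip_address(a) for a in approved_file_servers}
    return [
        (src, dst, dport)
        for src, dst, dport in connections
        if dport in (445, 139) and ipaddress.ip_address(dst) not in approved
    ]


# Constructed samples: (access-log line, captured POST body or "").
SAMPLE_REQUESTS = [
    ('203.0.113.7 - - [02/Jun/2026:10:15:32 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512',
     "<url>http://127.0.0.1:8000/PSEMHUB/hub</url>"),
    ('198.51.100.9 - - [02/Jun/2026:10:16:01 +0000] "POST /PSEMHUB/hub?target=http%3A%2F%2Flocalhost%3A8080%2F HTTP/1.1" 200 300',
     ""),
    ('10.20.30.40 - - [02/Jun/2026:10:17:15 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 256',
     "<Message><OrderId>4711</OrderId></Message>"),
    ('10.20.30.41 - - [02/Jun/2026:10:18:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 14322',
     ""),
]
# Constructed connection records (src, dst, dport) seen from the PeopleSoft server.
SAMPLE_CONNECTIONS = [
    ("10.20.30.5", "10.20.30.50", 445),    # approved internal file server
    ("10.20.30.5", "198.51.100.23", 445),  # unexpected SMB egress
    ("10.20.30.5", "10.20.30.60", 443),    # ordinary HTTPS, ignored
]
APPROVED_FILE_SERVERS = ["10.20.30.50"]


def triage():
    """Run both checks over the constructed samples; returns (verdicts, smb hits)."""
    verdicts = [classify_request(line, body) for line, body in SAMPLE_REQUESTS]
    return verdicts, flag_outbound_smb(SAMPLE_CONNECTIONS, APPROVED_FILE_SERVERS)


if __name__ == "__main__":
    verdicts, smb = triage()
    for verdict, (line, _) in zip(verdicts, SAMPLE_REQUESTS):
        print(f"[{verdict or 'ignore'}] {line}")
    for src, dst, dport in smb:
        print(f"[smb-egress] {src} -> {dst}:{dport}")
```

Note that ordinary access logs do not record POST bodies, so the body check only works where a WAF or reverse proxy in front of the web tier captures them; without that, the URL and query-string check and the outbound SMB check are what you have, and a POST to either endpoint from an address that never used it before is still worth a look.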
How to Mitigate CVE-2026-35273
Organizations running PeopleTools 8.61.x or 8.62.x should treat this as an emergency given the confirmed exploitation. The steps below, in priority order, cover patching, reducing the exposed attack surface, and checking whether a system was compromised before the patch was applied.
Apply Oracle’s Security Update
Apply Oracle’s out-of-band security update released on June 10, 2026. Organizations running PeopleTools versions 8.61 or 8.62 should treat this as an emergency patch given confirmed active exploitation.
Review and Disable EMHub Where Not Required
Organizations should also review whether the Environment Management Hub (EMHub) service is required. Oracle recommends disabling the service in multi-server deployments or removing the PSEMHUB application in single-server environments where it is not needed.
Restrict Access to Vulnerable Endpoints
Access to /PSEMHUB/* and /PSIGW/HttpListeningConnector should be restricted to trusted networks at the reverse proxy, load balancer or firewall in front of the web tier, so that the paths are unreachable from the internet rather than merely unused; if external integration partners must reach the HttpListeningConnector, allow only their source addresses. Security teams should also block or alert on outbound SMB (TCP 445) from PeopleSoft servers and investigate any unexpected connection to external systems.
Conduct a Post-Patch Compromise Assessment
Because exploitation was observed before Oracle released a patch, patching alone does not establish that a system is clean, and organizations should conduct a compromise assessment after remediation. This review should cover web application directories, recently modified files, unexpected JSP files, unauthorized directories, remote management agents and scheduled tasks, outbound network connections, and other indicators associated with the reported attacks.
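As an added example for the host-level checks in the detection section and the compromise assessment above (not Oracle's tooling and not code from this article), the Python below sweeps a web application directory for three of the indicators named: JSP files absent from a known-good baseline, XML files modified after a cutoff, and directories whose contents changed after it. The directory layout, file names and cutoff in the demo are constructed; on a real system point root at the PeopleSoft web application directory, build the baseline JSP list from a clean install at the same PeopleTools patch level, and use 27 May 2026 (the start of the reported exploitation window) or earlier as the cutoff.

```python
"""Post-patch compromise-assessment sweep of a PeopleSoft web deployment.

Added example for this article, not Oracle's tooling. The tree layout, file
names and cutoff used in the demo are constructed; the scan logic is generic:
walk a web application directory and report JSP files missing from a known-good
baseline, XML files modified after a cutoff, and directories whose contents
changed after it.
"""
import os
import tempfile
from datetime import datetime, timezone

# Start of the exploitation window reported in the article (27 May 2026, UTC).
EXPLOITATION_WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc).timestamp()


def _rel(path, root):
    """Path relative to root with forward slashes, for stable reporting."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_webroot(root, since=EXPLOITATION_WINDOW_START, baseline_jsp=()):
    """Return {"unexpected_jsp": [...], "modified_xml": [...], "new_dirs": [...]}
    as sorted root-relative paths.

    JSPs are judged against a baseline, not a timestamp, because an attacker who
    can write a file can also timestomp it; mtime is used only for the XML and
    directory checks, where a baseline is rarely available.
    """
    expected = {os.path.normpath(os.path.join(root, p)) for p in baseline_jsp}
    findings = {"unexpected_jsp": [], "modified_xml": [], "new_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mtime > since:
                findings["new_dirs"].append(_rel(full, root))
        for name in filenames:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".jsp") and os.path.normpath(full) not in expected:
                findings["unexpected_jsp"].append(_rel(full, root))
            elif lower.endswith(".xml") and os.stat(full).st_mtime > since:
                findings["modified_xml"].append(_rel(full, root))
    for key in findings:
        findings[key].sort()
    return findings


# Fixed epoch values for the constructed demo tree, independent of the wall clock.
DEMO_SINCE, _OLD, _NEW = 1_000_000, 500_000, 2_000_000


def build_demo_tree(root):
    """Create a constructed, illustrative web-app tree with controlled mtimes:
    a clean baseline plus one planted JSP in a new directory and one edited XML.
    Returns the baseline JSP list to pass to scan_webroot()."""
    files = {
        "index.jsp": _OLD,                 # shipped page, in the baseline
        "WEB-INF/web.xml": _OLD,           # untouched descriptor
        "WEB-INF/config.xml": _NEW,        # edited after the cutoff
        "images/.cache/shell.jsp": _NEW,   # planted JSP in a new directory
    }
    dir_times = {"WEB-INF": _OLD, "images": _OLD, "images/.cache": _NEW}
    for rel, mtime in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write("<!-- constructed sample -->\n")
        os.utime(full, (mtime, mtime))
    # Set directory times last: creating files above bumps the parent mtimes.
    for rel, mtime in dir_times.items():
        os.utime(os.path.join(root, rel), (mtime, mtime))
    return ["index.jsp"]


def run_demo():
    """Build the demo tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_demo_tree(root)
        return scan_webroot(root, since=DEMO_SINCE, baseline_jsp=baseline)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(category, paths)
```

Run it against a copy of the deployment rather than the live tree where possible, and treat every hit as a lead rather than a verdict: a JSP missing from the baseline may be a legitimate customization, and a directory with a fresh mtime may simply have been touched by the patch itself, so correlate each finding with the patch timestamp and with the web and network evidence before concluding anything.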
How AppTrana Reduces Exposure to CVE-2026-35273
AppTrana helps protect against exploitation attempts associated with CVE-2026-35273 by detecting and blocking malicious requests targeting vulnerable PeopleSoft endpoints, including SSRF and remote code execution attack patterns. It also provides continuous traffic monitoring and managed virtual patching capabilities, helping organizations reduce exposure to active attacks while applying Oracle’s recommended security updates.
The screenshots below show AppTrana successfully detecting and blocking CVE-2026-35273 exploitation attempts, returning an HTTP 406 (Not Acceptable) response: