CVE-2026-35273

Confirmed PUBLISHED

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions...

Oracle Corporation · PeopleSoft Enterprise PeopleTools

4 hours faster than CISA KEV

Exploited in the wild Active exploitation observed Used in malware PoC available Virtual patch available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
633
Unique Attacker IPs
84
CISA KEV
In CISA KEV
Virtual Patch
Yes 3 targets
CVSS / EPSS
9.8 Critical EPSS 92.3%

At a Glance

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

malware cisa nuclei_scanner
CVE Published
Jun 11, 2026
Exploitation Reported
Jun 11, 2026
CVSS
9.8 Critical
EPSS
92.3%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
Oracle Corporation
PeopleSoft Enterprise PeopleTools

8.61

Affected
Oracle Corporation
PeopleSoft Enterprise PeopleTools

8.62

Affected

KEVIntel Analysis Notes

Analyst-curated context on exploitation evidence and operational relevance.

Based on KEVIntel honeypot logs and the Mandiant report, we believe this is potentially the CVE-2026-35273 activity chain. Actors typically spray two parallel vectors in the same session; neither is proven to depend on the other. 1. Primary vector — PSEMHUB update-source poisoning (CVE-2026-35273) Attacker sends POST /PSEMHUB/hub with environment-management actions (updateEnvironment, fetchEnvironment, syncEnvironment) and an attacker-controlled sourceURL (e.g. hxxp://attacker_ip:9999/hub_update). 1.1 The hub fetches and processes environment metadata/updates from that sourceURL (missing authentication on this operation). 1.2 Malicious content is staged on disk under PSEMHUB.war/envmetadata/ (transactions, environment XML). 1.3 RCE follows when that content is processed. Mandiant observed XMLDecoder abuse via envmetadata/data/environment/*.xml on app restart, plus unexpected .jsp webshells. Weaponized content is usually hosted at sourceURL, not embedded as shellcode in the POST body. The HTTP request is the trigger. 2. Alternate / parallel vector — Integration Broker SSRF POST /PSIGW/HttpListeningConnector with loopback or internal targets. This is a separate Integration Broker SSRF primitive, often fired alongside vector 1 in automated PoC spray. It is not required after PSEMHUB RCE. Payloads seen in the wild include: EnvironmentManagement XML (often sprayed to both /PSEMHUB/hub and /PSIGW/HttpListeningConnector): <Envelope><Body><EnvironmentManagement> <sourceURL>hxxp://127.0.0.1:7001/console</sourceURL> </EnvironmentManagement></Body></Envelope> IBRequest / HttpTargetConnector (Integration Broker native SSRF gadget) with URL and Method connector parameters — e.g. POST to hxxp://127.0.0.1:8000/PSEMHUB/hub with minimal body content. PoCs may label the operation CVE-2026-35273 in ExternalOperationName; that reflects campaign tooling, not proof that PSIGW SSRF is the same CVE as PSEMHUB. Common SSRF targets include: - WebLogic admin console (127[.]0.0.1:7001/console) - Internal PeopleSoft services (127[.]0.0.1:51500/pspc/services/AdminService) - Cloud metadata endpoint (169[.]254.169.254) - Internal PSEMHUB hub (127[.]0.0.1:<port>/PSEMHUB/hub) — PSIGW used to reach hub on loopback when it is not directly exposed; may be probing or partial delivery, not a full hubAction + sourceURL chain by itself

CVE References

  • Oracle Advisory oracle.com · Vendor Advisory https://www.oracle.com/security-alerts/alert-cve-2026-35273.html

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.