CVE-2026-35273
Confirmed PUBLISHEDVulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions...
4 hours faster than CISA KEV
Recommended Action
Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
At a Glance
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CVE Published
- Jun 11, 2026
- Exploitation Reported
- Jun 11, 2026
- CVSS
- 9.8 Critical
- EPSS
- 92.3%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Oracle Corporation |
PeopleSoft Enterprise PeopleTools
|
8.61 |
Affected |
| Oracle Corporation |
PeopleSoft Enterprise PeopleTools
|
8.62 |
Affected |
KEVIntel Analysis Notes
Analyst-curated context on exploitation evidence and operational relevance.
CVE References
- Oracle Advisory oracle.com · Vendor Advisory https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
Recommended Actions
- Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
- Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| BleepingComputer First | 2026-06-11 20:20 UTC |
| CISA | 2026-06-12 00:00 UTC |
| Rapid7 | 2026-06-12 14:20 UTC |
| CVE | 2026-06-12 18:01 UTC |
| All CISA Advisories | 2026-06-12 18:20 UTC |
| KEVIntel | 2026-06-14 13:47 UTC |
| Tenable Blog | 2026-06-18 10:20 UTC |
| The Shadowserver | 2026-07-10 00:00 UTC |
Operational indicators for this CVE are listed on the Detection tab.
Observed Exploitation Attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts Observed
- 633
- Unique Attacker IPs
- 84
- Attacker Countries
- 🇧🇬 🇨🇦 🇨🇳 🇩🇪 🇩🇰 🇪🇬 🇪🇸 🇫🇷 🇬🇧 🇭🇰 🇮🇩 🇮🇳 🇯🇵 🇰🇷 🇳🇱 🇳🇴 🇵🇱 🇷🇴 🇸🇨 🇸🇬 🇹🇭 🇹🇱 🇹🇼 🇺🇸 🇻🇳
- Sensors Observed
- 4
Exploitation Attempts Over the Last 37 Days
First observed (all time) 2026-06-14 13:47 UTC · Last observed 2026-07-19 02:12 UTC
See more exploitation detail
- Pro — sensor software/region breakdown and 24h/7d window summaries.
- Enterprise — raw attacker IPs, request paths, User-Agents, and payloads.
Indicators of Compromise (IoCs)
Attacker IP IoCs observed in KEVIntel sensors are available to Pro and Enterprise accounts on the Detection tab and through the Pro API.
Learn about Pro API accessObserved Detection Signals (30d)
Aggregate counts from KEVIntel sensor telemetry for this CVE.
- Distinct request paths
- 5
- Distinct User-Agents
- 41
The specific request paths and User-Agents attackers are using are available on Pro and Enterprise plans.
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-35273.yaml | Jun 19, 2026 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
Supported Platforms
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
GET /api/v2/enterprise/virtual_patches?cve_id=CVE-2026-35273
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-11 20:20:23 UTC · BleepingComputer
Active exploitation observed
Recorded 2026-06-14 13:47:18 UTC · KEVIntel sensor
Used in malware
Recorded 2026-06-12 00:00:00 UTC · BleepingComputer
Proof of concept available
Recorded 2026-06-12 01:51:19 UTC · GitHub
Weaknesses (CWE)
-
Missing Authentication for Critical Function
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-35273.yaml | Jun 19, 2026 |
Recent Mentions
Zero Day Initiative Published Advisories · Jun 24, 2026
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle PeopleSoft. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2026-35273.
Zero Day Initiative Published Advisories · Jun 24, 2026
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle PeopleSoft. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2026-35273.
Zero Day Initiative Published Advisories · Jun 24, 2026
This vulnerability allows remote attackers to initiate arbitrary server-side requests on affected installations of Oracle PeopleSoft. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.3. The following CVEs are assigned: CVE-2026-35273.
Tenable Blog · Jun 18, 2026
Oracle addresses 243 CVEs in its June 2026 Critical Security Patch Update with 245 patches, including 122 critical updates.Key TakeawaysThe June 2026 Critical Security Patch Update (CSPU) contains fixes for 243 unique CVEs in 245 security updates122 issues (49.8% of all patches) were assigned a critical severity ratingOracle Fusion Middleware received the highest number of patches at 106, accounting for 43.3% of all patchesBackgroundOn June 16, Oracle released its Critical Security Patch Update (CSPU) for June 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 243 unique CVEs in 245 security updates across 11 Oracle product families. Out of the 245 security updates published, 49.8% of patches were assigned a critical severity. Critical severity patches accounted for the bulk of security patches at 49.8%, followed by high severity patches at 42.4%.This month's update includes 122 critical patches across 122 CVEs.SeverityIssues PatchedCVEsCritical122122High104102Medium1515Low44Total245243AnalysisThis month's update saw the Oracle Fusion Middleware product family contain the highest number of patches at 106, accounting for 43.3% of the total patches, followed by Oracle E-Business Suite at 55 patches, which accounted for 22.4% of the total patches.A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle Fusion Middleware10653Oracle E-Business Suite556Oracle JD Edwards2012Oracle Enterprise Manager166Oracle Siebel CRM127Oracle PeopleSoft117Oracle Virtualization100Oracle MySQL84Oracle Communications33Oracle Systems31Oracle Supply Chain11Oracle PeopleSoft zero-day exploitedOn...
CyberInsider · Jun 12, 2026
Google's Mandiant and Google Threat Intelligence Group (GTIG) say the ShinyHunters extortion group exploited a critical Oracle PeopleSoft vulnerability as a zero-day to compromise education institutes. The activity, tracked as UNC6240, was observed between May 27 and June 9 and involved exploitation of CVE-2026-35273, a critical remote code execution flaw in the Environment Management component … The post Google warns of Oracle PeopleSoft attacks hitting universities appeared first on CyberInsider.
Rapid7 · Jun 12, 2026
OverviewOn June 10, 2026, Oracle published a security alert for CVE-2026-35273, a critical vulnerability in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. Oracle released an out-of-band patch the same day as the advisory, underscoring the urgency of remediation. The vulnerability has a CVSSv3.1 score of 9.8 and is remotely exploitable without authentication. Per the vendor advisory, successful exploitation may result in remote code execution (RCE). TrendAI has classified the underlying flaw as a server-side request forgery (CWE-918). PeopleTools versions 8.61 and 8.62 are affected.CVE-2026-35273 was reported to Oracle through TrendAI's Zero Day Initiative. According to a report published by Mandiant on June 11, 2026, this vulnerability has been exploited in the wild as a zero-day prior to the vendor security alert, with active exploitation observed between May 27 and June 9, 2026, predating Oracle's advisory by two weeks.Mandiant has attributed the campaign to UNC6240 (ShinyHunters), a financially motivated cybercriminal collective known for data theft and extortion. ShinyHunters has been linked to breaches across cloud services, SaaS platforms, and telecommunications providers, frequently exploiting weak authentication controls, stolen credentials, and cloud misconfigurations rather than deploying sophisticated malware.Based on information published by Mandiant, the campaign heavily targeted the higher education sector; 68 percent of the more than 100 notified organizations were universities and colleges. The observed exploitation targeted PeopleSoft's Environment Management Hub (PSEMHUB) endpoints, and data stolen during the campaign was published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026.The /PSIGW/HttpListeningConnector URI path appears in both the indicators of compromise for this campaign and in a PeopleSoft exploit chain for CVE-2013-3821, detailed by Lexfo in 2017. A related XML External Entity (XXE)...
All CISA Advisories · Jun 12, 2026
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies, updating BOD 22-01. BOD 26-04 reinforces the importance of the KEV catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied. While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. Aware of an exploited vulnerability not currently listed in the KEV catalog? Submit for potential addition: KEV Nomination Form. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance.
TheHackerNews · Jun 11, 2026
The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest. Google's Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a
DarkWebInformer · Jun 11, 2026
CVE-2026-35273 is a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. Rated CVSS 9.8, the flaw affects PeopleTools versions 8.61 and 8.62 and requires immediate mitigation.
BleepingComputer · Jun 11, 2026
Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks. [...]
Google Threat Intelligence · Jun 11, 2026
Introduction Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component. The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day. Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Most of these organizations were based in the United States, and 68 percent operated within the higher education sector. Subsequently, public reports by @nahamike01 on X highlighted open attacker directories on the staging servers, allowing GTIG to perform a detailed triage of the threat actor's operations. The attacker staging environments hosted customized MeshCentral agents masquerading as legitimate cloud endpoints, which they used to run administrative command queries and deploy a custom lateral movement and defacement script, [victim_abbreviation]_fanout.sh. This campaign directly correlates with subsequent data leaks of stolen organization data published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026. We recommend that organizations running Oracle PeopleSoft take the following immediate actions to best defend themselves. Additional remediation and hardening guidance is included later in this post. aside_block ), ('btn_text', ''), ('href', ''), ('image', None)])]> Threat Detail & Campaign Overview On June 9 2026, public threat reports highlighted open attacker directories. GTIG...
Oracle Security Alerts · Jun 11, 2026
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-06-26 05:21:08 UTC · 0 stars
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:00 UTC 9 days ago00:00 UTC · 9 days ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
14:21 UTC 27 days ago14:21 UTC · 27 days ago
Virtual patch available
Compensating WAF rule available to block exploitation
-
04:30 UTC about 1 month ago04:30 UTC · about 1 month ago
Nuclei template available
Scanner coverage available
-
10:20 UTC about 1 month ago10:20 UTC · about 1 month ago
KEV confirmed by Tenable Blog
Exploitation attested by an external source
-
13:47 UTC about 1 month ago13:47 UTC · about 1 month ago
Observed by KEVIntel sensors
Evidence-backed exploitation signal
-
13:47 UTC about 1 month ago13:47 UTC · about 1 month ago
Indicators of compromise added (83)
Indicators of compromise recorded
-
18:20 UTC about 1 month ago18:20 UTC · about 1 month ago
KEV confirmed by All CISA Advisories
Exploitation attested by an external source
-
18:01 UTC about 1 month ago18:01 UTC · about 1 month ago
KEV confirmed by CVE
Exploitation attested by an external source
-
14:20 UTC about 1 month ago14:20 UTC · about 1 month ago
KEV confirmed by Rapid7
Exploitation attested by an external source
-
01:51 UTC about 1 month ago01:51 UTC · about 1 month ago
Public PoC available
Public proof-of-concept code published
-
00:00 UTC about 1 month ago00:00 UTC · about 1 month ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
00:00 UTC about 1 month ago00:00 UTC · about 1 month ago
First public exploitation report
Exploit observed in malware
-
20:20 UTC about 1 month ago20:20 UTC · about 1 month ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
02:25 UTC about 1 month ago02:25 UTC · about 1 month ago
CVE published
Vulnerability disclosed publicly
-
20:03 UTC 4 months ago20:03 UTC · 4 months ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2026-35273
{
"cve_id": "CVE-2026-35273",
"title": "Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle Peop...",
"affected_vendor": "Oracle Corporation",
"affected_product": "PeopleSoft Enterprise PeopleTools",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.8,
"epss_score": 0.9233,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": true
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}