U.S. CISA expands KEV catalog with Oracle PeopleSoft PeopleTools vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog to include a critical security flaw affecting Oracle PeopleSoft Enterprise PeopleTools. The vulnerability, identified as CVE-2026-35273, carries a high severity rating with a CVSS score of 9.8.

Oracle PeopleSoft Enterprise PeopleTools serves as the foundational framework used to develop, deploy, manage, and customize PeopleSoft applications across enterprise environments. Due to its central role in application infrastructure, vulnerabilities within this platform can have significant security implications.

CVE-2026-35273 is a remote code execution (RCE) vulnerability located in the Environment Management component of PeopleTools. The flaw is particularly severe because it can be exploited remotely without requiring authentication or user interaction. Any attacker with network access to the Environment Management Hub (PSEMHUB) endpoint can leverage this issue to gain full control of the affected server.

Threat intelligence findings indicate that this vulnerability has already been exploited in real-world attacks. An investigation by Mandiant and Google’s Threat Intelligence Group (GTIG) uncovered an ongoing campaign attributed to the threat actor group known as ShinyHunters (UNC6240). According to their analysis, the group actively targeted Oracle PeopleSoft infrastructures between May 27 and June 9, 2026, prior to Oracle publicly disclosing the vulnerability on June 10. As a result, impacted organizations were dealing with a true zero-day vulnerability, with no patches or official security guidance available during that period.

The campaign disproportionately affected educational institutions, with approximately 68% of the more than 100 identified victims being universities and colleges, primarily based in the United States.

Further investigation revealed operational security gaps on the attackers’ side, which provided researchers with detailed insight into the campaign. Analysts discovered exposed infrastructure consisting of multiple internet-facing servers running Python-based services. These servers contained shared command history files that documented the attackers’ activities step by step, including tool deployment, system reconnaissance, and lateral movement techniques.

The attackers deployed MeshCentral, a legitimate open-source remote management tool, disguising its components as Microsoft Azure-related services to avoid suspicion. These agents were configured to communicate with attacker-controlled command-and-control (C2) servers using encrypted connections, enabling remote access and control of compromised systems while blending with normal network traffic.

Through the use of automated scripts, attackers moved laterally within victim environments by identifying additional PeopleSoft nodes and attempting credential-based access. Once access was gained, they deployed files signaling compromise and facilitating further propagation. Data exfiltration was conducted using compressed archives, which were transmitted to remote servers associated with the attackers’ infrastructure.

One confirmed victim of this campaign was the University of Nottingham. Public breach data indicates that hundreds of thousands of records were compromised, including sensitive personal information such as email addresses, contact details, identification numbers, and other personal attributes.

In response to the vulnerability, Oracle confirmed that PeopleTools versions 8.61 and 8.62 are affected, while earlier unsupported versions are also likely vulnerable.

Organizations currently running Oracle PeopleSoft are strongly advised to act immediately to reduce risk exposure. Recommended mitigation measures include disabling the Environment Management Hub service in multi-server environments or removing the PSEMHUB application in single-server deployments. Where these steps cannot be performed, restricting external access to critical endpoints such as /PSEMHUB/* and /PSIGW/HttpListeningConnector is strongly advised.
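To verify that the access restriction above is actually holding, defenders can check web server access logs for requests to the two endpoints named in the guidance that originate from outside the organization's trusted address space. The following is an added example and not code from the article, Oracle or CISA; it assumes Apache/nginx combined log format, and the trusted ranges and log lines are constructed placeholders to be replaced with your own.

```python
import ipaddress
import re

# Endpoints the guidance says to restrict from external access
# (paths taken from the article: anything under /PSEMHUB/ plus the
# Integration Gateway listening connector).
SENSITIVE_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Hypothetical internal ranges for this example; adjust to your own network.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Minimal combined-log-format parser: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(ip_text):
    """True if the address parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def is_sensitive_path(path):
    """Compare the path only (query string dropped), case-insensitively."""
    p = path.split("?", 1)[0]
    return any(p.lower().startswith(pref.lower()) for pref in SENSITIVE_PREFIXES)


def find_external_hits(log_lines):
    """Return (ip, method, path, status) for each request to a sensitive
    endpoint that came from an address outside TRUSTED_NETWORKS.
    Unparseable lines are skipped rather than raising."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_sensitive_path(m["path"]) and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external clients.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Jun/2026:10:00:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2026:10:00:05 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Jun/2026:10:00:09 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 77',
    '198.51.100.4 - - [12/Jun/2026:10:01:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 4096',
    '192.168.5.9 - - [12/Jun/2026:10:02:00 +0000] "GET /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 200 10',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_external_hits(SAMPLE_LOG):
        print("external access to restricted endpoint:", hit)
```

Run against the sample, the script flags only the two requests from 203.0.113.7: the internal hits and the ordinary portal request are ignored. A non-empty result after the restriction has been applied means the block is not covering every path to the server (for example a second virtual host or a load balancer bypassing the rule), and a 200 response on such a line deserves the same attention as an error.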

Under Binding Operational Directive (BOD) 22-01, which mandates remediation of vulnerabilities actively exploited in the wild, Federal Civilian Executive Branch (FCEB) agencies are required to address this issue within the prescribed timeline. The directive aims to minimize exposure to known threats across federal networks.

Security experts also encourage private-sector organizations to monitor updates to the KEV catalog closely and promptly remediate any vulnerabilities affecting their systems.

CISA has established a remediation deadline of June 15, 2026, for federal agencies to address this vulnerability.
