Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert
A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools is being exploited in the wild, Charles Carmakal, CTO at cybersecurity firm Mandiant, part of Google Cloud, warned today.
The warning comes a day after Oracle published an out-of-band security alert about the flaw, which is remotely exploitable without authentication, may result in remote code execution, and affects PeopleSoft PeopleTools versions 8.61 and 8.62 (and possibly earlier, unsupported ones as well).
Oracle credited researchers with TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability.
The security alert links to a “patch availability document”, but it is unclear whether a patch is currently available, as the document is accessible only to customers with a support account.
Help Net Security has reached out to Oracle for confirmation on whether CVE-2026-35273 is being actively exploited, but we’ve yet to receive a reply.
ShinyHunters targeting PeopleSoft instances
Oracle’s alert was published on the same day that Bleeping Computer reported ShinyHunters’ claims that they’ve been breaching Oracle PeopleSoft servers and have stolen data from 100+ organizations.
According to the extortion group’s claims, the targeted organizations are mostly educational institutions, and their PeopleSoft instances – whether on-premises or in the cloud – were breached “using a ‘gadget chain’ of old and zero-day vulnerabilities.”
Among the victims is apparently the University of Nottingham, which confirmed it has suffered a cybersecurity incident and that it has notified affected students and alumni directly.
ShinyHunters claimed that breach and leaked tens of gigabytes of stolen data, including personal data and academic records of nearly half a million current and former students.
A threat researcher seemingly confirmed ShinyHunters’ ongoing targeting of PeopleSoft instances, after discovering exposed directories containing tools used in these attacks.
“At the /pay_or_leak endpoint, is stolen data from 20+ organizations, many named and others from 02 Jun and 04 Jun not yet named. Inside the same bash history log is a purpose-built shell script (uon_fanout.sh) which spreads defacement markers across PeopleSoft infrastructure,” the researcher noted.
“The code shows the attackers are very familiar with PeopleSoft; extracting creds from psappsrv.cfg (app server config), mapping all connected nodes, and identifying web/app/batch tiers.”
The researcher also posted a list of IPs and domains related to the attacks, which can be used by PeopleSoft admins and defenders to check for signs of compromise.
UPDATE (June 11, 2026, 05:15 p.m. ET):
Mandiant and Google Threat Intelligence Group have confirmed that ShinyHunters (i.e., UNC6240) have been targeting Oracle PeopleSoft application infrastructure between May 27, 2026 and June 9, 2026, and the activity “is consistent” with the exploitation of CVE-2026-35273.
“The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle’s June 10, 2026 advisory, the vulnerability was exploited as a zero-day,” they said, and revealed that they notified over 100 global organizations with potentially vulnerable endpoints.
“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters [data leaks site],” the researchers shared.
They detailed the actions performed and tools used by the attackers, and provided remediation and hardening advice.
Though there’s still no mention of a patch for CVE-2026-35273, there are mitigations PeopleSoft admins can implement to minimize the risk of exploitation.
They can disable the Environment Management Hub (EMHub) Service in Multi-Server configurations, remove the PSEMHUB application in Single-Server configurations or, if they cannot disable the EMHub Service, they can block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter or firewall level.
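The following added example, which is not code from Oracle, Mandiant or the researcher quoted above, checks web access logs for requests that reached /PSEMHUB/* or /PSIGW/HttpListeningConnector from outside the internal network, which also shows whether a perimeter block is taking effect. The log format (Common/Combined), the internal address ranges, the placeholder sub-paths and the sample lines are assumptions made for the example.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Paths the article says to block from external access (compared lower-cased).
SENSITIVE = ("/psemhub", "/psigw/httplisteningconnector")
# Assumption: these ranges count as "internal"; adjust to your own address plan.
INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
# Assumption: Common/Combined Log Format with the real client IP in the first field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def normalize(target):
    """Canonicalize a request target so encoded, dotted or mixed-case paths still match."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(unquote(path))            # tolerate one level of double encoding
    path = re.sub(r";[^/]*", "", path)       # drop ;path-parameters
    path = re.sub(r"/+", "/", "/" + path.replace("\\", "/"))
    return posixpath.normpath(path).lower()

def external_hits(lines, internal_nets=INTERNAL_NETS):
    """Return (ip, timestamp, method, path, status) for non-internal requests to SENSITIVE paths."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        path = normalize(m["target"]) if m else ""
        if not any(path == p or path.startswith(p + "/") for p in SENSITIVE):
            continue
        try:
            internal = any(ipaddress.ip_address(m["ip"]) in n for n in nets)
        except ValueError:                   # hostname or garbage in the client field
            internal = False
        if not internal:
            hits.append((m["ip"], m["ts"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder sub-paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:02:11:09 +0000] "POST /PSEMHUB/example HTTP/1.1" 200 512',
    '10.20.30.40 - - [28/May/2026:02:12:00 +0000] "GET /PSEMHUB/example HTTP/1.1" 200 128',
    '198.51.100.23 - - [01/Jun/2026:13:45:51 +0000] "POST /psigw/%48ttpListeningConnector?x=1 HTTP/1.1" 500 0',
    '198.51.100.23 - - [01/Jun/2026:13:46:02 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9000',
    '203.0.113.7 - - [03/Jun/2026:08:00:00 +0000] "GET /static/../PSEMHUB//example HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print(*external_hits(SAMPLE_LOG), sep="\n")
```

Run it over the access log of the web tier or the reverse proxy in front of it; the last field of each hit is the HTTP status returned to the client.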

