⚡ Key Takeaways

A CVSS 9.8 unauthenticated RCE zero-day in Oracle PeopleSoft PeopleTools (CVE-2026-35273) was exploited by ShinyHunters for 14 days before Oracle released an out-of-band patch on June 10, 2026. Over 100 organizations — 68% of them universities — had data stolen, including 455,000+ records from the University of Nottingham alone. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 12, mandating emergency federal patching.

Bottom Line: Organizations running PeopleSoft PeopleTools 8.61 or 8.62 must apply the CVE-2026-35273 patch immediately, block the two vulnerable endpoints at the perimeter, and conduct a compromise assessment covering the May 27 – June 9 zero-day window.


🧭 Decision Radar

Relevance for Algeria
Medium

Algerian universities, government ministries, and enterprises in the oil and gas sector use ERP and HR management platforms. While Oracle PeopleSoft is less common in Algeria than SAP or domestic solutions, the broader lesson — that enterprise application-layer platforms carry critical unpatched RCE risk — applies directly to any organization running complex ERP environments. The supply chain exposure dimension is particularly relevant for Algerian enterprises with international service providers.
Infrastructure Ready?
Partial

Algerian organizations with Oracle PeopleSoft deployments can apply the patch and implement the network mitigations described. However, the wider lesson — deploying threat-hunting capabilities and behavioral detection for ERP application layers — requires SOC maturity that is still developing in most Algerian enterprises. ASSI (Agence de la Sécurité des Systèmes d’Information) can advise public-sector bodies on patch prioritization aligned with CISA KEV guidance.
Skills Available?
Partial

Oracle PeopleSoft administration skills exist in Algeria within large enterprises and government bodies, sufficient to apply patches and disable the vulnerable service. Full threat-hunting and compromise assessment for the May 27 – June 9 window requires incident response skills and forensic tooling that are available at specialized cybersecurity firms but not uniformly in-house.
Action Timeline
Immediate

Any organization running PeopleSoft PeopleTools 8.61 or 8.62, in Algeria or globally, must apply the CVE-2026-35273 patch now. The KEV listing and the public confirmation of in-the-wild exploitation mean the window for pre-exploitation hardening has effectively closed; the priority shifts to patch application and compromise assessment.
Key Stakeholders
CISOs, IT Directors, Oracle PeopleSoft Administrators, Procurement and Vendor Risk Teams, Ministry of Digitalization
Decision Type
Tactical

This article provides a specific, actionable response to a confirmed, actively exploited critical vulnerability. Organizations running PeopleSoft must act immediately; others should treat this as a case study for ERP application-layer risk governance.

Quick Take: Algerian enterprises and government bodies running Oracle PeopleSoft PeopleTools 8.61 or 8.62 must treat CVE-2026-35273 as a priority-zero incident: apply the out-of-band patch, block the two vulnerable endpoints at the perimeter, and conduct a compromise assessment covering May 27 onward. Organizations with international HR or ERP service providers should request written confirmation of patch status — the supply chain exposure documented in this campaign extends well beyond direct PeopleSoft customers.


Fourteen Days the Attackers Owned PeopleSoft

Oracle PeopleSoft runs payroll, HR records, financial aid, and supply-chain data for more than 15,200 enterprises worldwide, with the heaviest concentration in North American universities, healthcare systems, and government agencies. On June 10, 2026, Oracle released an emergency out-of-band security advisory for CVE-2026-35273 — a critical unauthenticated remote code execution flaw rated CVSS 9.8. What the advisory obscured, and what Mandiant’s same-day threat intelligence report confirmed, was that the window had already closed for over 100 organizations: ShinyHunters had been inside their systems since May 27.

The two-week gap between first exploitation and public disclosure is not a rounding error; it is the operational reality of sophisticated threat actors in 2026. ShinyHunters (tracked by Google Mandiant as UNC6240) did not need a published PoC or a darknet exploit kit. They found and operationalized a zero-day in one of the most data-rich enterprise platforms on the market, scanned for and compromised (by their own claim) roughly 300 PeopleSoft instances across more than 100 organizations, and published stolen records on their data leak site on June 9, one day before Oracle's advisory appeared.

The Vulnerability: What CVE-2026-35273 Actually Does

According to Rapid7's Emergency Threat Response analysis, CVE-2026-35273 resides in the Environment Management Hub component of Oracle PeopleSoft PeopleTools, affecting versions 8.61 and 8.62. The flaw is classified as a server-side request forgery (SSRF) that enables unauthenticated remote code execution: no credentials, no user interaction, just network access to two specific HTTP endpoints, /PSEMHUB/hub (the Environment Management Hub servlet) and /PSIGW/HttpListeningConnector (the inbound HTTP listening connector of the Integration Gateway).

The CVSS 9.8 score reflects what makes this particularly dangerous: the attack vector is the network, attack complexity is low, no privileges are required, and no user action is needed. An attacker with network reach to a PeopleSoft web server can achieve code execution with a single HTTP request. On Windows deployments, the SSRF can additionally be pointed at attacker-controlled infrastructure over SMB (TCP port 445), the standard SSRF-to-SMB coercion pattern: the server opens the outbound connection itself and authenticates with the account the PeopleSoft service runs under, handing the attacker the machine account's NTLM challenge-response material for relay and further lateral movement.

SecurityWeek reported that ShinyHunters claimed to have chained CVE-2026-35273 with older, previously patched vulnerabilities to maximize the breach surface across approximately 300 PeopleSoft instances. Oracle’s own advisory characterized the situation with uncharacteristic urgency: “We consider implementation of the recommended mitigations to be a high-priority risk reduction measure and strongly recommend immediate action.”

The ShinyHunters Playbook: Platform Targeting at Scale

This campaign is the third major platform-targeting operation ShinyHunters has run in roughly two years. The 2024 Snowflake campaign compromised hundreds of millions of records across Ticketmaster, Santander Bank, and dozens of others. A subsequent operation targeted Salesforce Experience Cloud. Now PeopleSoft. Black Kite's threat analysis identifies the pattern: ShinyHunters picks widely deployed enterprise platforms, identifies a critical authentication bypass or RCE path, automates scanning across the global install base, and monetizes the resulting data dump through extortion and public leak pressure.

What distinguishes the PeopleSoft campaign is the breadth of sensitive data categories inside a single platform: student records, financial aid disbursements, immigration files, passport numbers, payroll data, and benefits information. SecurityAffairs noted that the University of Nottingham alone had 455,000 records exposed — names, addresses, passport numbers, and ethnicity data — in what is one of the largest single-institution education breaches of 2026. Sixty-eight percent of the more than 100 notified organizations were universities and colleges, most in the United States.

Post-exploitation tradecraft was consistent across victims. Attackers deployed MeshCentral remote management agents disguised as Microsoft Azure services, routing command-and-control traffic to azurenetfiles.net on port 443, a domain chosen to blend into Azure-heavy enterprise environments. Lateral movement used SSH credential spraying via victim-specific shell scripts. Data was compressed with zstd before exfiltration to an attacker-controlled server at 176.120.22.24. The entire kill chain, from initial SSRF hit to data publication, was executed inside a two-week window.


CISA’s Response and the Federal Patching Mandate

On June 12, 2026, CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog, triggering Binding Operational Directive 22-01, which requires all US federal civilian executive branch agencies to remediate catalogued vulnerabilities by the due date CISA assigns to each entry. Federal agencies running PeopleSoft, and many do for HR and financial management, were placed on an emergency patching timeline.

The KEV designation carries weight beyond the federal perimeter. Every enterprise security team that monitors CISA’s catalog knows that KEV additions signal confirmed, weaponized exploits in active use. The question is no longer “could this be exploited?” — it is “how many attackers have already automated this?”

What Enterprise Security and IT Teams Should Do Now

1. Apply the Out-of-Band Patch Immediately — Do Not Wait for a Maintenance Window

Oracle released a standalone fix for CVE-2026-35273 on June 10, 2026, outside its regular quarterly Critical Patch Update cycle. This is rare; Oracle issues out-of-band patches when active exploitation is confirmed and the severity leaves no runway. Organizations on PeopleTools 8.61 or 8.62 must apply this patch without waiting for the next scheduled maintenance window: in-the-wild exploitation is now publicly confirmed through the KEV listing, and internet-wide scanners will find any exposed /PSEMHUB or /PSIGW endpoint within hours. If patching cannot be completed immediately, disable the Environment Management Hub service (PSEM) as an interim measure; Oracle's advisory states this degrades but does not break core HCM functionality. Treat that as a stopgap, combine it with the perimeter blocking in step 2 (the advisory names two reachable paths), and still apply the patch.

2. Block the Two Vulnerable Endpoints at the Network Perimeter

Even patched systems benefit from defense in depth. Block external access to /PSEMHUB/* at the web application firewall or load balancer outright; the Environment Management Hub is an administrative component with no business on the internet. /PSIGW/HttpListeningConnector needs more care: it is the Integration Gateway's inbound connector, and some deployments legitimately receive Integration Broker messages from external partners through it. Restrict it to an allowlist of partner source addresses rather than leaving it open to the world. In the ShinyHunters campaign, Rapid7's ETR report confirmed that all initial exploitation flowed through these two endpoint paths; where they were internet-accessible without such restrictions, that exposure is what let a single zero-day be exploited at scale. On the egress side, deny outbound TCP 445 from PeopleSoft servers to any external host at the perimeter firewall and alert on attempts: this is the credential-harvest side channel Mandiant documented, and an attempted connection is a behavioral indicator of active compromise even if exploitation occurred before the patch was applied.
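A way to check both halves of this step against what the logs actually show, as an added example that is not Oracle's, Rapid7's or Mandiant's code: the script reads web-server access logs in Apache/NGINX combined format and firewall flow records, flags any external hit on /PSEMHUB, any hit on /PSIGW/HttpListeningConnector from a source outside the partner allowlist, and any TCP/445 from a PeopleSoft host to a non-RFC1918 destination. The log lines, the IP addresses (RFC 5737 documentation ranges), the partner allowlist and the PeopleSoft host list are constructed for the example; the flow-record format is a made-up key=value layout, so adapt FLOW_RE to your firewall's export.

```python
"""Audit access logs and egress flows for the two PeopleSoft paths and for
outbound SMB from PeopleSoft hosts (added example; inputs are constructed).
"""
import ipaddress
import re

# /PSEMHUB is administrative and never belongs on the internet; the PSIGW
# listening connector may legitimately be used by allowlisted integration partners.
NEVER_EXTERNAL = ("/psemhub/",)
PARTNER_ONLY = ("/psigw/httplisteningconnector",)

# RFC 1918 space counts as inside the perimeter; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PARTNER_ALLOWLIST = {"198.51.100.7"}                 # assumed integration partner
PEOPLESOFT_HOSTS = {"10.20.30.40", "10.20.30.41"}    # assumed PeopleSoft web/app servers

# Apache/NGINX combined format: ip ident user [ts] "METHOD target PROTO" status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Constructed firewall flow format: ... src=IP dst=IP proto=tcp dport=N
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_access(line):
    """Return (ip, ts, method, path, status) from a combined-format line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    path = target.split("?", 1)[0].lower()   # drop query string, normalise case
    return ip, ts, method, path, int(status)


def audit_endpoints(access_lines, partners=PARTNER_ALLOWLIST):
    """Requests to the two vulnerable paths from sources that should not reach them."""
    findings = []
    for line in access_lines:
        rec = parse_access(line)
        if rec is None or is_internal(rec[0]):
            continue
        ip, ts, method, path, status = rec
        if path.startswith(NEVER_EXTERNAL):
            findings.append((ts, ip, method, path, status, "PSEMHUB reached from external source"))
        elif path.startswith(PARTNER_ONLY) and ip not in partners:
            findings.append((ts, ip, method, path, status, "PSIGW connector hit from non-allowlisted source"))
    return findings


def audit_smb_egress(flow_lines, hosts=PEOPLESOFT_HOSTS):
    """TCP/445 from PeopleSoft hosts to non-RFC1918 destinations: the SSRF-to-SMB coercion pattern."""
    findings = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.groups()
        if src in hosts and proto == "tcp" and dport == "445" and not is_internal(dst):
            findings.append((src, dst, "outbound SMB to external host"))
    return findings


# Constructed sample telemetry: one external scanner, one allowlisted partner, one insider.
SAMPLE_ACCESS = [
    '203.0.113.45 - - [03/Jun/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [03/Jun/2026:02:15:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 88 "-" "Java/17"',
    '203.0.113.45 - - [03/Jun/2026:02:16:42 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 200 90 "-" "curl/8.5"',
    '10.20.30.9 - - [03/Jun/2026:02:17:10 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 300 "-" "Java/17"',
    '203.0.113.45 - - [03/Jun/2026:02:18:03 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]
SAMPLE_FLOWS = [
    "2026-06-03T02:14:09Z src=10.20.30.40 dst=203.0.113.45 proto=tcp dport=445",
    "2026-06-03T02:14:20Z src=10.20.30.40 dst=10.0.0.5 proto=tcp dport=445",
    "2026-06-03T02:14:21Z src=10.20.30.41 dst=203.0.113.45 proto=tcp dport=443",
]

if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE_ACCESS) + audit_smb_egress(SAMPLE_FLOWS):
        print(*finding)
```

Two design points: the PSEMHUB check ignores the allowlist on purpose (a partner has no reason to talk to the management hub, so a partner address hitting it is still a finding), and internal space is an explicit RFC 1918 list rather than Python's `is_private`, which also treats the documentation ranges used in the sample as private and would hide the scanner.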

3. Conduct a Compromise Assessment Before Declaring the System Clean

Patching stops new exploitation; it does not evict attackers already inside. Given that the zero-day was active from May 27 to June 9, any organization that ran internet-accessible PeopleSoft 8.61 or 8.62 during that window must assume it was targeted and conduct a threat hunt before resuming normal operations. Preserve volatile evidence (process listings, network connections, memory where feasible) before rebooting or rebuilding hosts, or the hunt loses its best artifacts. Specific indicators of compromise: MeshCentral agent processes with command-and-control pointing to azurenetfiles.net, victim-named shell scripts (e.g., [org_abbreviation]_fanout.sh) in temp directories, zstd-compressed archives staged for exfiltration, connections to 176.120.22.24, and WebLogic configuration files accessed outside maintenance schedules. Treat the Environment Management Hub service logs and the web-server access logs covering both endpoint paths from May 27 onward as the primary forensic artifacts; if those logs were not retained, that is itself a finding that requires immediate remediation of the logging posture.
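A sweep over collected host and network telemetry for exactly those indicators, as an added example that is not Mandiant's or Rapid7's tooling. The indicator values (MeshCentral, azurenetfiles.net, *_fanout.sh, zstd archives in temp directories, 176.120.22.24) are the ones reported above; the process listings, resolver log lines, flow records, file paths and the host 10.20.30.40 are constructed, and the file-system conventions assume a Linux PeopleSoft host.

```python
"""Sweep host and network telemetry for the post-exploitation indicators
reported for this campaign (added example; all telemetry is constructed).
"""
import re

C2_DOMAIN = "azurenetfiles.net"
EXFIL_IP = "176.120.22.24"
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FANOUT_RE = re.compile(r"(?:^|/)[A-Za-z0-9]+_fanout\.sh$")   # e.g. acme_fanout.sh
MESH_RE = re.compile(r"mesh(agent|central)", re.IGNORECASE)
DNS_RE = re.compile(r"client=(\S+) query=(\S+)")
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=\w+ dport=(\d+)")


def scan_processes(ps_lines):
    """`ps -eo pid,user,args` lines: MeshCentral agents and running fan-out scripts."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, user, args = parts
        if MESH_RE.search(args):
            tag = "meshcentral agent"
            if "azure" in args.lower():
                tag += " (azure-themed path, as seen in this campaign)"
            hits.append((int(pid), user, args, tag))
        elif FANOUT_RE.search(args):
            hits.append((int(pid), user, args, "fan-out credential-spray script running"))
    return hits


def scan_dns(dns_lines):
    """Resolver log lines: clients resolving the C2 domain or any subdomain of it."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m and (m.group(2) == C2_DOMAIN or m.group(2).endswith("." + C2_DOMAIN)):
            hits.append((m.group(1), m.group(2)))
    return hits


def scan_flows(flow_lines):
    """Flow records: any connection to the exfiltration server, whatever the port."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if m and m.group(2) == EXFIL_IP:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


def scan_files(paths):
    """File inventory: fan-out scripts and zstd archives, only in temp/staging dirs
    (a *_fanout.sh under an admin's scripts directory is worth a look, not an alert)."""
    hits = []
    for p in paths:
        if not p.startswith(TEMP_DIRS):
            continue
        if FANOUT_RE.search(p):
            hits.append((p, "fan-out script in temp dir"))
        elif p.endswith(".zst"):
            hits.append((p, "zstd archive staged in temp dir"))
    return hits


def sweep(telemetry):
    """Run every scanner; returns {category: hits} with empty categories omitted."""
    scanners = (("process", "ps", scan_processes), ("dns", "dns", scan_dns),
                ("flow", "flows", scan_flows), ("file", "files", scan_files))
    findings = {}
    for category, key, fn in scanners:
        hits = fn(telemetry.get(key, []))
        if hits:
            findings[category] = hits
    return findings


# Constructed telemetry from one hypothetical PeopleSoft host, 10.20.30.40.
SAMPLE = {
    "ps": ["4412 psadm2 /opt/AzureNetFiles/meshagent --installedByUser=0",
           "1201 root /usr/sbin/sshd -D",
           "5130 psadm2 /bin/bash /tmp/acme_fanout.sh"],
    "dns": ["2026-06-04T11:02:33Z client=10.20.30.40 query=azurenetfiles.net",
            "2026-06-04T11:02:35Z client=10.20.30.40 query=login.microsoftonline.com"],
    "flows": ["2026-06-05T03:40:12Z src=10.20.30.40 dst=176.120.22.24 proto=tcp dport=443",
              "2026-06-05T03:41:00Z src=10.20.30.40 dst=10.0.0.5 proto=tcp dport=445"],
    "files": ["/tmp/acme_fanout.sh", "/tmp/.cache/hr_export.tar.zst",
              "/opt/oracle/psft/pt/scripts/backup_fanout.sh", "/var/tmp/payroll.zst"],
}

if __name__ == "__main__":
    for category, hits in sweep(SAMPLE).items():
        for hit in hits:
            print(category, *hit)
```

An empty result from sweep() means none of these specific indicators was seen, not that the host is clean; the indicators are tied to one actor's tooling at one point in time, and the access-log review from the previous step remains the authoritative evidence of whether the endpoints were hit.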

4. Audit Third-Party Vendors and Service Providers Running PeopleSoft

One of the most dangerous aspects of this campaign is the supply chain dimension. Many large enterprises outsource HR processing, financial aid administration, or payroll to service bureaus that run PeopleSoft on behalf of multiple clients. A single compromised vendor instance can expose employee data from dozens of organizations that have no direct PeopleSoft deployment of their own. Black Kite’s analysis identifies three tiers of exposure: direct PeopleSoft customers, service providers using PeopleSoft for client data, and nth-party exposures flowing through vendors’ vendors. Immediately request written confirmation from all payroll, HR, and ERP service providers that they have applied the CVE-2026-35273 patch and conducted a compromise assessment for the May 27 – June 9 window.

The Bigger Picture: ERP Platforms Are the New Ransomware Target

This incident marks a notable inflection in enterprise threat targeting. For most of the 2020s, ransomware operators focused on Windows endpoints and file servers — targets that are well understood, widely patched, and increasingly protected by EDR. The ShinyHunters campaigns of 2024-2026 signal a deliberate pivot toward the application layer of enterprise infrastructure: the SaaS platforms, ERP systems, and cloud data warehouses where the highest-value data actually lives.

PeopleSoft, Salesforce Experience Cloud, and Snowflake share a common characteristic: they are trusted systems that sit outside the traditional endpoint security perimeter, receive less scrutiny from threat-hunting teams, and hold data categories — payroll, HR records, student financial aid, customer PII — that command premium prices on criminal markets. When ShinyHunters pivoted from Snowflake to Salesforce to PeopleSoft, they were not reacting opportunistically; they were executing a systematic campaign against the enterprise data layer.

For security leaders, the lesson is architectural: your threat model must extend to every application that holds sensitive data, not just the endpoints that connect to them. No patch existed during the 14-day zero-day window, so what separated victims from non-victims was exposure and detection: whether administrative and integration endpoints were reachable from the internet, and whether anyone was watching the ERP tier for outbound SMB, new remote-management agents, or staged archives. Leaving those controls out because PeopleSoft is classified as an "application" rather than a "system" is a governance failure as much as a technical one. CISA's KEV catalog exists precisely to collapse that distinction: when a flaw appears there, it is an all-hands emergency regardless of which product category owns the ticket.



Frequently Asked Questions

What is CVE-2026-35273 and why is it rated CVSS 9.8?

CVE-2026-35273 is an unauthenticated remote code execution vulnerability in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62, specifically in the Environment Management Hub component. It receives a CVSS score of 9.8 because it requires no authentication, no user interaction, and no special privileges: any attacker with network access to the PeopleSoft server can trigger arbitrary code execution via a single HTTP request. Under CVSS v3.x scoring, 9.8 is the highest score a flaw can receive when its impact (full loss of confidentiality, integrity, and availability) stays within the vulnerable component; only a flaw whose scope extends to other components can reach 10.0. The attack is fully remote and exploitable over standard web traffic, making it accessible to automated scanning tools.

How long were organizations exposed before Oracle released a patch?

ShinyHunters began exploiting CVE-2026-35273 as a zero-day on approximately May 27, 2026. Oracle published its out-of-band security advisory and released mitigations on June 10, 2026 — a gap of approximately 14 days during which there was no vendor-supplied fix and no public knowledge of the vulnerability. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 12, 2026. Organizations running vulnerable PeopleSoft versions between May 27 and June 9 should assume they were targeted and conduct a full compromise assessment.

Why did universities account for 68% of the victims in this campaign?

Higher education institutions are disproportionately targeted in PeopleSoft campaigns for several compounding reasons. Universities often run PeopleSoft for student records, financial aid disbursements, HR, and payroll — making them repositories of multiple high-value data categories in a single platform. They also tend to have larger internet-accessible PeopleSoft footprints (student self-service portals, financial aid applications) and, in many cases, less mature patch management cadences than regulated financial or healthcare organizations. The University of Nottingham breach, which exposed 455,000+ records including passport numbers and ethnicity data, illustrates the severity of data categories at risk in a single institution.
