Exploiting CVE-2026-35273: Insights for PeopleSoft Administrators

What Actually Happened

The ShinyHunters group has exploited a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) to breach multiple university systems. This remote code execution vulnerability, rated 9.8/10, allows attackers to take control without needing a login or user interaction, provided they have network access over HTTP. Oracle released an advisory on June 10, 2026, following the exploitation of this unpatched flaw from May 27 to June 9.

The Implementation Reality

For organizations operating Oracle PeopleSoft, particularly those with externally accessible Environment Management Hubs (PSEMHUB), there is an immediate risk. This vulnerability resides in the Updates Environment Management component and primarily affects PeopleTools versions 8.61 and 8.62, with earlier versions likely impacted. If your PeopleSoft instance is exposed, the breach could lead to unauthorized access and data theft, as evidenced by the compromise of institutions like the University of Nottingham.

The exploitation method utilized by ShinyHunters involved deploying a lateral movement script and potentially leaving command-and-control servers exposed. Administrators should be vigilant for signs of compromise, such as unexpected outbound traffic or anomalous files within the PeopleSoft directories. The risk is compounded for organizations in higher education, where sensitive student data is held, and the current operational environment is often under-resourced for immediate incident response.

What to Do About It

  • Immediately disable the Environment Management Hub service on multi-server setups or remove the PSEMHUB application on single-server setups to prevent exploitation.
  • Block external access to sensitive endpoints (/PSEMHUB/* and /PSIGW/HttpListeningConnector) at your perimeter firewall.
  • Conduct a thorough review of WebLogic access logs for any POST requests to the vulnerable endpoints and monitor for unusual .jsp files or unexpected changes in XML files.
  • Check for outbound SMB traffic on port 445 from PeopleSoft hosts, as this may indicate attempts to capture machine-account hashes.
  • Once confirmed, apply the update for your PeopleTools version from My Oracle Support, ensuring that you have the latest security patches applied.
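
One way to run the access-log review from the list above, as an added example that is not from the original article or from Oracle. It assumes the WebLogic access log uses Common Log Format; the sample lines, IP addresses and sub-paths are constructed, and the function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: WebLogic access.log in Common Log Format; adjust for extended format.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_sensitive(target):
    """True if the target falls under /PSEMHUB/* or /PSIGW/HttpListeningConnector."""
    path = target.split('?', 1)[0]            # drop the query string
    path = re.sub(r';[^/]*', '', path)        # drop servlet path parameters
    path = re.sub(r'/+', '/', '/' + unquote(path))
    path = posixpath.normpath(path).lower()   # lower-casing over-matches on purpose
    return any(path == p or path.startswith(p + '/')
               for p in ('/psemhub', '/psigw/httplisteningconnector'))

def find_suspect_posts(lines):
    """Return (source, timestamp, raw target, status) per POST to a sensitive endpoint."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and m['method'] == 'POST' and is_sensitive(m['target']):
            hits.append((m['src'], m['ts'], m['target'], int(m['status'])))
    return hits

# Constructed sample lines (documentation IP ranges, invented sub-paths), not real log data.
SAMPLE = [
    '198.51.100.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.0.4.21 - - [28/May/2026:03:15:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 8812',
    '198.51.100.7 - - [28/May/2026:03:16:42 +0000] '
    '"POST /psigw/%48ttpListeningConnector?x=1 HTTP/1.1" 500 0',
    '203.0.113.9 - - [29/May/2026:11:02:10 +0000] "POST //PSEMHUB/hub HTTP/1.1" 404 0',
    '10.0.4.21 - - [29/May/2026:11:05:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 40',
]

if __name__ == '__main__':
    for hit in find_suspect_posts(SAMPLE):
        print(*hit, sep='\t')
```

Paths are normalized before matching because the log records the request target as sent, so percent-encoded or doubled-slash forms of the same endpoint would slip past a plain string search. Each hit is a lead to correlate with the file and outbound-traffic checks in the list.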

Source: The Hacker News



