Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)
Rapid7, Jun 12, 2026
Overview

On June 10, 2026, Oracle published a security alert for CVE-2026-35273, a critical vulnerability in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. Oracle released an out-of-band patch the same day as the advisory, underscoring the urgency of remediation. The vulnerability has a CVSSv3.1 score of 9.8 and is remotely exploitable without authentication. Per the vendor advisory, successful exploitation may result in remote code execution (RCE). TrendAI has classified the underlying flaw as a server-side request forgery (CWE-918). PeopleTools versions 8.61 and 8.62 are affected.

CVE-2026-35273 was reported to Oracle through TrendAI's Zero Day Initiative. According to a report published by Mandiant on June 11, 2026, this vulnerability was exploited in the wild as a zero-day prior to the vendor security alert, with active exploitation observed between May 27 and June 9, 2026, predating Oracle's advisory by two weeks.

Mandiant has attributed the campaign to UNC6240 (ShinyHunters), a financially motivated cybercriminal collective known for data theft and extortion. ShinyHunters has been linked to breaches across cloud services, SaaS platforms, and telecommunications providers, frequently exploiting weak authentication controls, stolen credentials, and cloud misconfigurations rather than deploying sophisticated malware.

Based on information published by Mandiant, the campaign heavily targeted the higher education sector; 68 percent of the more than 100 notified organizations were universities and colleges. The observed exploitation targeted PeopleSoft's Environment Management Hub (PSEMHUB) endpoints, and data stolen during the campaign was published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026.

The /PSIGW/HttpListeningConnector URI path appears both in the indicators of compromise for this campaign and in a PeopleSoft exploit chain for CVE-2013-3821, detailed by Lexfo in 2017.
A related XML External Entity (XXE) vulnerability, CVE-2017-3548, targeted a different Integration Gateway connector (PeopleSoftServiceListeningConnector) under the same /PSIGW/ path.

Technical overview

TrendAI's detection signatures for CVE-2026-35273 classify the underlying vulnerability as an SSRF. These include IPS Rule 1012580 ("Oracle Peoplesoft PeopleTools SSRF Vulnerability") and DDI Rule 5855 ("Peoplesoft PeopleTools Environment Management Hub (PSEMHUB) SSRF Exploit"). Mandiant describes CVE-2026-35273 as a critical remote code execution vulnerability, indicating that the SSRF serves as the mechanism through which code execution is achieved. Based on Mandiant's analysis, two endpoints are involved in exploitation: /PSEMHUB/hub and /PSIGW/HttpListeningConnector. The exploit chain may also cause the target system to make outbound SMB connections (TCP port 445) to external destinations, potentially allowing attackers to capture Windows machine-account NetNTLM hashes.

Post-exploitation activity observed by Mandiant included the deployment of MeshCentral (an open-source, self-hosted, web-based remote monitoring and management platform) remote management agents configured to masquerade as Microsoft Azure services (e.g., meshagent64-azure-ops.exe), with C2 communications directed to wss://azurenetfiles[.]net:443/agent.ashx. The attackers performed internal reconnaissance of PeopleSoft configurations, deployed lateral movement scripts, and exfiltrated data using zstd compression.

Mitigation guidance

Organizations running PeopleTools versions 8.61 or 8.62 should apply the vendor-supplied patch on an emergency basis, without waiting for a regular patch cycle.
Oracle has characterized this as a high-priority risk reduction measure.

In addition to patching, organizations should implement the following compensating controls:

- Disable the Environment Management Hub (EMHub) Service in multi-server configurations, or completely remove the PSEMHUB application in single-server configurations.
- Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Per Mandiant, restricting these endpoints is considered non-breaking for standard end-user PeopleSoft Internet Architecture (PIA) browser sessions.
- Monitor outbound SMB traffic (TCP port 445) from PeopleSoft servers to untrusted external destinations.

Given that exploitation occurred as early as May 27, 2026, Rapid7 strongly recommends investigating for signs of compromise even after patching, using the indicators of compromise outlined below.

For the latest mitigation guidance, please refer to the Oracle security alert and Mandiant's report.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-35273 with authenticated vulnerability checks available in the June 12, 2026 content release.

Intelligence Hub

Customers leveraging Rapid7's Intelligence Hub can track the latest developments surrounding CVE-2026-35273, including indicators of compromise (IOCs) from the Mandiant report published on June 11, 2026.

Indicators of compromise

The following indicators of compromise are sourced from Mandiant's report.
Mandiant has also published a GTI collection with additional IOCs for registered users.

Network indicators

Staging and C2 infrastructure:

- azurenetfiles[.]net (C2 domain masquerading as Microsoft Azure)
- 176.120.22[.]24 (ShinyHunters DLS mirror)

File indicators

- meshagent64-azure-ops.exe: pre-configured Windows MeshCentral agent. SHA-256: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc
- meshagent64-v2.exe: pre-configured Windows MeshCentral agent. SHA-256: d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f
- meshagent32-azure-ops.exe: pre-configured Windows MeshCentral agent (32-bit). SHA-256: c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f
- meshagent: unconfigured Linux MeshCentral agent. SHA-256: 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309
- .bash_history: attacker command history. SHA-256: 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35

Host-based indicators

- Unexpected .jsp files under <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/
- Unauthorized files or directories under .../PSEMHUB.war/envmetadata/transactions/
- Unexpected directories named logs, persistantstorage, or scratchpad under PSEMHUB paths
- Recently created or modified .xml files under <docroot>/envmetadata/data/environment/ (potential XMLDecoder persistence)
- Defacement and extortion marker file: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT

Log-based indicators

HTTP POST requests to the following endpoints from external source IPs:

- /PSEMHUB/hub
- /PSIGW/HttpListeningConnector

Requests to /PSIGW/HttpListeningConnector containing loopback addresses (127.0.0.1, localhost, ::1) or internal IP ranges within request headers or parameters may indicate SSRF exploitation.

Updates

June 12, 2026: Initial publication.

Author: Jonah Burgess
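The log-based indicators above can be turned into a simple triage script. The following is an added example (not code from Rapid7, Mandiant or Oracle) that scans web-server access logs in the common log format for external POSTs to the two endpoints and for loopback or private addresses embedded in HttpListeningConnector requests; the trusted source ranges, the log format and the sample lines are assumptions, and headers are not covered because access logs do not record them.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Endpoints named in the Mandiant/Rapid7 guidance for CVE-2026-35273.
WATCHED_PATHS = {"/PSEMHUB/hub", "/PSIGW/HttpListeningConnector"}
# Assumed trusted (internal) source ranges; adjust to your own PeopleSoft tier.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Common-format access log; headers are not logged, so only the request line (path + query) is inspected.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" \d{3}')
ADDR_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|(?<![\w:])::1(?![\w:])")

def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:  # not a literal IPv4/IPv6 address
        return None

def is_external(src):
    # A source outside every assumed trusted range is treated as external.
    ip = parse_ip(src)
    return ip is not None and not any(ip in net for net in TRUSTED_NETS)

def refers_to_internal_host(text):
    # URL-decode first; embedded addresses are commonly percent-encoded.
    text = unquote(text)
    if "localhost" in text.lower():
        return True
    ips = (parse_ip(c) for c in ADDR_RE.findall(text))
    return any(ip is not None and (ip.is_loopback or ip.is_private) for ip in ips)

def analyze_line(line):
    # Indicator labels for one access-log line; an empty list means nothing notable.
    m = LOG_RE.match(line)
    if not m:
        return []
    path, hits = urlsplit(m["target"]).path, []
    if m["method"] == "POST" and path in WATCHED_PATHS and is_external(m["src"]):
        hits.append(f"external POST to {path}")
    if path == "/PSIGW/HttpListeningConnector" and refers_to_internal_host(m["target"]):
        hits.append("loopback/internal address in HttpListeningConnector request")
    return hits

# Constructed sample lines, not from the report: a suspicious pair from one external source,
# then an internal server legitimately posting to the hub. The query parameter name on the
# second line is illustrative, not the real one.
SAMPLE_LOG = [
    '198.51.100.23 - - [28/May/2026:09:20:41 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812',
    '198.51.100.23 - - [28/May/2026:09:20:43 +0000] "POST /PSIGW/HttpListeningConnector?url=http%3A%2F%2F127.0.0.1%3A8000%2F HTTP/1.1" 200 77',
    '10.0.4.5 - - [28/May/2026:09:30:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812',
]
```

Run `analyze_line` over each line of a real access log and alert on any non-empty result; an internal server posting to the hub in a multi-server deployment is deliberately left unflagged, so tune TRUSTED_NETS to your environment.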