Summary
A critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft PeopleTools, tracked as CVE-2026-35273, is under active exploitation by the ShinyHunters extortion group in a widespread data theft campaign targeting PeopleSoft instances globally.
The underlying vulnerability, disclosed by Oracle in an out-of-band security alert on June 10, 2026, resides in the Updates Environment Management component and carries a CVSS 3.1 score of 9.8 (Critical). It requires no authentication, no user interaction, and has low attack complexity, allowing a remote threat actor to execute arbitrary code over HTTP.
ShinyHunters claims to have already compromised 300 instances across more than 100 organizations, with the education sector disproportionately impacted. The threat actors are reportedly leveraging a “gadget chain” combining older vulnerabilities with zero-day exploits, with CVE-2026-35273 assessed as a key component.
Cybersecurity researcher Michael R identified exposed ShinyHunters infrastructure containing staging materials purpose-built for PeopleSoft environments, including MeshCentral remote access agents, credential spray scripts, and defacement tooling. The threat actors demonstrated deep familiarity with PeopleSoft architecture, extracting credentials from psappsrv.cfg application server configuration files, mapping connected nodes, and identifying web, application, and batch tiers. Ransom notes named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT have been observed on compromised systems.
Given the confirmed active exploitation, the scale of the ShinyHunters campaign, the unauthenticated attack vector, and the sensitive nature of the data PeopleSoft typically manages (HR, payroll, financial, and student records), this vulnerability represents an immediate risk to any organization running an exposed, vulnerable instance.
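The host-level artifacts named above (the ransom note file name and the psappsrv.cfg files that credentials were extracted from) can be swept for on a PeopleSoft server. The script below is an added example, not part of the original advisory or any vendor tooling; the function names and the permission check are illustrative, and it assumes POSIX permission bits are meaningful on the host.

```python
import os
import stat
import sys

# File names taken from the advisory text.
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
APPSRV_CFG = "psappsrv.cfg"


def sweep(root):
    """Walk `root`; return ransom notes found and psappsrv.cfg files to review.

    Assumption (not from the advisory): a config file readable by group or
    other is worth tightening, since it holds application server credentials.
    """
    findings = {"ransom_notes": [], "configs": []}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == RANSOM_NOTE:  # match regardless of case
                findings["ransom_notes"].append(path)
            elif name.lower() == APPSRV_CFG:
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                loose = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
                findings["configs"].append(
                    {"path": path,
                     "mode": oct(stat.S_IMODE(st.st_mode)),
                     "loose_perms": loose})
    return findings


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    result = sweep(root)
    for note in result["ransom_notes"]:
        print(f"[!] ransom note present: {note}")
    for cfg in result["configs"]:
        flag = "REVIEW" if cfg["loose_perms"] else "ok"
        print(f"[{flag}] {cfg['path']} mode={cfg['mode']}")
    # Non-zero exit when a ransom note is found, so a scheduler can alert.
    return 1 if result["ransom_notes"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Every psappsrv.cfg path it lists is also an inventory of where credentials need rotating if the host turns out to have been exposed.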
Recommendations
Apply the Out-of-Band Security Patch Released by Oracle
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version by consulting the Oracle Patch Availability Document referenced in the Oracle Security Alert.
| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| Oracle PeopleSoft PeopleTools | 8.61 and 8.62 | See Oracle Patch Documentation |
Note: Oracle’s patch availability document is accessible only to customers with a valid Oracle Support account. Older, unsupported versions of PeopleSoft PeopleTools are also likely affected.
Temporary Workarounds
Note: These measures are temporary and only reduce, not eliminate, risk; apply the vendor patch as soon as possible to fully remediate.
- If operations allow, temporarily block all inbound HTTP(S) access to PeopleSoft PIA (PeopleSoft Internet Architecture) and app servers using firewalls, restricting access to trusted internal hosts/networks only.
- Use web server configuration or WAF rules to limit or disable access to the Updates Environment Management module.
- Where possible, implement additional authentication (e.g., basic auth, IP whitelisting) at the web server or reverse proxy layer for access to PeopleSoft interfaces.
- Increase logging, alerting, and audit scrutiny on all PeopleSoft endpoints for unexpected access patterns or failed login attempts.
Configuration and Prevention
- Restrict network access to PeopleSoft application and web servers to trusted internal networks only.
- Harden all PeopleSoft web and application servers per Oracle’s security guidelines (implement SSL/TLS, least privilege access, network segmentation, and audit monitoring).
- Review and apply strict fine-grained security controls at user, role, and field levels; enforce MFA for all privileged access; routinely audit all system privileges and logs.
References
- Oracle Security Alert Advisory – CVE-2026-35273
- Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks – BleepingComputer
- Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert – Help Net Security
- Michael R (@nahamike01) – ShinyHunters PeopleSoft targeting thread



