June 11, 2026
Critical Vulnerability in Oracle PeopleSoft Enterprise PeopleTools Under Active Exploitation (CVE-2026-35273)
Executive Summary
On June 10th, Oracle released a security advisory impacting the Environment Management component within Oracle’s PeopleSoft application. The vulnerability, now publicly tracked as CVE-2026-35273, has reportedly been actively exploited since as early as May 27th, 2026.
Threat actors associated with ShinyHunters have reportedly leveraged this vulnerability in a campaign targeting over 100 organizations worldwide. The vulnerability is remotely exploitable without authentication, with the potential to achieve remote code execution on exposed Oracle PeopleSoft instances.
Oracle released security updates to address the vulnerability on June 10th, but provided limited technical details at the time of disclosure. No public proof-of-concept exploit code has been released at the time of this writing.
Given the sensitive business and personnel data commonly stored within PeopleSoft environments and reports of active exploitation by a prolific threat actor, Beazley Security strongly recommends affected organizations apply available fixes immediately and conduct a thorough review for any signs of compromise.
Affected Systems or Products
Product | Affected Versions |
PeopleSoft Enterprise PeopleTools | 8.61, 8.62 |
Mitigations / Workarounds
No official mitigations or workarounds aside from the software updates were publicly provided by Oracle at the time of disclosure. However, GTIG published a detailed report on the attacker infrastructure used by ShinyHunters in their campaign leveraging this CVE, and helpfully included the following hardening recommendations:
Disable the Environment Management Hub (EMHub) Service in Multi-Server configurations or completely remove the PSEMHUB application in Single-Server configurations, as advised by Oracle's security alert guidance.
If you cannot disable the EMHub Service, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter or firewall level.
Patches
Official security fixes were made available by Oracle. Users must have an account to access the patches and documentation.
Indicators of Compromise
Active exploitation of this vulnerability has been confirmed in the wild. Mandiant and Google Threat Intelligence Group (GTIG) identified an active campaign attributed to ShinyHunters, with activity predating Oracle’s June 10th advisory, and released the following indicators of compromise:
Indicator | Role |
142.11.200.186 | Staging / C2 |
142.11.200.187 | Staging / C2 |
142.11.200.188 | Staging / C2 |
142.11.200.189 | Staging / C2 |
142.11.200.190 | Staging / C2 |
azurenetfiles.net | C2 Domain |
176.120.22.24 | ShinyHunters DLS Mirror |
Payloads & Files:
File Name | Description | SHA-256 |
.bash_history | Attacker command history | 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 |
meshagent64-azure-ops.exe | Pre-configured Windows agent | f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc |
meshagent64-v2.exe | Pre-configured Windows agent | d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f |
meshagent32-azure-ops.exe | Pre-configured Windows agent | c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f |
meshagent | Unconfigured Linux agent | 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 |
Dropped Filenames:
File Name |
README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT |
[victim_abbreviation]_fanout.sh |
Technical Details
As previously noted, Oracle has not released technical details regarding this vulnerability, and no public proof-of-concept exploits are currently available. However, a threat report published by GTIG includes indicators associated with the exploitation of CVE-2026-35273.
According to the report, observed activity targeted PeopleSoft Environment Management Hub (PSEMHUB) components through malicious HTTP POST requests directed at the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints.
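A log triage for the POST requests described above, as an added example that is not from the GTIG report or from Beazley Security. It assumes combined-format access logs and a hypothetical internal range of 10.0.0.0/8; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoints named in the report. /PSEMHUB/ is a prefix match because the
# hardening advice on this page covers /PSEMHUB/*.
WATCHED = ("/psemhub/", "/psigw/httplisteningconnector")
# Staging / C2 addresses from the IoC table on this page.
IOC_IPS = {f"142.11.200.{n}" for n in range(186, 191)}
# Assumption: networks where legitimate EMHub agents live in your estate.
INTERNAL = (ipaddress.ip_network("10.0.0.0/8"),)
# Common/combined access log format; adjust for your web tier.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (not real traffic).
SAMPLE = [
    '142.11.200.187 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '198.51.100.23 - - [29/May/2026:11:02:41 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 87',
    '10.4.2.15 - - [29/May/2026:11:05:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 64',
    '203.0.113.9 - - [30/May/2026:08:00:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096',
    '203.0.113.9 - - [30/May/2026:08:00:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 403 0',
]

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in INTERNAL)

def triage(lines):
    """Return (severity, ip, path, status) for each POST to a watched endpoint."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        # Normalise before matching: drop the query string, decode, fold case.
        path = unquote(target.split("?", 1)[0])
        if method.upper() != "POST" or not path.lower().startswith(WATCHED):
            continue
        severity = ("ioc-source" if ip in IOC_IPS
                    else "internal" if is_internal(ip) else "external")
        hits.append((severity, ip, path, int(status)))
    return hits

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A 2xx status on an external or IoC-source hit means the request reached the application and the host warrants a file-level review; a 403 or 404 shows the perimeter block was already in effect for that request.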
GTIG also observed post-exploitation activity resulting in suspicious .jsp files within /webserv/applications/peoplesoft/PSEMHUB.war/, and unexpected files or directories within /PSEMHUB.war/envmetadata/transactions/, logs, persistantstorage, or scratchpad in PSEMHUB paths.
The combination of suspicious HTTP POST traffic followed by the presence of unexpected files suggests the vulnerability may enable unauthenticated file upload or arbitrary file write, potentially leading to remote command execution. At the time of writing, the exact root cause and exploitation mechanism remain unconfirmed.
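A sweep for the file artifacts described above and for the dropped filenames listed under Indicators of Compromise, as an added example rather than tooling from the report. The baseline set, the `sweep` and `demo` names and the sample tree are assumptions made for illustration.

```python
import fnmatch
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Earliest exploitation date reported on this page (May 27th 2026).
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc).timestamp()
# Dropped filenames from the page; the victim prefix varies, hence the wildcard.
DROPPED = ("readme-if-you-see-this-youve-been-hacked.txt", "*_fanout.sh")

def sweep(war_root, baseline=frozenset()):
    """Return sorted (relative_path, reason) findings under a PSEMHUB.war tree.
    baseline: relative paths from a known-good install (assumed available);
    listed files are skipped unless their name matches a dropped-file pattern."""
    root, findings = Path(war_root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if any(fnmatch.fnmatchcase(name, pat) for pat in DROPPED):
            findings.append((rel, "dropped-filename"))
        elif rel in baseline:
            continue
        elif name.endswith(".jsp"):
            findings.append((rel, "jsp-not-in-baseline"))
        elif (rel.lower().startswith("envmetadata/")
              and path.stat().st_mtime >= WINDOW_START):
            # Covers the transactions, logs, persistantstorage and scratchpad
            # directories; hub logs change legitimately, so treat as review.
            findings.append((rel, "recent-envmetadata-file"))
    return sorted(findings)

def demo():
    """Run sweep() over a constructed tree; every file name here is made up."""
    old = datetime(2026, 1, 15, tzinfo=timezone.utc).timestamp()
    new = datetime(2026, 6, 2, tzinfo=timezone.utc).timestamp()
    files = {"index.jsp": old, "help.jsp": new, "ACME_fanout.sh": new,
             "envmetadata/scratchpad/x.dat": new, "envmetadata/logs/emf.log": old}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mtime in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("constructed sample")
            os.utime(target, (mtime, mtime))
        return sweep(tmp, baseline={"index.jsp"})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Modification times can be altered on a compromised host, so an empty result from the date filter does not clear the envmetadata directories; compare them against the baseline as well.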
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.