Oracle PeopleSoft PeopleTools Zero-day Vulnerability

Published on 12-Jun-2026
Updated:
12-Jun-2026
Status:
 
Active
CVEs:
CVE-2026-35273

Oracle has identified a critical zero-day vulnerability in PeopleSoft PeopleTools, tracked as CVE-2026-35273, with a CVSS base score of 9.8. This vulnerability allows unauthenticated remote code execution and is actively exploited by the ShinyHunters group in data theft attacks. 

CVERiskScore
CVE-2026-35273CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8, Critical

Exploitation of this vulnerability can lead to unauthorized access and data theft from affected Oracle PeopleSoft instances, posing a significant risk to organizations that use these systems.

  • The ShinyHunters group has been actively exploiting this vulnerability to breach Oracle PeopleSoft instances.
  • Data has been stolen from over 300 instances across 100 organizations.
  • Charles Carmakal from Mandiant confirmed the active exploitation and Oracle's release of mitigations.

Who is affected?

CVE-2026-35273 impacts Oracle PeopleSoft PeopleTools versions 8.61 and 8.62.

What can I do?

Customers should apply emergency mitigations immediately. Additionally, monitor the Security Alert program for the official patch release.

Recommendations include:

  • Disable the Environment Management Hub (EMHub) Service or remove the PSEMHUB application as per Oracle guidance.
  • Block external access to `/PSEMHUB/*` and `/PSIGW/HttpListeningConnector` at the network perimeter.
  • Monitor outbound SMB traffic from PeopleSoft servers to untrusted destinations.
  • Check WebLogic access logs for POST requests to `/PSEMHUB/hub` and `/PSIGW/HttpListeningConnector` from external IPs.
  • Review directories under `/PSEMHUB.war/envmetadata/transactions/` for unexpected directories.
  • Refer to the Oracle support portal for detailed mitigations.
  • Review and enhance security measures to prevent unauthorized access and data theft.
  • Monitor for any signs of exploitation and respond promptly to any detected incidents.

Analyze logs for connections from the following IP addresses to identify potential breaches:

  • 142[.]11[.]200[.]186
  • 142[.]11[.]200[.]187
  • 142[.]11[.]200[.]188
  • 142[.]11[.]200[.]189
  • 142[.]11[.]200[.]190
  • 108[.]174[.]202[.]99
  • 176[.]120[.]22[.]24

Other IoCs include the presence of these defacement marker files:

  • README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
  • [victim_abbreviation]_fanout.sh

Additional information from the vendor and official sources can be found at:

How is Fortra helping me?

Fortra is actively researching this threat to build detection capabilities.

Updates

Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.

 

Recent Emerging Threats
:
Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
:
Critical vulnerability affecting Cisco Catalyst SD-WAN
:
React Server Component Remote Code Execution Vulnerability
:
FortiWeb UI Path Traversal Vulnerability
:
Oracle Concurrent Processing
Security Alerts in Your Inbox. We will watch for emerging threats; you can watch for our email.