Skip to content
Rush Commerce
Field Notes3 min read

PeopleSoft zero-day CVE-2026-35273: the attack came first

A CVSS 9.8 PeopleSoft flaw was exploited two weeks before Oracle's patch existed. When the exploit predates the fix, patch cadence alone won't save you.

Most patch advice assumes the fix exists before the attack. Oracle PeopleSoft CVE-2026-35273 breaks that assumption: attackers were exploiting it in the wild for two weeks before Oracle even shipped a patch. If your HR or student-records system runs PeopleSoft, this is the case study for why "we patch on schedule" is necessary but not sufficient.

What actually happened

Per Oracle's out-of-band security alert and Rapid7, CVE-2026-35273 is a CVSS 9.8 flaw in PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62), in the Updates Environment Management component. The details that matter:

  • Pre-auth remote code execution. It's remotely exploitable with no authentication — a server-side request forgery that becomes code execution. HTTP access to the box is the whole barrier to entry.
  • The exploit beat the patch. Oracle disclosed the flaw and shipped an out-of-band fix on June 10, 2026. But active exploitation was observed May 27–June 9 — roughly two weeks earlier. This was a true zero-day.
  • Who and how many. The financially-motivated group ShinyHunters (UNC6240) ran the campaign, notifying 100+ organizations — 68% of them universities and colleges — per Arctic Wolf. Post-exploitation, attackers deployed MeshCentral remote-management agents disguised as "Microsoft Azure" services to keep their foothold.

Why it matters for your business

Two things make this the wrong bug to shrug off. First, PeopleSoft is where the sensitive data lives — payroll, SSNs, student and employee identity records. Second, the exploit arrived before the patch, so the companies that "wait for the next cycle" were already breached by the time the fix existed. Patch cadence is a floor, not a ceiling.

The operator takeaways go beyond "patch fast," because fast wasn't enough here:

  • Reduce exposure. Keep HR, ERP, and identity systems off the open internet — behind a VPN or IP allowlist. A global scan can't exploit what it can't reach. Oracle's own compensating controls include disabling the Environment Management Hub and blocking external access to /PSEMHUB/*.
  • Assume you can't out-patch a zero-day; detect the aftermath. The tell here was a rogue remote-management agent masquerading as Azure. You want alerting on new admin tools and outbound connections, not just a patch log.
  • Know your inventory. You can't defend a PeopleSoft instance you forgot was internet-facing.

None of that is glamorous. All of it beats explaining why your payroll system got popped by a bug with no patch.

Key takeaways

  • CVE-2026-35273 is a CVSS 9.8 pre-auth RCE in PeopleSoft PeopleTools 8.61/8.62 — HTTP access is the only barrier
  • Attackers (ShinyHunters/UNC6240) exploited it May 27–June 9, ~two weeks before Oracle's June 10 out-of-band patch — a true zero-day
  • 100+ organizations were hit, 68% universities; attackers hid persistence as fake "Azure" remote-management agents
  • For your business: keep HR/identity systems off the public internet, detect post-exploitation tooling, and inventory what's exposed — patch cadence alone can't stop a zero-day

Is your payroll or HR system reachable from the open internet? We help small teams inventory exposed systems, move the sensitive ones out of reach, and set up alerting that catches an attacker after the patch fails. See how we harden the boring stuff or get a fast exposure check.

Sources: Oracle Security Alert, Rapid7, Arctic Wolf.

  • #security
  • #cve-2026-35273
  • #peoplesoft
  • #zero-day
  • #patch-management
TR

Tommy Rush — Founder, Rush Commerce

Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More

Get The Rush Report weekly — one email, zero fluff.