Oracle PeopleSoft zero-day CVE-2026-35273 hits 100+ orgs
Oracle ships an out-of-band Security Alert for an unauthenticated RCE in PeopleTools 8.61/8.62. Mandiant ties exploitation since May 27 to ShinyHunters (UNC6240).
Oracle published an out-of-band Security Alert for CVE-2026-35273 on June 10, 2026. The flaw is an unauthenticated remote code execution bug in the PeopleSoft Enterprise PeopleTools Environment Management component, scored CVSS 9.8 (NVD entry). According to Google Mandiant's writeup, the bug had been exploited as a zero-day between May 27 and June 9, 2026 by the cluster Mandiant tracks as UNC6240, which overlaps with the public ShinyHunters extortion brand. The campaign hit more than 100 organisations, with 68% in US higher education.
What's affected
Oracle's alert names PeopleSoft Enterprise PeopleTools 8.61 and 8.62. Earlier versions are unsupported and will not receive a patch, though Oracle notes they are likely vulnerable. The exposed surface is the Environment Management Hub (EMHub), reachable via the PeopleSoft Internet Architecture (PIA) at POST /PSEMHUB/hub and POST /PSIGW/HttpListeningConnector. Mandiant's evidence is concentrated on internet-facing PIA fronts, but the same paths are reachable from any host that can dial the WebLogic listener — assume an attacker on the internal network has the same primitive.
Oracle's June 10 alert publishes mitigations; the patch itself sits behind the My Oracle Support portal under the alert's Patch Availability Document. Treat mitigations as the default control until the patch is staged.
Exploitation status
Mandiant attributes the cluster to UNC6240 and notes overlap with the ShinyHunters data-leak brand based on infrastructure and DLS publication patterns — the writeup stops short of equating the two. Timeline reproduced from Google Cloud's post:
- May 27, 2026 — 22:14 UTC. First observed install of MeshCentral v1.1.59 for persistence on a compromised PeopleSoft host.
- May 27 — 22:25 UTC. acme-client installed for automated SSL on attacker infrastructure.
- May 29. Authenticode signing tools verified on staging.
- June 9. Open attacker directories discovered; victim data starts hitting the ShinyHunters DLS.
- June 10. Oracle ships the out-of-band Security Alert.
The University of Nottingham confirmed compromise via a PeopleSoft system, and Have I Been Pwned has indexed roughly 455,000 unique email addresses from the published archive — covering names, postal addresses, phone numbers, passport numbers, and ethnicity/disability flags for current and former students. Other named victims in the published set skew US higher education.
Indicators of compromise
The full IOC set ships in Mandiant's writeup. Reproduced verbatim:
# Network IOCs (Mandiant, 2026-06-10)
142.11.200.186
142.11.200.187
142.11.200.188
142.11.200.189
142.11.200.190
azurenetfiles.net # C2 typosquat for Azure NetApp Files
176.120.22.24 # ShinyHunters DLS mirror
# SHA-256 file hashes
2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 .bash_history
f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc meshagent64-azure-ops.exe
d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f meshagent64-v2.exe
c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f meshagent32-azure-ops.exe
68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 meshagent # Linux
# On-disk markers
README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT # defacement
<victim_abbreviation>_fanout.sh # lateral-movement script
Action checklist
- Kill the EMHub surface today. In Multi-Server installs, disable the Environment Management Hub service; in Single-Server installs, remove the PSEMHUB application. If you cannot do either within the day, drop /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter. Oracle ships these as the front-line mitigations alongside the patch.
- Hunt back to May 27, 2026. Search PIA / WebLogic access logs for POST /PSEMHUB/hub and POST /PSIGW/HttpListeningConnector from external sources, plus SSRF artefacts (loopback addresses like 127.0.0.1 or ::1 in request headers). Hits before the mitigation date should be treated as compromise, not as scanner noise.
- Filesystem sweep. Look for unexpected .jsp files under <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/, anomalous content in .../PSEMHUB.war/envmetadata/transactions/, and recently modified .xml files under <docroot>/envmetadata/data/environment/. Mandiant flags *.tar.zst archives as the compression artefact of the exfil tooling.
- Push the IOCs to EDR and DNS. The five 142.11.200.18x addresses and azurenetfiles.net are the highest-signal indicators. The meshagent*-azure-ops.exe binaries are MeshCentral builds repackaged with attacker config — block by hash, then walk back any host that touched them.
- If you operate at higher-ed scale, treat as breach until proven otherwise. Mandiant's 68%-higher-ed concentration is unusual; if your PeopleSoft cluster fronts student records and was internet-reachable any day between May 27 and June 9, the prior-breach probability is high enough to warrant a CISO-level decision on student notification timelines under FERPA, GDPR, or your local equivalent.
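The log hunt from the checklist above, as an added example that is not from Oracle's alert or Mandiant's writeup: it flags POST requests to the two EMHub paths on or after May 27, 2026 that come from outside an internal address list or carry a loopback address in a forwarded-for field. The log layout (Common Log Format with a trailing quoted X-Forwarded-For field), the INTERNAL_NETS list and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

HUNT_PATHS = {"/PSEMHUB/hub", "/PSIGW/HttpListeningConnector"}  # paths named on the page
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)       # first observed activity
# Assumption: your own address space; any other source counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
# Assumption: Common Log Format plus a trailing quoted X-Forwarded-For field.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+(?: "(?P<xff>[^"]*)")?')

def _ip(text):
    """Parse an address, returning None for '-' or anything unparseable."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def hunt(lines):
    """Return (timestamp, source, path, reasons) for each suspicious EMHub POST."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")   # ignore query string
        if path not in HUNT_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < WINDOW_START:
            continue
        reasons = []
        src = _ip(m["src"])
        if src is None or not any(src in net for net in INTERNAL_NETS):
            reasons.append("external-source")
        forwarded = map(_ip, (m["xff"] or "").split(","))
        if any(ip is not None and ip.is_loopback for ip in forwarded):
            reasons.append("loopback-in-xff")            # SSRF artefact
        if reasons:
            hits.append((ts.isoformat(), m["src"], path, reasons))
    return hits

SAMPLE_LOG = [  # constructed lines using documentation-range and RFC 1918 addresses
    '203.0.113.45 - - [27/May/2026:22:10:03 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-"',
    '10.20.0.7 - - [28/May/2026:01:02:03 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 128 "127.0.0.1"',
    '10.20.0.9 - - [28/May/2026:03:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 64 "-"',
    '198.51.100.9 - - [20/May/2026:10:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 404 0 "-"',
    '203.0.113.45 - - [29/May/2026:09:00:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 900 "-"',
]
```

Run over SAMPLE_LOG, hunt() returns the first two lines only: the internal agent POST, the pre-window request and the GET are left out.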
Context
This is the second Oracle out-of-band alert in two weeks — the Oracle WebLogic CVE-2024-21182 KEV add put the same WebLogic application server stack on the federal patch-now list days ago. PeopleSoft rides on WebLogic by default, so a non-trivial share of organisations are now reading two Oracle alerts against the same host fleet — and any team that patched WebLogic without disabling EMHub is still exposed here.
The ShinyHunters brand is also pulling on a familiar thread. Their previous public action of comparable scale was the Canvas / Instructure 275M-record claim earlier this quarter — also education-sector, also a vendor identity platform. Whether UNC6240 is the original operator or a buyer reselling under the brand, the sector concentration is no longer coincidence: it is now the working hypothesis for education CISOs reviewing third-party SaaS surface.