CVE-2026-35273: Oracle PeopleSoft Zero-Day Exploited in the Wild

SOC Prime Team

CVE-2026-35273: Oracle PeopleSoft Zero-Day Exploited in the Wild

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

A critical zero-day flaw in Oracle PeopleSoft’s Updates Environment Management component is under active exploitation for remote code execution. The issue is categorized as a Server-Side Request Forgery vulnerability and can be abused by unauthenticated attackers to compromise exposed systems. The activity has been linked to the financially motivated threat group ShinyHunters.

Investigation

Mandiant observed active exploitation from May 27 through June 9, 2026, before Oracle released its security advisory. Their investigation showed that attackers were targeting PSEMHUB endpoints to gain remote code execution and deploying MeshCentral agents to maintain persistent remote access. The higher education sector was a major focus of the campaign, and researchers noted substantial data theft during intrusions.

Mitigation

Organizations should urgently apply Oracle’s out-of-band patch for PeopleTools versions 8.61 and 8.62. Additional defensive steps include disabling the Environment Management Hub service and blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector. Monitoring for outbound SMB traffic over port 445 to untrusted destinations is also recommended as a compensating control.

Response

If exploitation is suspected, organizations should investigate for compromise even after patching. Priority checks should include unexpected .jsp files, unauthorized directories within PSEMHUB paths, and outbound SMB connections to external IP addresses. Security teams should also look for MeshCentral agent masquerading and review environment metadata directories for unauthorized XML file changes.

"graph TB %% Class Definitions Section classDef exploit fill:#ff9999 %% Red for exploitation and initial access classDef credential fill:#ffff99 %% Yellow for credential access classDef persistence fill:#99ff99 %% Green for persistence classDef recon fill:#99ccff %% Blue for reconnaissance and collection classDef exfil fill:#cc99ff %% Purple for exfiltration and data movement %% Node Definitions exploit_ssrf["Action – T1210 Exploit Remote Services Description: Exploitation of a critical zero-day SSRF vulnerability in Oracle PeopleSoft Updates Environment Management. CVE: CVE-2026-35273 Result: Remote Code Execution"] class exploit_ssrf exploit action_smb_capture["Action – T1212 SMB/Windows Admin Shares Description: Making outbound SMB connections to external destinations to capture Windows machine-account NetNTLM hashes. Goal: Credential Access"] class action_smb_capture credential tool_meshcentral["Tool – T1219 Remote Access Software Name: MeshCentral Description: Deployment of remote management agents to maintain a foothold in the environment."] class tool_meshcentral persistence action_masquerade["Action – T1651 Masquerading Description: MeshCentral agents masquerading as legitimate Microsoft Azure services to evade detection."] class action_masquerade persistence action_valid_accounts["Action – T1078 Valid Accounts Description: Utilization of valid accounts for continued access and stability."] class action_valid_accounts persistence action_recon["Action – Internal Reconnaissance Description: Performing internal scanning and gathering data from various databases."] class action_recon recon action_db_gather["Action – T1213.006 Data from Information Repositories: Databases Description: Specific gathering of data from internal database systems."] class action_db_gather recon action_compress["Action – T1560.003 Data Staged: Compress Files Description: Stolen data compressed using zstd to facilitate the collection and exfiltration process."] class action_compress exfil action_exfil["Action – T1560 Data Staged Description: Collection and staging of compressed data prior to exfiltration."] class action_exfil exfil %% Connections exploit_ssrf –>|leads_to| action_smb_capture action_smb_capture –>|enables| tool_meshcentral tool_meshcentral –>|utilizes| action_masquerade action_masquerade –>|supported_by| action_valid_accounts action_valid_accounts –>|permits| action_recon action_recon –>|leads_to| action_db_gather action_db_gather –>|results_in| action_compress action_compress –>|prepares| action_exfil "

Attack Flow

Attack Narrative & Commands: The adversary is conducting an automated scan to identify vulnerable Oracle PeopleSoft instances. Their goal is to identify targets susceptible to CVE-2026-35273. They will send specifically crafted HTTP GET requests to the identified sensitive URI paths. If the server responds with a 200 OK or 500 Error (instead of a 404), the adversary confirms the presence of the application and proceeds with the exploit payload.

Regression Test Script:

#!/bin/bash
# Simulation script for CVE-2026-35273 URI detection validation

TARGET="http://<TARGET_IP>"
ENDPOINTS=("/PSEMHUB/hub" "/PSIGW/HttpListeningConnector")

echo "[+] Starting simulation of CVE-2026-35273 URI access..."

for uri in "${ENDPOINTS[@]}"
do
    echo "[*] Sending request to: $uri"
    # We use -v to see the headers, though the SIEM only needs the log entry
    curl -s -v "$TARGET$uri" -o /dev/null
    echo "[+] Request sent."
done

echo "[+] Simulation complete. Check SIEM for alerts matching the URIs."

Cleanup Commands:

# No persistent changes are made by this simulation; 
# however, clear web server access logs if testing in a destructive environment.
# For Linux:
# sudo truncate -s 0 /var/log/apache2/access.log

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free