Oracle released an emergency Security Alert for CVE-2026-35273, a critical remote code execution flaw in PeopleSoft Enterprise PeopleTools that affects the Updates Environment Management component. The vulnerability carries a CVSS v3.1 score of 9.8 and can be exploited remotely over HTTP without authentication or user interaction, creating a path to arbitrary code execution and potential full system compromise.
Oracle said the issue affects PeopleSoft Enterprise PeopleTools 8.61 and 8.62, and warned that earlier or unsupported versions may also be vulnerable even if they were not formally tested. The company published patches and mitigation guidance, while external reporting said the bug was disclosed by TrendAI Zero Day Initiative researchers Bobby Gould, Lucas Miller, and Minh Giang. Organizations were urged to apply updates immediately, limit external exposure of affected systems, monitor for suspicious activity, and keep deployments on supported versions.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
CISA added CVE-2026-35273, an Oracle PeopleSoft Enterprise PeopleTools flaw, to its Known Exploited Vulnerabilities Catalog after obtaining evidence of active exploitation. The agency said the vulnerability poses significant risk to the federal enterprise and highlighted BOD 26-04 requirements for rapid remediation and compromise assessment on affected publicly exposed assets.
Oracle credited TrendAI Zero Day Initiative researchers Bobby Gould, Lucas Miller, and Minh Giang with reporting CVE-2026-35273, a critical remote code execution flaw in PeopleSoft Enterprise PeopleTools. The references do not provide a specific date for when the report was made.
Oracle disclosed that CVE-2026-35273, a critical unauthenticated RCE in PeopleSoft PeopleTools 8.61 and 8.62, was being actively exploited and issued emergency mitigations while preparing a patch. The same reporting said ShinyHunters allegedly stole data from 300 PeopleSoft instances across more than 100 organizations.
Help Net Security reported that CVE-2026-35273 was being exploited in the wild, citing Mandiant CTO Charles Carmakal. The report also said ShinyHunters claimed breaches of Oracle PeopleSoft servers at more than 100 organizations and identified the University of Nottingham as one confirmed victim of a related cybersecurity incident.
Oracle published a Security Alert for CVE-2026-35273 and released patches and mitigation guidance for the critical unauthenticated HTTP-based RCE affecting PeopleSoft Enterprise PeopleTools 8.61 and 8.62. The alert described the flaw as impacting the Updates Environment Management component and warned that unsupported earlier versions may also be affected.
Mandiant reported that CVE-2026-35273 had been exploited as a zero-day between 2026-05-27 and 2026-06-09 and attributed the campaign to UNC6240, also known as ShinyHunters. The reporting said the campaign heavily targeted higher education organizations and that stolen data was posted to the ShinyHunters leak site on 2026-06-09.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
14 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcegithub.com
Open sourcetechrepublic.com
Open sourcerunzero.com
Open sourcehelpnetsecurity.com
Open sourcedarkwebinformer.com
Open sourcebleepingcomputer.com
Open sourceoracle.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.