CVE-2026-35273: the PeopleSoft zero-day ShinyHunters used to extort universities
A pre-auth deserialization chain in the Environment Management Hub — exploited before the patch, now on CISA KEV
CVE-2026-35273 is a critical (CVSS 9.8), unauthenticated remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 — specifically the Environment Management Hub (PSEMHUB), part of the Updates Environment Management component. PeopleSoft runs HR, payroll, student records and financials for universities, governments and large enterprises, so a pre-auth takeover of its web tier is about as bad as it gets. And this one wasn't theoretical: attackers were inside real environments before Oracle shipped a fix.
What CVE-2026-35273 actually is
It's a chain, which is why different write-ups label it differently. First, a crafted request through the PSIGW Integration Gateway (/PSIGW/HttpListeningConnector) acts as an SSRF / access-control bypass, letting an unauthenticated attacker reach a hub function that should never be exposed. Then, at POST /PSEMHUB/hub, unsafe Java deserialization of untrusted data executes code inside the WebLogic JVM — as the PeopleSoft service account.
So the three CWE labels describe stages of one chain, not three bugs: CWE-306 (missing authentication for a critical function, per NVD), CWE-918 (the SSRF network primitive, per Trend Micro/ZDI), and CWE-502 (the deserialization RCE sink). The public exposure check — ProjectDiscovery's official Nuclei template, which sends a native ysoserial gadget and matches the Java-serialization response marker rO0ABX — indicates the reachable pre-auth sink is native Java serialization (ObjectInputStream).
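The rO0ABX marker is worth understanding, because it is what a WAF or IDS rule can key on: it is the base64 encoding of the Java serialization stream header (0xACED 0x0005) followed by the TC_OBJECT byte. The following Python is an added illustration, not code from the advisory, Oracle or ProjectDiscovery; it classifies form-encoded request bodies and responses for either the raw or the base64-encoded stream header. The field and path names (OPERATION=, /PSEMHUB/hub) are the ones the article gives; the sample bodies are constructed.

```python
"""Flag form bodies and responses that carry a Java serialization stream.

Added illustration, not code from the advisory, Oracle or ProjectDiscovery.
The field and path names (OPERATION=, /PSEMHUB/hub) are the ones the article
gives; all sample bodies below are constructed.
"""
from __future__ import annotations

import base64
import binascii
from urllib.parse import parse_qs

# ObjectOutputStream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# base64 of those four bytes alone is "rO0ABQ=="; with any byte after them the first
# five characters are always "rO0AB". The "rO0ABX" marker the Nuclei template matches
# is that header followed by TC_OBJECT (0x73), i.e. a stream that opens with an object.
B64_PREFIX = "rO0AB"


def is_java_stream(data: bytes) -> bool:
    return data.startswith(JAVA_SER_MAGIC)


def classify_value(raw: bytes) -> str | None:
    """Return why one field value looks like a serialized Java object, or None."""
    if is_java_stream(raw):
        return "raw-java-serialization"
    # Form decoding turns '+' into ' '; put it back so base64 still decodes.
    text = raw.decode("latin-1").strip().replace(" ", "+")
    if text.startswith(B64_PREFIX):
        padded = text + "=" * (-len(text) % 4)
        try:
            decoded = base64.b64decode(padded, validate=False)
        except binascii.Error:
            return "base64-prefix-only"  # header present, rest unparseable: still worth a look
        if is_java_stream(decoded):
            return "base64-java-serialization"
    return None


def scan_form_body(body: bytes) -> list[tuple[str, str]]:
    """Parse application/x-www-form-urlencoded and list (field, reason) for suspect fields."""
    # latin-1 round-trips every byte value, so percent-decoded binary survives intact.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1", errors="strict")
    findings = []
    for name, values in fields.items():
        for value in values:
            reason = classify_value(value.encode("latin-1"))
            if reason:
                findings.append((name, reason))
    return findings


def response_reflects_stream(resp_body: bytes) -> bool:
    """The vulnerable endpoint echoes the marker; catch either encoding of it."""
    return JAVA_SER_MAGIC in resp_body or B64_PREFIX.encode("ascii") in resp_body


# Constructed samples: a hub-shaped POST body, a benign body, and an echoing response.
SAMPLE_BODY = b"OPERATION=rO0ABXNyABFqYXZhLnV0aWwu&VERSION=1"
BENIGN_BODY = b"OPERATION=GetInfo&VERSION=1"
SAMPLE_RESPONSE = b"<html>rO0ABXNyAB</html>"


def demo() -> dict:
    return {
        "sample_body": scan_form_body(SAMPLE_BODY),
        "benign_body": scan_form_body(BENIGN_BODY),
        "response_reflects": response_reflects_stream(SAMPLE_RESPONSE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Matching on the five-character prefix rather than the full rO0ABX catches streams that open with something other than an object (a string or an array), and the raw-byte check catches clients that skip base64 entirely; a legitimate PeopleSoft client has no reason to send a Java serialization stream from outside the trusted network, so either hit from an untrusted source is a block-and-investigate event.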
The exploitation chain
From a single unauthenticated request to full data-theft extortion. Each stage has a cheap chokepoint: the most effective prevention is simply not exposing PSEMHUB/PSIGW, and the most important detection is hunting persistence before you restart or declare clean.
CVE-2026-35273 exploitation chain — PSIGW SSRF to PSEMHUB deserialization to extortion
- Reachable PeopleTools 8.61/8.62 — PSEMHUB reachable from an untrusted network. Even installs patched before 2026-06-10 were vulnerable.
- SSRF via /PSIGW/HttpListeningConnector — Integration Gateway abused as an access-control bypass (loopback/internal targets) to reach the unauth hub.
- POST /PSEMHUB/hub (Java gadget) — Unauthenticated POST carrying a serialized Java gadget in OPERATION=. Response reflects the marker rO0ABX.
- Java deserialization RCE in the JVM — Code runs as the PeopleSoft service account. A separate XMLDecoder .xml under envmetadata/ re-fires on restart.
- Webshell + MeshCentral RMM — JSP webshells under PSEMHUB.war and MeshCentral agents masquerading as Azure (azurenetfiles[.]net). Patching does not evict this.
- SSH spray + NetNTLM theft — [victim]_fanout.sh sprays SSH creds; SSRF coerces outbound SMB/445 for machine-account NetNTLM hashes.
- Bulk exfiltration (zstd) — HR / student / finance data archived with zstd and staged to attacker infrastructure.
- Pay-or-leak on the Data Leak Site — Data posted to the ShinyHunters DLS. Confirmed victims: University of Nottingham (~455k), NAIC (~3.1 TB).
- Prevent: don't expose PSEMHUB/PSIGW — Deny /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter, or disable EMHub. Non-breaking for end-user sessions.
- Detect: hunt persistence before restart — Hunt envmetadata/ .xml, PSEMHUB.war .jsp, MeshCentral agents and azurenetfiles[.]net before declaring clean.
Am I affected?
Oracle lists PeopleTools 8.61 and 8.62 as affected, and notes earlier unsupported releases are untested but likely affected. Critically, installs fully patched before the June 10 alert were still vulnerable — prior CPU levels didn't close this. The precondition is simply that PSEMHUB/PSIGW is network-reachable; no credentials are required.
| Dimension | Detail |
|---|---|
| Product | Oracle PeopleSoft Enterprise PeopleTools — Environment Management Hub (PSEMHUB) |
| Affected versions | 8.61 and 8.62 (earlier unsupported releases untested but likely affected) |
| Precondition | PSEMHUB / /PSIGW/HttpListeningConnector reachable — no authentication needed |
| CVSS / EPSS | 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N) · EPSS 0.9233 (~99.8th pct) |
| KEV | Listed ~June 11-12; due 2026-06-15; ransomware-use flagged |
| Fix | Oracle out-of-band Security Alert (June 10-11); patch via the per-version My Oracle Support PAD |
| Find exposure | Shodan http.html:"PeopleSoft" · FOFA body="PeopleSoft Environment Management Hub" · authenticated: Qualys QID 387611 / Rapid7 InsightVM |
Exploited in the wild
Google Threat Intelligence Group / Mandiant place active exploitation at May 27 – June 9, 2026, before Oracle's alert, and attribute it to UNC6240 — a cluster associated with ShinyHunters, a data-theft-and-extortion crew. Mandiant notified 100+ organizations with vulnerable endpoints; ~68% were higher education, mostly in the US. Confirmed leak-site victims include the University of Nottingham (~455,000 student/alumni records, corroborated via Have I Been Pwned) and the US National Association of Insurance Commissioners (NAIC) (~3.1 TB). Nissan disclosed an employee-data breach that reporting only circumstantially links to the same campaign.
Detection & hunting
There's an official, verified Nuclei template (http/cves/2026/CVE-2026-35273.yaml) for exposure, plus vendor signatures (Trend Micro IPS 1012580 / DDI 5855, Qualys QID 387611). But because this was a zero-day with persistence, the higher-value work is the host hunt. All host/network IoCs below originate with Google/Mandiant — weight them as single-origin, and remember MeshCentral hashes are per-build (hunt on behaviour, not just the hash).
- Webshells: unexpected `.jsp` files under `PSEMHUB.war/`
- XMLDecoder persistence: attacker-modified `.xml` under `envmetadata/data/environment/` (fires on restart — find it before you restart)
- RMM C2: MeshCentral agents masquerading as Azure; C2 `wss://azurenetfiles[.]net:443/agent.ashx`; staging `142.11.200.186-190`
- Marker file: `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`
- Coercion: outbound SMB (TCP/445) from PeopleSoft hosts to non-DC IPs (NetNTLM theft); `[victim]_fanout.sh` SSH spray; `zstd` exfil archives
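For the access-log retro-hunt this section describes (match the URI first, then correlate method and source IP), a grep gives you the candidate lines but not the correlation. The Python below is an added example, not vendor tooling or code from the advisory: it parses combined-format access-log lines, keeps only hits on the two URIs in the chain, and reports per source IP whether a gateway hit was followed within a short window by a hub POST. The log lines are constructed (RFC 5737 documentation addresses); the ten-minute chain window is an assumption to tune.

```python
"""Correlate access-log hits on the two URIs in the chain, per source IP.

Added example, not code from the advisory or from any vendor's tooling.
Assumes combined log format from the reverse proxy or WebLogic access log.
Sample lines are constructed; the chain window is an assumption to tune.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

GATEWAY_URI = "/PSIGW/HttpListeningConnector"
HUB_URI = "/PSEMHUB/hub"
# A gateway hit followed by a hub POST from the same source inside this window
# is the request pattern the article describes (assumed value, tune to your traffic).
CHAIN_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "uri": m["uri"].split("?", 1)[0],  # compare the path only; ignore any query string
        "status": int(m["status"]),
    }


def hunt(lines):
    """Per source IP: hub hits, hub POSTs, gateway hits, and whether they chain in order."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["uri"] in (GATEWAY_URI, HUB_URI):
            events[rec["ip"]].append(rec)

    findings = []
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        hub = [r for r in recs if r["uri"] == HUB_URI]
        hub_posts = [r for r in hub if r["method"] == "POST"]
        gateway = [r for r in recs if r["uri"] == GATEWAY_URI]
        chained = any(
            timedelta(0) <= (h["ts"] - g["ts"]) <= CHAIN_WINDOW
            for g in gateway for h in hub_posts
        )
        findings.append({
            "ip": ip,
            "hub_hits": len(hub),
            "hub_posts": len(hub_posts),
            "gateway_hits": len(gateway),
            "chained": chained,
            # The hub endpoint is unauthenticated, so any hub POST from outside is already
            # actionable on its own; GET probes and lone gateway hits go to review.
            "severity": "high" if hub_posts else "review",
        })
    return findings


def hunt_by_ip(lines) -> dict:
    return {f["ip"]: f for f in hunt(lines)}


# Constructed sample log: one chained pair, one GET probe, one lone hub POST, one normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:03:14:02 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 188 "-" "Go-http-client/1.1"
203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
198.51.100.23 - - [02/Jun/2026:09:40:11 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2026:09:41:50 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 96 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Jun/2026:22:05:31 +0000] "POST /PSEMHUB/hub?x=1 HTTP/1.1" 500 0 "-" "curl/8.5.0"
""".splitlines()


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run it against the real log with `hunt(open(path))`; a 500 on the hub POST is not a clean bill of health, since a gadget can fire before the handler errors out, which is why severity is driven by the method and path rather than the status code.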
```bash
# Hunt persistence (tune paths; hash all .jsp/.xml regardless of mtime — timestamps get stomped)
find $PS_CFG_HOME -path '*PSEMHUB.war*' -name '*.jsp' -newermt 2026-05-25
find $PS_CFG_HOME -path '*envmetadata/data/environment*' -name '*.xml' -newermt 2026-05-25
find / -name 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' 2>/dev/null
# Retro-hunt access logs (match the URI first, then correlate method + source IP)
grep -F '/PSEMHUB/hub' access.log
grep -F '/PSIGW/HttpListeningConnector' access.log
# Authorised exposure check
nuclei -id CVE-2026-35273 -u https://your-peoplesoft-host
```
What to do now
- Block the attack surface (minutes, non-breaking): deny `/PSEMHUB/*` and `/PSIGW/HttpListeningConnector` at the reverse proxy/WAF, or disable the EMHub service / remove the PSEMHUB app. Restrict outbound SMB/445.
- Apply Oracle's out-of-band patch from the per-version My Oracle Support Patch Availability Document — installs patched before June 10 were still vulnerable.
- Hunt before you declare clean. Webshells and the XMLDecoder `.xml` survive patching; remove them before any restart.
- Rotate credentials for any asset that was reachable between May 27 and patch — the PeopleSoft service account and, if SMB egress was possible, the machine-account secret.
- If you find IoCs: assume bulk personal-data theft and engage legal/DFIR and breach-notification duties.
FAQ
Is CVE-2026-35273 being exploited?
Which versions are affected?
Is patching enough?
.xml before restarting, and rotate exposed credentials.
Is this ransomware?
Sources
- Oracle Security Alert — CVE-2026-35273
- NVD — CVE-2026-35273 · Tenable
- CISA Known Exploited Vulnerabilities catalog
- Google / Mandiant — ShinyHunters targets education via the Oracle exploit
- Rapid7 ETR — active exploitation of the PeopleSoft zero-day
- Trend Micro / ZDI — the PSIGW SSRF chain into the JVM
- Qualys ThreatPROTECT — defending against the PSEMHUB flaw
- ProjectDiscovery — Nuclei template CVE-2026-35273.yaml
- SecurityWeek — University of Nottingham confirms breach · Cybernews — NAIC leak