
CVE-2026-35273: the PeopleSoft zero-day ShinyHunters used to extort universities

A pre-auth deserialization chain in the Environment Management Hub — exploited before the patch, now on CISA KEV

CVE-2026-35273 is a critical (CVSS 9.8), unauthenticated remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 — specifically the Environment Management Hub (PSEMHUB), part of the Updates Environment Management component. PeopleSoft runs HR, payroll, student records and financials for universities, governments and large enterprises, so a pre-auth takeover of its web tier is about as bad as it gets. And this one wasn't theoretical: attackers were inside real environments before Oracle shipped a fix.

What CVE-2026-35273 actually is

It's a chain, which is why different write-ups label it differently. First, a crafted request through the PSIGW Integration Gateway (/PSIGW/HttpListeningConnector) acts as an SSRF / access-control bypass, letting an unauthenticated attacker reach a hub function that should never be exposed. Then, at POST /PSEMHUB/hub, unsafe Java deserialization of untrusted data executes code inside the WebLogic JVM — as the PeopleSoft service account.

So the CWE labels all describe one bug: CWE-306 (missing authentication for a critical function, per NVD), CWE-918 (the SSRF network primitive, per Trend Micro/ZDI), and CWE-502 (the deserialization RCE sink). The public exposure check — ProjectDiscovery's official Nuclei template, which sends a native ysoserial gadget and matches the Java-serialization response marker rO0ABX — indicates the reachable pre-auth sink is native Java serialization (ObjectInputStream).

The exploitation chain

From a single unauthenticated request to full data-theft extortion. Each stage has a cheap chokepoint: the most effective prevention is simply not exposing PSEMHUB/PSIGW, and the most important detection is hunting persistence before you restart or declare clean.

CVE-2026-35273 exploitation chain — PSIGW SSRF to PSEMHUB deserialization to extortion

  1. Reachable PeopleTools 8.61/8.62 — PSEMHUB reachable from an untrusted network. Even installs patched before 2026-06-10 were vulnerable.
  2. SSRF via /PSIGW/HttpListeningConnector — Integration Gateway abused as an access-control bypass (loopback/internal targets) to reach the unauth hub.
  3. POST /PSEMHUB/hub (Java gadget) — Unauthenticated POST carrying a serialized Java gadget in OPERATION=. Response reflects the marker rO0ABX.
  4. Java deserialization RCE in the JVM — Code runs as the PeopleSoft service account. A separate XMLDecoder .xml under envmetadata/ re-fires on restart.
  5. Webshell + MeshCentral RMM — JSP webshells under PSEMHUB.war and MeshCentral agents masquerading as Azure (azurenetfiles[.]net). Patching does not evict this.
  6. SSH spray + NetNTLM theft — [victim]_fanout.sh sprays SSH creds; SSRF coerces outbound SMB/445 for machine-account NetNTLM hashes.
  7. Bulk exfiltration (zstd) — HR / student / finance data archived with zstd and staged to attacker infrastructure.
  8. Pay-or-leak on the Data Leak Site — Data posted to the ShinyHunters DLS. Confirmed victims: University of Nottingham (~455k), NAIC (~3.1 TB).
  9. Prevent: don't expose PSEMHUB/PSIGW — Deny /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter, or disable EMHub. Non-breaking for end-user sessions.
  10. Detect: hunt persistence before restart — Hunt envmetadata/ .xml, PSEMHUB.war .jsp, MeshCentral agents and azurenetfiles[.]net before declaring clean.

Am I affected?

Oracle lists PeopleTools 8.61 and 8.62 as affected, and notes earlier unsupported releases are untested but likely affected. Critically, installs fully patched before the June 10 alert were still vulnerable — prior CPU levels didn't close this. The precondition is simply that PSEMHUB/PSIGW is network-reachable; no credentials are required.

Dimension | Detail
Product | Oracle PeopleSoft Enterprise PeopleTools — Environment Management Hub (PSEMHUB)
Affected versions | 8.61 and 8.62 (earlier unsupported releases untested but likely affected)
Precondition | PSEMHUB / /PSIGW/HttpListeningConnector reachable — no authentication needed
CVSS / EPSS | 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N) · EPSS 0.9233 (~99.8th pct)
KEV | Listed ~June 11-12; due 2026-06-15; ransomware-use flagged
Fix | Oracle out-of-band Security Alert (June 10-11); patch via the per-version My Oracle Support PAD
Find exposure | Shodan http.html:"PeopleSoft" · FOFA body="PeopleSoft Environment Management Hub" · authenticated: Qualys QID 387611 / Rapid7 InsightVM

Exploited in the wild

Google Threat Intelligence Group / Mandiant place active exploitation at May 27 – June 9, 2026, before Oracle's alert, and attribute it to UNC6240 — a cluster associated with ShinyHunters, a data-theft-and-extortion crew. Mandiant notified 100+ organizations with vulnerable endpoints; ~68% were higher education, mostly in the US. Confirmed leak-site victims include the University of Nottingham (~455,000 student/alumni records, corroborated via Have I Been Pwned) and the US National Association of Insurance Commissioners (NAIC) (~3.1 TB). Nissan disclosed an employee-data breach that reporting only circumstantially links to the same campaign.

Detection & hunting

There's an official, verified Nuclei template (http/cves/2026/CVE-2026-35273.yaml) for exposure, plus vendor signatures (Trend Micro IPS 1012580 / DDI 5855, Qualys QID 387611). But because this was a zero-day with persistence, the higher-value work is the host hunt. All host/network IoCs below originate with Google/Mandiant — weight them as single-origin, and remember MeshCentral hashes are per-build (hunt on behaviour, not just the hash).

  • Webshells: unexpected .jsp files under PSEMHUB.war/
  • XMLDecoder persistence: attacker-modified .xml under envmetadata/data/environment/ (fires on restart — find it before you restart)
  • RMM C2: MeshCentral agents masquerading as Azure; C2 wss://azurenetfiles[.]net:443/agent.ashx; staging 142.11.200.186-190
  • Marker file: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
  • Coercion: outbound SMB (TCP/445) from PeopleSoft hosts to non-DC IPs (NetNTLM theft); [victim]_fanout.sh SSH spray; zstd exfil archives

# Hunt persistence (tune paths; hash all .jsp/.xml regardless of mtime — timestamps get stomped)
find "$PS_CFG_HOME" -path '*PSEMHUB.war*' -name '*.jsp' -newermt 2026-05-25
find "$PS_CFG_HOME" -path '*envmetadata/data/environment*' -name '*.xml' -newermt 2026-05-25
find / -name 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' 2>/dev/null

# Retro-hunt access logs (match the URI first, then correlate method + source IP)
grep -F '/PSEMHUB/hub' access.log
grep -F '/PSIGW/HttpListeningConnector' access.log

# Authorised exposure check
nuclei -id CVE-2026-35273 -u https://your-peoplesoft-host
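The grep lines above only pull the URI; the correlation step (method plus source IP, gateway hit before hub POST) is left to the analyst. As an added example, not part of the original post or of any vendor tool, here is a Python pass over constructed sample access-log lines that does that correlation, and a helper that checks a captured body for the Java-serialization marker (raw 0xACED0005 or its base64 form, the rO0AB prefix behind the Nuclei template's rO0ABX match). The trusted ranges, the sample IPs, the user agents and the combined log format are assumptions; adjust them to your environment.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Combined (NCSA) access-log line as WebLogic or a fronting reverse proxy can emit it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

GATEWAY = "/PSIGW/HttpListeningConnector"
HUB = "/PSEMHUB/hub"

# Assumption: the only ranges that should ever reach the hub (your admin/integration subnets).
TRUSTED_NETS = [ip_network("192.168.5.0/24"), ip_network("10.20.0.0/16")]

# Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 5) and its base64 form.
# The page's "rO0ABX" is this header followed by a 0x7x tag byte such as TC_OBJECT (0x73).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
B64_MARKER = b"rO0AB"

# Constructed sample log lines (not real traffic); the last one is deliberately unparseable.
SAMPLE_ACCESS_LOG = [
    '10.20.30.40 - - [28/May/2026:02:14:07 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512 "-" "Java/17"',
    '192.168.5.12 - - [28/May/2026:08:00:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [29/May/2026:11:42:51 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.77 - - [29/May/2026:11:42:55 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '198.51.100.9 - - [29/May/2026:12:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one access-log line; return None for anything not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path only, never the query string
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def hunt(lines):
    """Per-source counts of gateway hits and hub POSTs, plus the reasons a source is suspicious.

    Lines are assumed to be in log order, so a hub POST that follows a gateway hit from the
    same source is flagged as the gateway-then-hub sequence described in the chain above.
    """
    by_ip = defaultdict(lambda: {"gateway": 0, "hub_post": 0, "hub_other": 0, "chain": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = by_ip[rec["ip"]]
        if rec["path"] == GATEWAY:
            c["gateway"] += 1
        elif rec["path"] == HUB or rec["path"].startswith(HUB + "/"):
            if rec["method"] == "POST":
                c["hub_post"] += 1
                if c["gateway"]:
                    c["chain"] = True
            else:
                c["hub_other"] += 1

    findings = []
    for ip, c in sorted(by_ip.items()):
        reasons = []
        if c["hub_post"] and not is_trusted(ip):
            reasons.append("POST to /PSEMHUB/hub from outside the trusted ranges")
        if c["chain"]:
            reasons.append("/PSIGW/HttpListeningConnector hit before the hub POST")
        if reasons:
            findings.append({"ip": ip, **c, "reasons": reasons})
    return findings


def is_java_serialized(payload):
    """True if a captured body looks like a raw or base64-encoded Java serialization stream.

    The base64 check is a prefix heuristic: it fires only when the stream header starts on a
    3-byte boundary of the encoding, which is the case for the marker the Nuclei template uses.
    """
    if isinstance(payload, str):
        payload = payload.encode("latin-1", "replace")
    return payload.startswith(JAVA_STREAM_MAGIC) or B64_MARKER in payload


if __name__ == "__main__":
    for f in hunt(SAMPLE_ACCESS_LOG):
        print(f["ip"], f["reasons"])
```

Feed it the real access log one line at a time (`hunt(open("access.log"))` works as-is) and review every flagged source against your change records; a trusted-range source that POSTs to the hub is not flagged here, so keep the gateway-then-hub reason even for internal addresses if the hub is supposed to be idle.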

What to do now

  1. Block the attack surface (minutes, non-breaking): deny /PSEMHUB/* and /PSIGW/HttpListeningConnector at the reverse proxy/WAF, or disable the EMHub service / remove the PSEMHUB app. Restrict outbound SMB/445.
  2. Apply Oracle's out-of-band patch from the per-version My Oracle Support Patch Availability Document — installs patched before June 10 were still vulnerable.
  3. Hunt before you declare clean. Webshells and the XMLDecoder .xml survive patching; remove them before any restart.
  4. Rotate credentials for any asset that was reachable between May 27 and patch — the PeopleSoft service account and, if SMB egress was possible, the machine-account secret.
  5. If you find IoCs: assume bulk personal-data theft and engage legal/DFIR and breach-notification duties.
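Step 3, and the comment on the persistence hunt above ("hash all .jsp/.xml regardless of mtime"), deserve a concrete form, because a find -newermt pass misses any file whose timestamp was stomped. The following Python is an added example, not the post's or Oracle's code: it hashes the two watched locations, diffs the result against a known-good baseline, and shows what an mtime-only pass would have returned on the same tree. The directory layout and file contents are constructed placeholders, not the real PS_CFG_HOME layout; point hash_tree at your actual config home and take the baseline from a known-clean install.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Watched locations from the hunt above: (path fragment, suffix). Relative paths use "/".
WATCH_RULES = (
    ("PSEMHUB.war/", ".jsp"),
    ("envmetadata/data/environment/", ".xml"),
)


def watched(rel_path):
    return any(frag in rel_path and rel_path.endswith(suffix) for frag, suffix in WATCH_RULES)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """SHA-256 of every watched file under root, keyed by POSIX relative path; mtime is ignored."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and watched(p.relative_to(root).as_posix())
    }


def diff_baseline(current, baseline):
    """Files that appeared, changed, or vanished relative to a known-good hash set."""
    return {
        "new": sorted(k for k in current if k not in baseline),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
    }


def mtime_hits(root, cutoff):
    """What a find -newermt style pass returns: watched files modified at or after cutoff."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file()
        and watched(p.relative_to(root).as_posix())
        and p.stat().st_mtime >= cutoff.timestamp()
    )


def build_demo_tree():
    """Constructed PS_CFG_HOME-like tree; the layout is illustrative, not the product's real one."""
    root = Path(tempfile.mkdtemp(prefix="pscfg-demo-"))
    shipped = {
        "PSEMHUB.war/index.jsp": b"<%-- shipped page --%>\n",
        "envmetadata/data/environment/env1.xml": b"<env id='1'/>\n",
        "envmetadata/data/environment/notes.txt": b"not a watched suffix\n",
    }
    for rel, body in shipped.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    baseline = hash_tree(root)  # taken from the known-good state

    # Simulated tampering: an unexpected .jsp whose mtime is stomped back to 2023,
    # and a legitimate .xml whose content was changed.
    dropped = root / "PSEMHUB.war/WEB-INF/unexpected.jsp"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_bytes(b"<% /* constructed placeholder, not a real payload */ %>\n")
    stomped = 1_700_000_000  # 2023-11-14 UTC
    os.utime(dropped, (stomped, stomped))
    (root / "envmetadata/data/environment/env1.xml").write_bytes(b"<env id='1'><changed/></env>\n")
    return root, baseline


CUTOFF = datetime(2026, 5, 25, tzinfo=timezone.utc)  # the hunt window used above


def demo():
    root, baseline = build_demo_tree()
    return {
        "baseline_diff": diff_baseline(hash_tree(root), baseline),
        "mtime_only": mtime_hits(root, CUTOFF),
    }


if __name__ == "__main__":
    print(demo())
```

The baseline diff reports the back-dated .jsp and the modified .xml; the mtime-only list never contains the back-dated file, which is the whole reason to hash everything under the watched paths before any restart.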

FAQ

Is CVE-2026-35273 being exploited?
Yes. It was exploited as a zero-day (May 27 – June 9, 2026) before Oracle's patch, and it's on CISA KEV. Run a free exposure check.
Which versions are affected?
Oracle PeopleSoft PeopleTools 8.61 and 8.62 (earlier unsupported releases are untested but likely affected). Even instances patched before the June 10 alert were vulnerable.
Is patching enough?
No. This was a zero-day with webshell and XMLDecoder-on-restart persistence. Patch and hunt — remove any webshells or attacker .xml before restarting, and rotate exposed credentials.
Is this ransomware?
CISA flags known ransomware-campaign use, but the observed behaviour is data-theft extortion via a leak site (pay-or-leak), not file encryption. Treat the urgency the same and assume data theft if you were hit.
