By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-35273 is a critical remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools that is being actively exploited by the ShinyHunters threat actor. The flaw can enable full system compromise, including unauthorized access, data exfiltration, and disruption of business operations. Immediate patching and monitoring of exposed systems are strongly recommended.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Remote Code Execution Vulnerability in Oracle PeopleSoft Enterprise PeopleTools
Identifier: CVE-2026-35273
PoC or Exploitation:
Mandiant and Google Threat Intelligence Group reported active exploitation of CVE-2026-35273 by the ShinyHunters threat actor in a campaign targeting Oracle PeopleSoft environments, primarily within the education sector.
CVSS Score: 9.8 (Critical, CVSS v3.1)
Update / Patch:
Oracle has released a Security Alert addressing CVE-2026-35273 and recommends immediate remediation.
Affected versions include:
- PeopleSoft Enterprise PeopleTools 8.61
- PeopleSoft Enterprise PeopleTools 8.62
Fixed versions:
Oracle has released security updates addressing CVE-2026-35273. Customers should obtain and apply the applicable remediation package through Oracle Support and the PeopleSoft Patch Availability Document referenced in Oracle's Security Alert Advisory.
Patch Availability Document:
https://support.oracle.com/support/?documentId=CPU187
Oracle advisory and remediation guidance:
https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
Description:
CVE-2026-35273 is a critical remote code execution vulnerability affecting Oracle PeopleSoft Enterprise PeopleTools, specifically the Updates Environment Management component.
Successful exploitation may result in complete takeover of Oracle PeopleSoft Enterprise PeopleTools. An attacker could potentially execute arbitrary actions, gain unauthorized access to sensitive information, modify application configurations, disrupt business operations, establish persistence, and leverage the compromised system for further attacks within the enterprise environment.
Mitigation Recommendation:
- Immediately apply the remediation provided by Oracle through Oracle Support.
- Review the Patch Availability Document (CPU187) for platform-specific patch availability and deployment instructions.
- Apply the security update as soon as operationally feasible.
- Prioritize remediation of internet-accessible and externally exposed PeopleSoft environments.
- Restrict access to PeopleSoft administrative interfaces and Updates Environment Management components to trusted administrative networks where possible.
- Monitor for unusual account activity, configuration changes, data access patterns, or unexpected application behavior.
- Conduct compromise assessments on vulnerable systems, particularly where exposure to untrusted networks exists or where exploitation may have occurred prior to patching.