PeopleSoft CVE-2026-35273: Still Being Exploited Weeks Past the KEV Deadline

Table of contents
CVE-2026-35273 is a CVSS 9.8 vulnerability in Oracle PeopleSoft Enterprise PeopleTools. The NVD entry describes affected versions as PeopleTools 8.61 and 8.62, with unauthenticated network access over HTTP able to compromise PeopleTools and result in takeover.
CISA added it to the Known Exploited Vulnerabilities catalog on June 12, 2026, with a June 15, 2026 deadline for covered federal agencies. Oracle published a Security Alert for CVE-2026-35273, and Google Threat Intelligence/Mandiant reported active exploitation associated with UNC6240/ShinyHunters against PeopleSoft infrastructure.
Do These First
- Patch PeopleTools according to Oracle guidance. If you run PeopleTools 8.61 or 8.62, treat this as an emergency remediation item, not a normal maintenance task.
- Check exposure. HR self-service, payroll, finance, campus, and supplier-facing PeopleSoft portals often have internet-facing entry points. Confirm whether PeopleSoft web tiers or sensitive PeopleTools endpoints are reachable from untrusted networks.
- Review logs and systems. Google/Mandiant recommends checking PeopleSoft/WebLogic access logs for PSEMHUB and PSIGW activity, reviewing web-tier filesystems, and restricting or disabling exposed Environment Management Hub paths according to Oracle guidance.
The Pattern: Two ERPs, One Precondition
PeopleSoft CVE-2026-35273 and Oracle EBS CVE-2026-46817 are different vulnerabilities in different ERP stacks. But from a defender's point of view, they rhyme: unauthenticated HTTP access reaches a sensitive ERP web tier, and the ERP becomes the path to HR, payroll, financial, procurement, or payments data.
Patching closes the specific vulnerability. It does not automatically remove the exposure pattern that made exploitation possible in the first place.
Reduce the Unauthenticated Access Precondition
An authenticating reverse proxy in front of PeopleSoft changes the boundary. Users must authenticate before requests reach the PeopleSoft web tier, and the proxy passes a trusted identity to PeopleSoft through the established header/sign-on PeopleCode pattern. Unauthenticated traffic stops before it reaches PeopleTools.
This is exposure reduction and a compensating control. It is not a patch substitute. The vulnerable code still needs Oracle's fix, and authenticated traffic can still reach PeopleSoft. The goal is to avoid leaving critical PeopleSoft surfaces open to unauthenticated internet traffic while you patch and after you patch.
For the implementation pattern, see the PeopleSoft SSO guide, the PeopleSoft MFA guide, and the PeopleSoft SSO and MFA solution page.
FAQ
What is CVE-2026-35273?
CVE-2026-35273 is a CVSS 9.8 missing-authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools, affecting versions 8.61 and 8.62. See the NVD entry for current vulnerability details.
Is there a patch?
Yes. Oracle published a Security Alert Advisory for CVE-2026-35273. Follow Oracle's current mitigation and patch guidance first.
Is ShinyHunters exploiting this?
Google Threat Intelligence/Mandiant reported active compromise and extortion activity attributed to UNC6240/ShinyHunters targeting Oracle PeopleSoft infrastructure and consistent with exploitation of CVE-2026-35273. See the Google Cloud threat-intelligence post for their details and hardening guidance.
Does an access proxy replace the patch?
No. A proxy can block unauthenticated traffic before it reaches PeopleSoft and improve attribution, but it does not remove vulnerable code. Patch first, then use the access layer to reduce the precondition that makes these flaws so damaging.
What to Do Next
Patch PeopleTools first. Then reduce unauthenticated PeopleSoft exposure with an access layer that enforces SSO, MFA, and policy before PeopleSoft traffic reaches the web tier. To review the architecture, see PeopleSoft SSO and MFA or book a demo.
For a practical access-control path after patching and exposure review, see protecting HR self-service with MFA in front of PeopleSoft HCM and other web-based HR portals.



