CVE-2026-35273 in Oracle PeopleSoft PeopleTools EMHub Under Active Exploitation
Oracle has disclosed CVE-2026-35273, a critical Remote Code Execution (RCE) zero-day vulnerability in Oracle PeopleSoft Enterprise PeopleTools, affecting the Updates Environment Management component (often referenced as Environment Management / EMHub). Multiple reports cite active exploitation in the wild, with activity attributed to ShinyHunters.
This post covers what’s affected, what we know about exploitation, and what defenders should do immediately to reduce exposure.
What Is CVE-2026-35273?
CVE-2026-35273 (CVSS 9.8) is an unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools, within the Updates Environment Management area (Environment Management / EMHub context). In practical terms, a remote attacker who can reach the exposed PeopleSoft HTTP service may be able to execute code on the underlying system without needing credentials.

Details of CVE-2026-35273 (SOCRadar’s Vulnerability Intelligence)
Oracle describes the vulnerability as easily exploitable and remotely reachable. That makes external exposure the main risk multiplier. If PeopleTools is reachable from the internet, attackers can move quickly from scanning to compromise.
Which PeopleSoft Versions and Components Are Affected?
Oracle lists the following supported versions as affected:
- PeopleTools 8.61
- PeopleTools 8.62
The impacted component is Updates Environment Management, which industry reporting and Oracle’s risk context also refer to as Environment Management / EMHub.
Oracle also notes an important scope caveat: while unsupported releases are not tested, earlier versions are likely also affected. If you run older PeopleTools builds, do not treat “not listed” as “not vulnerable,” especially with exploitation already reported.
How Does Exploitation Work?
Public technical detail remains limited as of mid-June 2026. Oracle’s alert confirms the essentials defenders need for prioritization:
- Network exploitable over HTTP
- No authentication required
- RCE leading to full compromise
Oracle does not provide a root-cause write-up, and there is no authoritative public Proof-of-Concept (PoC) exploit included in the advisory. The absence of a public PoC does not reduce risk. In real campaigns, attackers often have working exploit code long before defenders have reproducible details.
From a defensive standpoint, the most useful conclusion is that any internet-facing EMHub-related PeopleSoft surface should be treated as high risk until patched or isolated.
Is There Evidence of Active Exploitation in the Wild?
Yes. Multiple security outlets report active exploitation, citing Google Threat Intelligence Group (GTIG)/Mandiant reporting, and link the activity to ShinyHunters. Reporting also frames the intrusions as fitting a compromise plus extortion workflow, which is consistent with the impact of unauthenticated RCE against enterprise platforms.

A PeopleSoft victim listing on ShinyHunters leak site, dated June 9, 2026 (Google Cloud Blog)
A commonly cited exploitation window is May 27, 2026 through June 9, 2026, followed by Oracle’s advisory publication on June 10, 2026 (initial release). Regardless of the exact start date, assume opportunistic exploitation will expand as awareness spreads.
What Are the Most Likely Exposure Scenarios for Defenders to Check?
This vulnerability is most dangerous when PeopleSoft services are reachable from untrusted networks. Based on public reporting, many targets appeared to have internet-facing PeopleSoft deployments, with a notable concentration in higher education environments.
Even if you believe PeopleSoft is “internal,” verify it. Common failure modes include:
- Forgotten public DNS records pointing to legacy PeopleSoft endpoints
- Reverse proxies publishing EMHub unintentionally
- Temporary firewall exceptions that became permanent
- Non-production environments exposed for vendor access and never closed
Your immediate goal is to determine whether EMHub-related endpoints are externally reachable, then reduce that reachability quickly.

SOCRadar’s Vulnerability Intelligence
SOCRadar Cyber Threat Intelligence, including Vulnerability Intelligence, helps security teams track newly disclosed vulnerabilities, exploitation developments, and patch-related updates as threats evolve. Paired with Attack Surface Management, it also helps identify exposed internet-facing assets that may require immediate attention, supporting faster and more informed remediation decisions.
What Should Defenders Do Right Now?
Apply Oracle Fixes or Follow Oracle Patch Guidance Immediately
Oracle urges immediate action and references a Patch Availability Document. If you run supported PeopleTools versions (8.61/8.62), prioritize obtaining and applying the vendor-provided remediation guidance through official support channels.
Restrict or Disable EMHub If You Can
Public reporting around the advisory includes practical mitigation guidance aimed at reducing EMHub exposure:
- Disable or restrict Environment Management Hub (EMHub) where possible.
- If you cannot disable EMHub, block external access to the following paths:
  - /PSEMHUB/*
  - /PSIGW/HttpListeningConnector
Treat these as emergency exposure controls, not a replacement for patching.
Assume Compromise Is Possible If You Were Exposed
Because exploitation is reported as active and the bug enables unauthenticated RCE, do not stop at patching if you had external exposure. At minimum:
- Review PeopleSoft and web server logs for suspicious requests to EMHub-related paths.
- Hunt for new or modified server-side files and unexpected processes on the PeopleSoft host.
- Validate service accounts and credentials that may be accessible from the PeopleTools environment.
- Prepare for containment actions if you identify signs of execution or persistence.
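For the log review step above, here is an added example (not from Oracle's advisory or the original post) that triages web access logs for requests to the two paths named in the mitigation guidance. It assumes combined-format access logs and a site-specific list of internal ranges; the names `triage`, `is_external`, `WATCHED`, `INTERNAL` and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Paths from the mitigation guidance above, lower-cased for matching.
WATCHED = ("/psemhub", "/psigw/httplisteningconnector")
# Reported exploitation window (May 27 to June 9, 2026), end exclusive, UTC.
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))
# Assumption: sources in these ranges count as internal; adjust per site.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed combined/common log format: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_external(src):
    """True when the client is outside INTERNAL or is not a parseable IP."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # hostname or garbage in the client field: review it
    return not any(addr in net for net in INTERNAL)

def triage(lines):
    """Return one finding per request that touched a watched path."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        src, ts, method, target, status = m.groups()
        # Drop the query, decode %-escapes, collapse '//' and lower-case,
        # so encoded or mixed-case variants of the path still match.
        path = re.sub(r"/{2,}", "/", unquote(target.split("?", 1)[0])).lower()
        if not any(path == w or path.startswith(w + "/") for w in WATCHED):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        findings.append({"src": src, "method": method, "path": path,
                         "status": int(status), "external": is_external(src),
                         "in_window": WINDOW[0] <= when < WINDOW[1]})
    return findings

# Constructed sample lines (not real traffic) for demonstration.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.1.2.3 - - [02/Jun/2026:09:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 128',
    '198.51.100.9 - - [12/Jun/2026:11:30:00 +0000] "POST /psigw//%48ttpListeningConnector?x=1 HTTP/1.1" 403 0',
    '203.0.113.7 - - [28/May/2026:03:15:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 2048',
]
```

Findings with `external` set and a 2xx status deserve first attention; a hit outside the reported window is still worth reviewing, since the exact start date is uncertain.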
