
Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)

Jeff Davies 16 Jun 2026 10 min read

1. Executive summary

Oracle has issued an out-of-band patch for CVE-2026-35273, a critical vulnerability (CVSS 9.8, in CISA KEV since 2026-06-12) in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. The flaw is remotely exploitable without authentication and achieves remote code execution through an SSRF mechanism against the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints. PeopleTools 8.61 and 8.62 are confirmed affected; older unsupported versions are likely also vulnerable. Mandiant observed active in-the-wild exploitation between 27 May and 9 June 2026, predating Oracle's advisory, i.e. the flaw was exploited as a zero-day. Mandiant has attributed the campaign to UNC6240 (ShinyHunters), a financially motivated data-theft and extortion collective; the attribution is unconfirmed in the sense that no public MITRE ATT&CK profile exists for UNC6240 or ShinyHunters. For EMEA financial services, the risk is concentrated in any institution running PeopleSoft HCM, finance or campus ERP workloads, including banks and insurers using PeopleSoft for HR/payroll and any university or RDSP-licensed OES that processes financial data. Anyone in scope should patch immediately, restrict the two named endpoints, and hunt for outbound SMB activity from PeopleSoft hosts going back to 27 May 2026.

2. Regulatory framing

Each entry gives the article, the trigger (the fact in this item) and the practical impact.

DORA Art. 17
  Trigger: Active exploitation against an ICT system supporting a financial entity requires an ICT-related incident management process.
  Practical impact: Activate the documented incident response process; preserve forensic artefacts (web server access logs, process creation, EDR telemetry, outbound NetFlow) covering the period from 27 May 2026 onward.

DORA Art. 18
  Trigger: A new cyber threat with active exploitation must be classified.
  Practical impact: Classify this as a critical-severity, pre-authentication RCE with confirmed in-the-wild abuse; document the classification for reporting and audit.

DORA Art. 19
  Trigger: Successful exploitation that compromises ICT systems supporting critical functions is a major ICT-related incident.
  Practical impact: If a PeopleSoft instance is confirmed compromised, prepare a major-incident notification to the competent authority using the firm's DORA reporting playbook.

DORA Art. 24
  Trigger: Remediation requires digital operational resilience testing of the patch and compensating controls before redeployment to production.
  Practical impact: Validate the Oracle patch and the compensating network controls in a non-production mirror; only then promote to production.

DORA Art. 28
  Trigger: Oracle is an ICT third-party provider to the financial entity.
  Practical impact: Document the dependency and the vendor's emergency patch response; ensure the contract supports the required patching cadence.

DORA Art. 29
  Trigger: Oracle PeopleSoft may constitute an ICT concentration risk across multiple business processes (HR, payroll, finance).
  Practical impact: Assess whether multiple critical functions rely on the same PeopleSoft environment and whether the concentration should be reported internally.

DORA Art. 30
  Trigger: Patching, configuration changes and contractual SLA implications with Oracle as a key ICT third party.
  Practical impact: Confirm that the emergency patch and any compensating controls are aligned with the contractual provisions (notification, support, audit) agreed with Oracle.

NIS2 Art. 21(2)(d)
  Trigger: Oracle PeopleSoft is a third-party software supplier in the supply chain.
  Practical impact: Apply supply-chain security measures: enforce the vendor patch, monitor for compromise via the listed IOCs, and confirm supplier incident-handling arrangements.

NIS2 Art. 23
  Trigger: An exploitable vulnerability with active abuse against an in-scope entity triggers incident reporting obligations.
  Practical impact: Prepare and, if compromise is confirmed, submit an early warning within the NIS2 reporting timeline.

UK NIS 2018
  Trigger: Any OES or RDSP running PeopleSoft owes duties under the UK NIS Regulations.
  Practical impact: UK in-scope entities (banks, insurers, OES) must treat this as a relevant incident-management trigger and align with UK NIS incident reporting duties.

3. Technical analysis & attack chain

  1. Initial access — exploitation of CVE-2026-35273. Attacker targets either /PSEMHUB/hub or /PSIGW/HttpListeningConnector on an exposed Oracle PeopleSoft host (PeopleTools 8.61 / 8.62). The vulnerability is unauthenticated and the attacker reaches RCE through an SSRF primitive in the Updates Environment Management component.
  2. Vulnerability mechanism. TrendAI characterises the underlying flaw as server-side request forgery (CWE-918 in the source's vendor/researcher classification). Mandiant observes that the SSRF is leveraged to coerce the PeopleSoft JVM into making outbound connections, including outbound SMB (TCP 445) to attacker-controlled destinations, enabling capture of Windows machine-account NetNTLMv1/v2 hashes.
  3. Payload staging / C2. Actors used five sequential staging IPs (142.11.200.186 to 142.11.200.190) running Python SimpleHTTPServer on TCP 8888. These hosts served preconfigured MeshCentral agents designed to masquerade as Microsoft Azure services:
       • meshagent64-azure-ops.exe (sha256 f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc)
       • meshagent64-v2.exe (sha256 d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f)
       • meshagent32-azure-ops.exe (sha256 c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f)
       • meshagent (Linux unconfigured binary, sha256 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309)
  4. Persistence. Agents were pre-hardcoded with the C2 endpoint wss://azurenetfiles[.]net:443/agent.ashx (domain azurenetfiles.net chosen to mimic Microsoft Azure NetApp Files). On Windows this is installed as a MeshAgent service giving interactive remote control; on Linux, command-line parameters were passed dynamically. The MeshCentral server observed in the staging environment was version 1.1.59.
  5. Privilege escalation & lateral movement. A custom lateral-movement and defacement script, named per victim (e.g. [victim_abbreviation]_fanout.sh), was deployed. Public reporting on attacker bash_history (sha256 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35) shows the staging environment was stood up at 22:14 UTC on 27 May 2026, beginning with installation of the MeshCentral C2 staging server.
  6. Internal reconnaissance. Actors enumerated PeopleSoft configuration, including the EMHUB app configuration, ENV metadata, and Integration Broker endpoints under <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/.
  7. Persistence on disk — observed artefacts (defacement/exfiltration markers). Unexpected .jsp files under <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/; unauthorised files or directories under .../PSEMHUB.war/envmetadata/transactions/; unexpected directories named logs, persistentstorage, or scratchpad under PSEMHUB paths; recently created/modified .xml files under <docroot>/envmetadata/data/environment/ (potential XMLDecoder persistence); and a defacement/extortion marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
  8. Data exfiltration. Stolen data was compressed with zstd and posted to the ShinyHunters Data Leak Site (DLS) on 9 June 2026. The DLS mirror is at 176.120.22[.]24.
  9. Impact observed. Mandiant notified >100 organisations; 68 % were higher education (universities and colleges). The campaign is consistent with data theft and extortion.
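A host-side sweep for the on-disk artefacts in items 6 and 7, added here as an example and not tooling from Mandiant, Oracle or this advisory: it walks a <PS_CFG_HOME>/webserv tree, flags .jsp files and the logs/persistentstorage/scratchpad directories under PSEMHUB.war, the defacement marker file, and any file whose SHA-256 matches the MeshAgent hashes in §5. The directory layout and planted files in the demo are constructed; a production run should first subtract a baseline of .jsp files taken from a clean install of the same PeopleTools release.

```python
"""Sweep a PeopleSoft config home for CVE-2026-35273 post-exploitation artefacts."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values of the four MeshAgent binaries listed in the advisory's IOC table (section 5).
IOC_SHA256 = {
    "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc",
    "d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f",
    "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
    "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309",
}
MARKER = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
SUSPECT_DIRS = {"logs", "persistentstorage", "scratchpad"}  # unexpected under PSEMHUB paths

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(ps_cfg_home: Path):
    """Walk <PS_CFG_HOME>/webserv; return sorted (reason, path relative to home) findings."""
    findings = []
    for root, dirs, files in os.walk(ps_cfg_home / "webserv"):
        rootp = Path(root)
        in_psemhub = "PSEMHUB.war" in rootp.parts
        for d in dirs:
            if in_psemhub and d.lower() in SUSPECT_DIRS:
                findings.append(("unexpected-dir", str((rootp / d).relative_to(ps_cfg_home))))
        for f in files:
            p = rootp / f
            rel = str(p.relative_to(ps_cfg_home))
            if f == MARKER:
                findings.append(("defacement-marker", rel))
            elif in_psemhub and f.lower().endswith(".jsp"):
                # Compare against a clean-install baseline of .jsp files before escalating.
                findings.append(("unexpected-jsp", rel))
            elif sha256_of(p) in IOC_SHA256:
                findings.append(("ioc-hash-match", rel))
    return sorted(findings)

def build_demo_tree() -> Path:
    """Constructed PS_CFG_HOME with planted artefacts; demo data only, not real telemetry."""
    home = Path(tempfile.mkdtemp(prefix="ps_cfg_home_"))
    war = home / "webserv" / "peoplesoft" / "applications" / "peoplesoft" / "PSEMHUB.war"
    (war / "scratchpad").mkdir(parents=True)
    (war / "WEB-INF").mkdir()
    (war / "cmd.jsp").write_text("<%-- constructed placeholder, not a real web shell --%>")
    (war / "WEB-INF" / "web.xml").write_text("<web-app/>")  # legitimate file, must not fire
    (home / "webserv" / MARKER).write_text("constructed marker")
    return home

if __name__ == "__main__":
    for reason, rel in sweep(build_demo_tree()):
        print(f"{reason:18} {rel}")
```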

Caveat (single-sourced / unconfirmed): TrendAI's signature description (IPS Rule 1012580 "Oracle Peoplesoft PeopleTools SSRF Vulnerability"; DDI Rule 5855 "Peoplesoft PeopleTools Environment Management Hub (PSEMHUB) SSRF Exploit") and the characterisation as a CWE-918 SSRF are reported in a single primary blog (Rapid7). The authoritative reference classifies the weakness as CWE-306 (Missing Authentication for Critical Function); the SSRF description remains the attacker's exploitation mechanism per Mandiant. Attribution to UNC6240 / ShinyHunters is unconfirmed in MITRE terms — no MITRE ATT&CK profile exists for either designation.

4. Mitigation & containment

P1 — within 24 hours

  • Patch. Apply Oracle's out-of-band patch for CVE-2026-35273 (released 10 June 2026) on every PeopleTools 8.61 / 8.62 instance. Do not wait for a normal patch cycle.
  • Network block — perimeter / WAF / firewall. Block external access to:
        • /PSEMHUB/* (especially /PSEMHUB/hub)
        • /PSIGW/HttpListeningConnector
    The restriction is non-breaking for normal PeopleSoft Internet Architecture (PIA) browser sessions per Mandiant.
  • Disable / remove the vulnerable component.
        • Multi-server environments: disable the Environment Management Hub (EMHub) Service.
        • Single-server environments: completely remove the PSEMHUB application.

P2 — within 72 hours

  • Outbound SMB hardening. Block egress TCP 445 (SMB) from PeopleSoft servers to the internet or any untrusted destination. If a business need exists, allow-list to a known internal file server only.
  • Hunt phase 1. Sweep web access logs (reverse-proxy, web server, WAF) for HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from external IPs covering 27 May 2026 onward. Look for request parameters/headers containing 127.0.0.1, localhost, ::1, or RFC1918 ranges.
  • Hunt phase 2. Hunt for the four MeshAgent binaries (sha256 hashes in §5) and the azurenetfiles.net C2 string in EDR, AV quarantine, file-server, and backup telemetry. Search process command lines and scheduled-task XML for meshagent64-azure-ops.exe, meshagent64-v2.exe, meshagent32-azure-ops.exe, meshagent.
  • Filesystem sweep. Search for unexpected .jsp files under <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/, unexpected directories logs, persistentstorage, scratchpad under PSEMHUB paths, and the marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
  • Containment. If indicators match, isolate the PeopleSoft host, rotate any credentials/keytabs cached on it, and force password reset for any service accounts on the host.
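The hunt phase 1 sweep as a script, added here as an example and not the advisory's or any vendor's tool: it parses Combined Log Format access-log lines, keeps requests to the two endpoints from non-RFC1918 sources on or after 27 May 2026, and grades a hit critical when the decoded query string carries a loopback or internal address and high when it is a plain POST. The log lines, source addresses and parameter name are constructed; the SSRF target may also travel in the POST body, which a standard access log does not record.

```python
"""Retro-hunt of web access logs for CVE-2026-35273 exploitation attempts."""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

TARGET_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
HUNT_START = datetime(2026, 5, 27, tzinfo=timezone.utc)  # first observed activity
# Source ranges treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Loopback / RFC1918 / link-local tokens inside a request parameter are the SSRF tell.
SSRF_RE = re.compile(
    r"(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|::1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3})", re.IGNORECASE)
# Combined Log Format: ip ident user [ts] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(line: str):
    """Return (severity, source_ip, path) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    if ts < HUNT_START or not is_external(m["ip"]):
        return None
    parts = urlsplit(m["uri"])
    if not parts.path.startswith(TARGET_PATHS):
        return None
    # Decode percent-encoding first so that an encoded loopback address is not missed.
    if SSRF_RE.search(unquote(parts.query)):
        return ("critical", m["ip"], parts.path)
    if m["method"] == "POST":
        return ("high", m["ip"], parts.path)
    return None

def hunt(lines):
    return [hit for hit in (triage(line) for line in lines) if hit]

# Constructed sample lines (not real telemetry); the "target" parameter name is invented.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/May/2026:03:14:09 +0000] "POST /PSEMHUB/hub?target=http%3A%2F%2F127.0.0.1%3A8000%2F HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.20.30.40 - - [28/May/2026:09:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 120 "-" "Java/17"',
    '198.51.100.7 - - [30/May/2026:11:22:33 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 80 "-" "curl/8.5.0"',
    '198.51.100.9 - - [01/May/2026:11:22:33 +0000] "POST /PSEMHUB/hub HTTP/1.1" 404 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [02/Jun/2026:08:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for sev, ip, path in hunt(SAMPLE_LOG):
        print(f"{sev.upper():8} {ip:15} {path}")
```

Feed the script real reverse-proxy or web-server logs one line at a time; anything graded critical should be treated as a confirmed exploitation attempt against that host.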

P3 — within 7 days

  • Validate. Confirm Oracle's patch is applied and that EMHub/PSEMHUB endpoint access is restricted in production. Re-run an authenticated vulnerability scan (e.g. Rapid7 checks released 12 June 2026).
  • Test. Confirm resilience testing (DORA Art. 24 alignment) of compensating controls in a non-prod mirror before re-promotion.
  • Supply-chain / contractual review. Confirm that contractual incident-handling and notification clauses with Oracle were honoured (DORA Art. 28 / 30 alignment).
  • Detection engineering. Roll out Sigma/YARA rules in §6 across SIEM, EDR, and WAF.

5. Indicators of compromise

Type Value Confidence Source
ipv4 142.11.200.186 High Mandiant (staging/C2)
ipv4 142.11.200.187 High Mandiant (staging/C2)
ipv4 142.11.200.188 High Mandiant (staging/C2)
ipv4 142.11.200.189 High Mandiant (staging/C2)
ipv4 142.11.200.190 High Mandiant (staging/C2)
ipv4 176.120.22.24 High Mandiant (ShinyHunters DLS mirror)
domain azurenetfiles.net High Mandiant (C2 domain, masquerades as Azure)
sha256 f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc High Mandiant (meshagent64-azure-ops.exe)
sha256 d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f High Mandiant (meshagent64-v2.exe)
sha256 c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f High Mandiant (meshagent32-azure-ops.exe)
sha256 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 High Mandiant (meshagent Linux binary)
sha256 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 High Mandiant (.bash_history)
url wss://azurenetfiles.net:443/agent.ashx High Mandiant (MeshAgent C2)
filename meshagent64-azure-ops.exe High Mandiant
filename meshagent64-v2.exe High Mandiant
filename meshagent32-azure-ops.exe High Mandiant
filename meshagent High Mandiant (Linux)
filename README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT High Mandiant (defacement marker)
filepath <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ High Mandiant (unexpected .jsp here)
filepath .../PSEMHUB.war/envmetadata/transactions/ High Mandiant
filepath <docroot>/envmetadata/data/environment/ High Mandiant (XMLDecoder persistence)
filepath logs, persistentstorage, scratchpad (under PSEMHUB paths) High Mandiant
uri /PSEMHUB/hub High Mandiant
uri /PSIGW/HttpListeningConnector High Mandiant

6. Detection

rule AT_PeopleSoft_PSEMHUB_RCE_2026
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-13"
        description = "Strings tied to ShinyHunters post-exploitation on Oracle PeopleSoft PSEMHUB (CVE-2026-35273)"
        reference = "https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/"
    strings:
        // Campaign-specific indicators: any single one is sufficient to fire
        $a1 = "azurenetfiles.net" ascii nocase
        $a2 = "azurenetfiles.net:443/agent.ashx" ascii nocase
        $a3 = "meshagent64-azure-ops.exe" ascii nocase
        $a4 = "meshagent64-v2.exe" ascii nocase
        $a5 = "meshagent32-azure-ops.exe" ascii nocase
        $a6 = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" ascii nocase
        // Generic strings: "meshagent" is present in any MeshCentral deployment and the
        // PSEMHUB / PSIGW names appear in every legitimate PeopleSoft install, so on
        // their own they would match the whole PSEMHUB.war; require two together
        $g1 = "meshagent" ascii nocase
        $g2 = "PSEMHUB" ascii nocase
        $g3 = "/PSIGW/HttpListeningConnector" ascii nocase
    condition:
        any of ($a*) or 2 of ($g*)
}
title: Oracle PeopleSoft PSEMHUB SSRF/RCE (CVE-2026-35273) exploitation
id: at-2026-06-13-097-psemhub
status: experimental
description: |
  Detects exploitation attempts and post-exploitation artefacts of the Oracle
  PeopleSoft PSEMHUB vulnerability CVE-2026-35273, including suspicious
  POSTs to PSEMHUB endpoints and SSRF payloads containing loopback/internal
  addresses in the request parameters.
author: Adverse Trace
date: 2026-06-13
references:
  - https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273
  - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/
logsource:
  product: webserver
  category: web
detection:
  selection_targets:
    # the request path lives in cs-uri-stem; cs-uri-path is not a standard web field
    cs-uri-stem|contains:
      - "/PSEMHUB/hub"
      - "/PSIGW/HttpListeningConnector"
  selection_post:
    cs-method: "POST"
  selection_ssrf_internal:
    # loopback / RFC1918 / link-local tokens in the query string; the SSRF target may
    # also sit in the POST body, which most web access logs do not record
    cs-uri-query|contains:
      - "127."
      - "localhost"
      - "::1"
      - "10."
      - "192.168."
      - "169.254."
  filter_internal_src:
    # EM Hub agents on internal hosts legitimately talk to /PSEMHUB/hub
    c-ip|cidr:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
  condition: selection_targets and (selection_post or selection_ssrf_internal) and not filter_internal_src
falsepositives:
  - Internal Environment Management agents are excluded by filter_internal_src; investigate any remaining match immediately
level: critical
---
title: Outbound SMB from PeopleSoft host to external destination
id: at-2026-06-13-097-smb
status: experimental
description: |
  Outbound TCP 445 (SMB) from an Oracle PeopleSoft server to a non-RFC1918
  destination is suspicious and consistent with the SSRF-to-NetNTLM-capture path
  observed in CVE-2026-35273 exploitation.
author: Adverse Trace
date: 2026-06-13
logsource:
  product: zeek
  category: conn
detection:
  # Zeek conn.log field names; scope id.orig_h to the PeopleSoft server inventory
  # (placeholder list maintained by the SOC) to keep the rule quiet on other hosts
  selection_smb:
    id.resp_p: 445
    proto: tcp
  selection_known_c2:
    id.resp_h:
      - 142.11.200.186
      - 142.11.200.187
      - 142.11.200.188
      - 142.11.200.189
      - 142.11.200.190
      - 176.120.22.24
  filter_internal_dst:
    id.resp_h|cidr:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  condition: selection_smb and (selection_known_c2 or not filter_internal_dst)
falsepositives:
  - SMB to an internal file server is excluded by filter_internal_dst; any external SMB destination should be investigated immediately
level: high

CVE assessment

3 referenced CVEs — 1 actively exploited (CISA KEV), 1 critical (CVSS ≥ 9.0)

Each entry gives CVE, CVSS score and severity, exploitation status, EPSS score and summary.

CVE-2026-35273: CVSS 9.8 Critical; Exploited: ⚠ KEV 2026-06-12; EPSS 0%; Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management)…
CVE-2017-3548: CVSS 6.5 Medium; EPSS 49%; Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broke…
CVE-2013-3821: CVSS 6.4; EPSS 1%; Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53…

7. Sources

  • Rapid7 — Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273), 12 Jun 2026 — https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273
  • Mandiant / Google Cloud — ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit, 11 Jun 2026 — https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/
  • BleepingComputer — Oracle mitigates PeopleSoft zero-day exploited in data theft attacks — https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/
  • SecurityWeek — Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks — https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/
  • Help Net Security — Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert — https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/
  • ANSSI France CERT — Vulnérabilité dans Oracle PeopleSoft (CERTFR-2026-AVI-0749), 12 Jun 2026 — https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0749/
  • CISA / NVD — CVE-2026-35273 listing and Known Exploited Vulnerabilities entry (added 2026-06-12) — https://nvd.nist.gov/vuln/detail/CVE-2026-35273

8. Adverse Trace position

Severity: CRITICAL. CVE-2026-35273 is a CVSS 9.8, pre-authentication RCE in Oracle PeopleSoft PeopleTools 8.61/8.62, confirmed exploited in the wild as a zero-day since 27 May 2026, listed in CISA KEV, and now linked by Mandiant to a financially motivated extortion campaign with documented data publication on the ShinyHunters DLS. The attacker TTPs are concrete and reproducible: SSRF via /PSEMHUB/hub and /PSIGW/HttpListeningConnector, outbound SMB coercion for NetNTLM capture, MeshCentral agent deployment masquerading as Microsoft Azure, lateral-movement fanout script, and zstd-compressed exfiltration. Adverse Trace view: any EMEA financial-services client running PeopleTools 8.61 or 8.62 (especially with externally accessible HCM/HR or finance ERP) must be treated as at risk from at least 27 May 2026 onward. Next steps: (1) confirm patch state and apply Oracle's out-of-band fix; (2) block /PSEMHUB/* and /PSIGW/HttpListeningConnector and egress TCP 445; (3) retro-hunt for the IOCs in §5 and the behavioural indicators in §6 covering 27 May–13 Jun 2026; (4) for confirmed compromises, prepare DORA Art. 19 / NIS2 Art. 23 notifications, and (5) feed the IOCs into Threat-Intel platform watches for ongoing monitoring. We will update this advisory if Oracle expands the affected version list or if additional attribution evidence (e.g., a MITRE ATT&CK group ID for ShinyHunters / UNC6240) becomes available.


Published via PulseTrace — Adverse Trace threat intelligence.
