1. Executive summary
Oracle's June 2026 Critical Security Patch Update (CSPU) addresses 243 CVEs across 245 patches in 11 product families, with 122 critical-severity fixes. The dominant exposure is in Oracle Fusion Middleware (106 patches, 53 remotely exploitable without authentication) and Oracle E-Business Suite (55 patches). The CSPU also incorporates an out-of-band fix for CVE-2026-35273, a critical remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62), which has been actively exploited in the wild as a zero-day since at least 27 May 2026. Per the authoritative reference data, CVE-2026-35273 has unknown CVSS and is not listed in CISA KEV; Rapid7 has independently published a CVSSv3.1 score of 9.8 for this flaw. EMEA financial services firms running Oracle PeopleSoft, Fusion Middleware, or E-Business Suite face elevated risk and must prioritise patching within 24 hours.
2. Regulatory framing
| Article | Trigger | Practical impact |
|---|---|---|
| DORA Art. 17 (ICT-related incident management process) | CVE-2026-35273 is under active in-the-wild exploitation, requiring formal incident response procedures for any affected entity. | Activate documented ICT-related incident management process; document response actions, evidence preservation, and lessons learned. |
| DORA Art. 18 (classification of ICT-related incidents and cyber threats) | The ShinyHunters/UNC6240 campaign constitutes a credible cyber threat requiring classification. | Classify the threat and any resulting incidents per the entity's taxonomy; ensure severity grading reflects data-exfiltration impact. |
| DORA Art. 19 (reporting of major ICT-related incidents to competent authorities) | Confirmed exploitation in a client environment would constitute a major ICT-related incident. | Report confirmed major incidents to the competent authority within statutory deadlines; preserve reporting chain documentation. |
| DORA Art. 28 (ICT third-party risk — general principles) | Oracle is an ICT third-party provider; the CSPU introduces material risk changes. | Update third-party risk register; reassess Oracle concentration and criticality. |
| DORA Art. 30 (key contractual provisions with ICT third-party providers) | Oracle patch obligations and support timelines are governed by contract. | Verify contractual patching SLAs and notification clauses are being honoured; escalate non-compliance. |
| NIS2 Art. 21(2)(d) (supply chain security measures) | Oracle products are part of the ICT supply chain; the zero-day demonstrates supply-chain attack surface. | Review and reinforce supply-chain security controls covering Oracle product families in scope. |
| NIS2 Art. 23 (incident reporting obligations) | Active exploitation may trigger early-warning/incident notification duties. | File early warning and incident notification per national CSIRT timelines if exploitation is confirmed. |
| UK NIS 2018 (OES/RDSP duties) | Entities designated as OES or RDSP running affected Oracle products have security incident handling duties. | Ensure incident-handling and notification obligations under UK NIS are met where in-scope systems are affected. |
3. Technical analysis & attack chain
Attack chain (CVE-2026-35273)
- Initial access — Unauthenticated remote exploitation of Oracle PeopleSoft Enterprise PeopleTools via the `/PSIGW/HttpListeningConnector` and `/PSEMHUB/hub` endpoints. The underlying flaw is classified as a server-side request forgery (CWE-918 / SSRF) by TrendAI, which Mandiant describes as the mechanism enabling remote code execution.
- Vulnerability mechanism — SSRF in the Updates Environment Management component of PeopleTools (versions 8.61 and 8.62). The exploit chain may coerce the target PeopleSoft server to make outbound SMB connections (TCP/445) to attacker-controlled destinations, enabling capture of Windows machine-account NetNTLM hashes.
- Payload deployment — Deployment of MeshCentral remote management agents configured to masquerade as Microsoft Azure services. Observed filename: `meshagent64-azure-ops.exe`.
- Command-and-control — C2 communications directed to `wss://azurenetfiles[.]net:443/agent.ashx`.
- Internal reconnaissance — Reconnaissance of PeopleSoft configurations and environment.
- Lateral movement — Deployment of lateral-movement scripts within the compromised environment.
- Data access and exfiltration — Data exfiltrated using `zstd` compression.
- Extortion — Stolen data published on the ShinyHunters Data Leak Site (DLS) on 9 June 2026.
Broader CSPU exposure
The June 2026 CSPU addresses 243 CVEs across 11 product families. The highest-risk families for EMEA financial services are:
| Product family | Patches | Remotely exploitable without auth |
|---|---|---|
| Oracle Fusion Middleware | 106 | 53 |
| Oracle E-Business Suite | 55 | 6 |
| Oracle JD Edwards | 20 | 12 |
| Oracle Enterprise Manager | 16 | 6 |
| Oracle Siebel CRM | 12 | 7 |
| Oracle PeopleSoft | 11 | 7 |
| Oracle Virtualization | 10 | 0 |
| Oracle MySQL | 8 | 4 |
| Oracle Communications | 3 | 3 |
| Oracle Systems | 3 | 1 |
| Oracle Supply Chain | 1 | 1 |
Attribution caveat
Mandiant attributes the campaign to UNC6240 (ShinyHunters), a financially motivated cybercriminal collective. Per the authoritative reference data, neither ShinyHunters nor UNC6240 has a MITRE ATT&CK profile; attribution is therefore treated as unconfirmed. ShinyHunters has historically been linked to breaches involving weak authentication, stolen credentials, and cloud misconfigurations rather than sophisticated malware deployment.
Detection signatures (vendor-published)
- TrendAI IPS Rule 1012580 — "Oracle Peoplesoft PeopleTools SSRF Vulnerability"
- TrendAI DDI Rule 5855 — "Peoplesoft PeopleTools Environment Management Hub (PSEMHUB) SSRF Exploit"
4. Mitigation & containment
P1 — within 24 hours
- Patch CVE-2026-35273 on all PeopleTools 8.61 and 8.62 instances using the Oracle out-of-band patch from 10 June 2026.
- Disable the Environment Management Hub (EMHub) Service in multi-server configurations, or completely remove the PSEMHUB application in single-server configurations.
- Block external access at the WAF/edge to `/PSIGW/*` and `/PSEMHUB/*` URIs (specifically `/PSIGW/HttpListeningConnector` and `/PSEMHUB/hub`).
- Block outbound SMB (TCP/445) from PeopleSoft application servers to the public internet at the egress firewall.
- Hunt for the MeshCentral agent filename `meshagent64-azure-ops.exe` and the C2 endpoint `wss://azurenetfiles[.]net:443/agent.ashx` across endpoints and network telemetry.
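The P1 hunt item above, as an added example that is not Adverse Trace, Rapid7 or Mandiant tooling: a Python sweep that takes the published indicators in their defanged form, refangs them, and matches them against constructed endpoint process, DNS, web-access and WebSocket events. Requests to `/PSIGW` and `/PSEMHUB` are only flagged when they come from outside the assumed corporate ranges, because internal integration clients hit those endpoints legitimately. The event schema, the corporate ranges and the sample events are assumptions.

```python
"""IOC sweep for the CVE-2026-35273 campaign indicators (added example).

Not Adverse Trace, Rapid7 or Mandiant tooling. The event schema, the corporate
address ranges and SAMPLE_EVENTS are constructed for illustration.
"""
import ipaddress
import ntpath
from urllib.parse import urlsplit

# Indicators as published in the advisory, kept in their defanged form.
IOCS = {
    "domain": ["azurenetfiles[.]net"],
    "url": ["wss://azurenetfiles[.]net:443/agent.ashx"],
    "filename": ["meshagent64-azure-ops.exe"],
    "uri_path": ["/PSIGW/HttpListeningConnector", "/PSEMHUB/hub"],
}

# Assumed corporate address space (RFC 1918); clients in here use the gateway legitimately.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(value: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_event(event: dict):
    """Return (ioc_type, indicator) for the first IOC the event matches, else None."""
    kind = event["type"]
    if kind == "process":
        # ntpath.basename splits on both '\\' and '/', so either path style works.
        name = ntpath.basename(event["image"]).lower()
        for ioc in IOCS["filename"]:
            if name == ioc.lower():
                return ("filename", ioc)
    elif kind == "dns":
        for ioc in IOCS["domain"]:
            if host_matches(event["query"], refang(ioc)):
                return ("domain", ioc)
    elif kind == "http":
        # Only requests from non-corporate sources are a hit: internal clients are expected.
        if is_internal(event["src_ip"]):
            return None
        path = urlsplit(event["uri"]).path  # strips the query string
        for ioc in IOCS["uri_path"]:
            if path == ioc:
                return ("uri_path", ioc)
    elif kind == "ws":
        seen = urlsplit(event["url"])
        for ioc in IOCS["url"]:
            ref = urlsplit(refang(ioc))
            if host_matches(seen.hostname or "", ref.hostname) and seen.path == ref.path:
                return ("url", ioc)
    return None


def sweep(events):
    """Return [(event_index, ioc_type, indicator), ...] for every matching event."""
    hits = []
    for i, event in enumerate(events):
        hit = match_event(event)
        if hit:
            hits.append((i, hit[0], hit[1]))
    return hits


# Constructed telemetry: a mix of true positives and benign events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "PSAPP01", "image": r"C:\ProgramData\Azure\meshagent64-azure-ops.exe"},
    {"type": "dns", "host": "PSAPP01", "query": "azurenetfiles.net"},
    {"type": "dns", "host": "PSAPP02", "query": "cdn.azurenetfiles.net"},
    {"type": "http", "src_ip": "203.0.113.7", "uri": "/PSIGW/HttpListeningConnector?Operation=x"},
    {"type": "http", "src_ip": "10.1.2.3", "uri": "/PSEMHUB/hub"},
    {"type": "process", "host": "PSAPP02", "image": r"C:\Windows\explorer.exe"},
    {"type": "ws", "host": "PSAPP01", "url": "wss://azurenetfiles.net:443/agent.ashx"},
]

if __name__ == "__main__":
    for index, ioc_type, indicator in sweep(SAMPLE_EVENTS):
        print(f"event {index}: {ioc_type} match on {indicator}")
```

Feeding real telemetry means replacing `SAMPLE_EVENTS` with events normalised into the same four shapes; the domain match is deliberately suffix-based so that any subdomain of the C2 domain is caught, not just the apex.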
P2 — within 72 hours
- Apply all critical-severity patches from the June 2026 CSPU, prioritising Oracle Fusion Middleware (106 patches) and Oracle E-Business Suite (55 patches).
- Apply the remaining PeopleSoft patches (11 total, 7 remotely exploitable without authentication).
- Review PeopleSoft application server logs for anomalous outbound connections to non-corporate destinations on TCP/445 between 27 May 2026 and the patch date.
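The P2 log-review step above, as an added example not drawn from the advisory or its sources: a Python hunt over constructed Zeek `conn.log` lines that flags TCP/445 connections from known PeopleSoft application servers to non-corporate destinations inside the window from 27 May 2026 to the patch date. The server addresses, the corporate ranges and the 12 June 2026 patch date are assumptions for this estate.

```python
"""Hunt for outbound SMB from PeopleSoft application servers in Zeek conn.log (added example).

Not Adverse Trace tooling. Server addresses, corporate ranges, the patch date and
SAMPLE_CONN_LOG are constructed assumptions.
"""
import ipaddress
from datetime import datetime, timezone

# Assumed inventory of PeopleSoft application servers (hypothetical addresses).
PEOPLESOFT_SERVERS = {"10.20.0.11", "10.20.0.12"}
# Assumed corporate address space; SMB to these ranges is expected file-share traffic.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Review window from the advisory: first known exploitation up to this estate's (assumed) patch date.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
PATCH_DATE = datetime(2026, 6, 12, tzinfo=timezone.utc)  # hypothetical


def epoch(*ymdh) -> float:
    """UTC calendar time to the epoch seconds Zeek writes in the ts column."""
    return datetime(*ymdh, tzinfo=timezone.utc).timestamp()


def parse_conn_log(text: str):
    """Yield one dict per record from Zeek's tab-separated conn.log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #fields header")
            yield dict(zip(fields, line.split("\t")))


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def suspicious_smb(records, start=WINDOW_START, end=PATCH_DATE):
    """Return TCP/445 records from a PeopleSoft server to a non-corporate host within [start, end)."""
    hits = []
    for r in records:
        ts = datetime.fromtimestamp(float(r["ts"]), tz=timezone.utc)
        if not (start <= ts < end):
            continue
        if r["proto"] != "tcp" or r["id.resp_p"] != "445":
            continue
        if r["id.orig_h"] not in PEOPLESOFT_SERVERS:
            continue
        if is_corporate(r["id.resp_h"]):
            continue
        hits.append({"ts": ts.isoformat(), "uid": r["uid"], "src": r["id.orig_h"], "dst": r["id.resp_h"]})
    return hits


FIELDS = "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state"


def _rec(ts, uid, src, sport, dst, dport, proto="tcp", state="S0"):
    """Build one constructed conn.log record (subset of Zeek's real columns)."""
    return f"{ts:.6f}\t{uid}\t{src}\t{sport}\t{dst}\t{dport}\t{proto}\t{state}"


# Constructed sample log: two true positives among benign and out-of-window records.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    FIELDS,
    _rec(epoch(2026, 6, 1, 3), "CAbc1", "10.20.0.11", 49152, "203.0.113.50", 445),   # hit
    _rec(epoch(2026, 6, 1, 3), "CAbc2", "10.20.0.11", 49153, "10.30.0.5", 445),      # corporate file server
    _rec(epoch(2026, 5, 20), "CAbc3", "10.20.0.12", 49154, "198.51.100.9", 445),     # before the window
    _rec(epoch(2026, 6, 2), "CAbc4", "10.20.0.12", 49155, "203.0.113.50", 443),      # HTTPS, not SMB
    _rec(epoch(2026, 6, 2), "CAbc5", "10.50.0.7", 49156, "203.0.113.50", 445),       # not a PeopleSoft server
    _rec(epoch(2026, 6, 3, 1), "CAbc6", "10.20.0.12", 49157, "198.51.100.9", 445),   # hit
])

if __name__ == "__main__":
    for hit in suspicious_smb(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit)
```

Against a real `conn.log` the parser keeps whatever columns the `#fields` header names, so the extra Zeek columns are carried through untouched; the server inventory is the control that turns a generic "outbound SMB" rule into one scoped to the hosts the advisory is about.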
P3 — within 7 days
- Apply remaining high-severity patches (102 CVEs).
- Apply medium and low severity patches per change windows.
- Validate Oracle support contracts and confirm entitlement to the new monthly CSPU cadence introduced in May 2026.
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| domain | azurenetfiles[.]net | High | Rapid7 / Mandiant |
| url | wss://azurenetfiles[.]net:443/agent.ashx | High | Rapid7 / Mandiant |
| filename | meshagent64-azure-ops.exe | High | Rapid7 / Mandiant |
| uri_path | /PSIGW/HttpListeningConnector | High | Rapid7 / Mandiant |
| uri_path | /PSEMHUB/hub | High | Rapid7 / Mandiant |
| port | 445/TCP (outbound SMB from PeopleSoft servers) | High | Rapid7 / Mandiant |
6. Detection
```yara
rule AT_PeopleSoft_CVE_2026_35273_MeshCentral
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-18"
        description = "Detects MeshCentral agent masquerading as Azure ops, deployed via CVE-2026-35273 exploitation chain"
        reference = "https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273"
    strings:
        $agent = "meshagent64-azure-ops.exe" ascii wide
        $c2a = "azurenetfiles" ascii wide
        $c2b = "agent.ashx" ascii wide
        $uri1 = "/PSIGW/HttpListeningConnector" ascii wide
        $uri2 = "/PSEMHUB/hub" ascii wide
    condition:
        any of ($agent*) or any of ($c2*) or any of ($uri*)
}
```
```yaml
title: Outbound SMB from Oracle PeopleSoft Application Server
id: AT-2026-06-18-120-01
status: experimental
description: >
  Detects outbound SMB (TCP/445) connections from hosts running Oracle PeopleSoft,
  which is anomalous behaviour and a strong indicator of CVE-2026-35273 exploitation
  attempting to coerce NetNTLM hash capture.
author: Adverse Trace
date: 2026-06-18
references:
  - https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273
logsource:
  product: zeek
  service: conn
detection:
  selection:
    dst_port: 445
    protocol: tcp
  selection_peoplesoft_host:
    hostname|contains:
      - "peoplesoft"
      - "psft"
      - "psadmin"
      - "psemhub"
  # Both selections must hold: the rule targets PeopleSoft hosts, so the
  # host match is a positive selection, not an exclusion filter.
  condition: selection and selection_peoplesoft_host
  timeframe: 24h
falsepositives:
  - Legitimate file-share replication to known corporate subnets (unlikely on TCP/445 outbound to internet)
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.35273
```
CVE assessment
1 referenced CVE
| CVE | CVSS | Exploited | EPSS | Summary |
|---|---|---|---|---|
| CVE-2026-35273 | — | — | — | Unauthenticated SSRF (CWE-918) in the Environment Management component of PeopleTools 8.61 and 8.62; exploited in the wild since at least 27 May 2026; Rapid7 scores it CVSSv3.1 9.8; not listed in CISA KEV per the authoritative reference data |
7. Sources
- Tenable Research — Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273) — https://www.tenable.com/blog/oracle-june-2026-critical-security-patch-update-addresses-243-cves-cve-2026-35273 — 18 June 2026
- Rapid7 — Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273) — https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273 — 11 June 2026
- SecurityWeek — Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks — https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/ — June 2026
- BleepingComputer — Oracle mitigates PeopleSoft zero-day exploited in data theft attacks — https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/ — June 2026
- Help Net Security — Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert — https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/ — 11 June 2026
- ANSSI France CERT — Vulnérabilité dans Oracle PeopleSoft (CERTFR-2026-AVI-0749) — https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0749/ — 12 June 2026
8. Adverse Trace position
Severity: High. CVE-2026-35273 is an unauthenticated, remotely exploitable flaw in widely deployed Oracle PeopleSoft Enterprise PeopleTools that has been weaponised in a broad extortion campaign affecting over 100 organisations. EMEA financial services entities running PeopleTools 8.61 or 8.62 — or any Oracle Fusion Middleware / E-Business Suite deployments exposed to untrusted networks — should treat this as a P1 patch-and-hunt priority. Attribution to ShinyHunters/UNC6240 is treated as unconfirmed per the authoritative reference data; the TTPs (SSRF → outbound SMB coercion → MeshCentral deployment → data theft and extortion) are confirmed and actionable. Adverse Trace will continue to monitor for additional IOCs, track Oracle's monthly CSPU cadence, and update clients if CISA KEV listing or further in-the-wild exploitation of other June 2026 CVEs is confirmed.
Published via PulseTrace — Adverse Trace threat intelligence.