โš›๏ธStalecollected in 34m

Critical PeopleSoft 0-day vulnerability leads to massive data theft

Critical PeopleSoft 0-day vulnerability leads to massive data theft
PostLinkedIn
โš›๏ธRead original on Ars Technica

๐Ÿ’กCritical enterprise software vulnerabilities can expose proprietary data used to train or fine-tune internal AI models.

โšก 30-Second TL;DR

What Changed

Exploitation of a critical 0-day vulnerability in PeopleSoft

Why It Matters

Organizations relying on PeopleSoft for enterprise resource planning are at immediate risk of data breaches. This highlights the ongoing threat to legacy enterprise software infrastructure.

What To Do Next

Audit your PeopleSoft deployment logs for unauthorized access patterns and apply the latest security patches from Oracle immediately.

Who should care:Enterprise & Security Teams

Key Points

  • โ€ขExploitation of a critical 0-day vulnerability in PeopleSoft
  • โ€ขLarge-scale data exfiltration affecting hundreds of organizations
  • โ€ขUrgent security risk assessment required for enterprise users

๐Ÿง  Deep Insight

Web-grounded analysis with 13 cited sources.

๐Ÿ”‘ Enhanced Key Takeaways

  • โ€ขThe 0-day vulnerability, identified as CVE-2026-35273, is a critical remote code execution (RCE) flaw with a CVSS score of 9.8, allowing unauthenticated attackers to compromise PeopleSoft Enterprise PeopleTools via HTTP.
  • โ€ขThe ShinyHunters extortion group, tracked by Google/Mandiant as UNC6240, actively exploited this zero-day, often in conjunction with a 'gadget chain' of older vulnerabilities, to breach PeopleSoft instances.
  • โ€ขExploitation activity was observed between May 27 and June 9, 2026, preceding Oracle's June 10 advisory, confirming its zero-day status and indicating a period of active, unpatched attacks.
  • โ€ขOver 100 organizations globally, with a significant concentration (68%) in the higher education sector, primarily in the United States, were notified of potential exposure, with the University of Nottingham confirming a breach.
  • โ€ขThe vulnerability specifically impacts PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, residing within the Environment Management Hub (PSEMHUB) component, which is part of the PeopleSoft Internet Architecture (PIA).

๐Ÿ› ๏ธ Technical Deep Dive

  • Vulnerability Identifier: CVE-2026-35273.
  • Vulnerability Type: Critical Remote Code Execution (RCE).
  • CVSS Score: 9.8 (Critical).
  • Affected Component: Oracle PeopleSoft Enterprise PeopleTools, specifically within the Environment Management Hub (PSEMHUB) component.
  • Affected Versions: PeopleTools 8.61 and 8.62, with earlier unsupported versions also likely vulnerable.
  • Exploitation Vector: Remotely exploitable without authentication, requiring network access via HTTP.
  • Attack Methodology: The ShinyHunters group utilized a "gadget chain" combining this 0-day with older vulnerabilities. They deployed customized MeshCentral agents, disguised as legitimate cloud endpoints, to interact with compromised systems.
  • Post-Exploitation Activities: Attackers conducted reconnaissance by inspecting mount points, psappsrv.cfg (application server configuration), and WebLogic server XML configurations (config.xml). Data exfiltration involved compressing stolen data with zstd and establishing outbound SSH connections to their data leak site. A custom shell script ([victim]_fanout.sh) was used for lateral movement and defacement.
  • Architectural Context: PeopleSoft applications are built on the PeopleSoft Internet Architecture (PIA), which includes a web tier, an application server tier (running business logic on Oracle Tuxedo), and a database tier. PeopleTools is the proprietary technology that underpins this architecture, with the application server tier responsible for security enforcement.

๐Ÿ”ฎ Future ImplicationsAI analysis grounded in cited sources

Organizations will face increased pressure to rapidly patch and secure their ERP systems, particularly those in the education sector.
The widespread impact on higher education institutions and the critical nature of the 0-day will necessitate immediate and prioritized security updates and risk assessments for ERP environments.
Oracle may face heightened scrutiny regarding its vulnerability disclosure and patching processes for critical enterprise software.
The exploitation of CVE-2026-35273 as a zero-day before Oracle's public advisory and the initial release of mitigations rather than a full patch could lead to demands for more proactive and transparent security practices.

โณ Timeline

2005
Oracle acquired PeopleSoft, integrating it into its enterprise software portfolio.
2017-10
A critical WebLogic RCE vulnerability (CVE-2017-10271), which PeopleSoft servers inherited, was actively exploited in the wild.
2022
Oracle released updates for PeopleSoft Financials to address SQL injection and data leak bugs, following reports of a DoS attack on a major U.S. bank's PeopleSoft system.
2025
Oracle fixed a critical deserialization RCE (CVE-2025-30748) in the PeopleTools framework and a vulnerability (CVE-2025-30697) in the Panel Processor.
2026-05-27
Active exploitation of CVE-2026-35273 by the ShinyHunters group began, continuing until at least June 9, 2026.
2026-06-10
Oracle issued an out-of-band security alert and released mitigations for the critical PeopleSoft 0-day vulnerability (CVE-2026-35273).

๐Ÿ“Ž Sources (13)

Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.

  1. reddit.com
  2. bleepingcomputer.com
  3. thehackernews.com
  4. cybersecuritydive.com
  5. rescana.com
  6. securityweek.com
  7. trendmicro.com
  8. securityweek.com
  9. helpnetsecurity.com
  10. substack.com
  11. google.com
  12. rublon.com
  13. cisoplatform.com
๐Ÿ“ฐ

Weekly AI Recap

Read this week's curated digest of top AI events โ†’

๐Ÿ‘‰Related Updates

AI-curated news aggregator. All content rights belong to original publishers.
Original source: Ars Technica โ†—