Oracle has published a Security Alert for CVE-2026-35273 affecting PeopleSoft Enterprise PeopleTools. The issue is remotely exploitable without authentication over HTTP and may result in remote code execution. Oracle rates the flaw at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and urges immediate mitigation. Versions 8.61 and 8.62 of PeopleTools are confirmed affected. Oracle also notes that PeopleSoft Enterprise Applications customers may be impacted and recommends prompt action.
BleepingComputer reports that this vulnerability aligns with a PeopleSoft zero‑day used in recent data theft activity attributed to the ShinyHunters group, and cites a public statement from Mandiant’s CTO confirming active exploitation. Oracle’s advisory does not provide exploitation details but does provide mitigations and implementation guidance.
What we know
According to Oracle’s advisory, CVE-2026-35273 is a vulnerability in the PeopleSoft Enterprise PeopleTools “Updates Environment Management” component. It is exploitable without authentication via HTTP and may lead to remote code execution and full compromise of PeopleTools. Oracle has released mitigation guidance through its Security Alert program and recommends immediate implementation. The advisory specifies:
- Affected product: PeopleSoft Enterprise PeopleTools (component: Updates Environment Management)
- Affected versions: 8.61 and 8.62
- Impact: Potential takeover of PeopleTools; RCE possible
- Severity: CVSS 3.1 Base Score 9.8 (C/I/A: High)
Oracle emphasizes that mitigations and patches in the Security Alert program are available for supported product versions. It also states that earlier releases may be affected but are not tested; upgrading to supported versions is recommended.
Separately, BleepingComputer reports that ShinyHunters claims involvement in breaches leveraging a PeopleSoft zero‑day and states that Mandiant’s CTO publicly confirmed CVE-2026-35273 is being actively exploited. BleepingComputer further notes that researchers shared IP addresses observed in related activity and recommends reviewing logs against those indicators. Oracle’s advisory does not include these indicators.
Why it matters
PeopleSoft powers critical HR, finance, and operations workflows across many enterprises. A network‑exposed, unauthenticated path to potential remote code execution presents a high‑impact risk to confidentiality, integrity, and availability. When HTTP is listed in Oracle risk matrices, secure variants like HTTPS are also considered in scope, broadening the potential exposure for internet‑facing or internally accessible deployments.
Practical next steps
- Review and implement Oracle’s Security Alert guidance for CVE-2026-35273 without delay: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
- Confirm whether your environment runs PeopleTools 8.61 or 8.62 and assess any PeopleSoft Enterprise Applications that may also be affected.
- Ensure you are on supported product versions so Security Alert mitigations and future fixes are available; plan upgrades if needed per Oracle’s support policy.
- Monitor Oracle’s advisory for updates and patch availability.
- If you track potential exposure, BleepingComputer’s report includes externally shared indicators tied to recent activity; consider reviewing logs for connections associated with those indicators: https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/
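One way to carry out the log review in the last step, as an added example (not code from Oracle, BleepingComputer, or this blog): it matches client addresses in web access logs against a list of IPs and CIDR ranges and summarises hits per indicator. The indicator values, log lines and request paths are constructed placeholders, and Common/Combined Log Format with the client address in the first field is an assumption about your web tier.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators (documentation ranges); substitute the published ones.
INDICATORS = ["203.0.113.45", "198.51.100.0/28", "2001:db8:dead::/48"]

# Constructed sample lines in Common/Combined Log Format; the paths are made up.
SAMPLE_LOG = """\
203.0.113.45 - - [02/Jun/2026:03:14:07 +0000] "POST /example/path HTTP/1.1" 200 512
192.0.2.10 - - [02/Jun/2026:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [02/Jun/2026:04:01:55 +0000] "GET /example/other HTTP/1.1" 404 0
198.51.100.77 - - [02/Jun/2026:04:02:10 +0000] "GET /index.html HTTP/1.1" 200 1043
2001:db8:dead:1::5 - - [03/Jun/2026:11:20:00 +0000] "POST /example/path HTTP/1.1" 500 0
not a log line
203.0.113.45 - - [03/Jun/2026:12:00:00 +0000] "GET /example/path HTTP/1.1" 200 99
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def load_networks(indicators):
    """Parse IPs and CIDRs into networks; a single IP becomes a /32 or /128."""
    return [ipaddress.ip_network(i.strip(), strict=False) for i in indicators if i.strip()]

def scan(log_text, networks):
    """Return ({indicator: summary}, count of lines that could not be parsed)."""
    hits = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "requests": set()})
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:  # client field holds a hostname or garbage
            addr = None
        if addr is None:
            unparsed += 1  # surface these: a silent skip can hide activity
            continue
        ts, method, path, status = m.groups()[1:]
        for net in networks:
            if addr in net:  # always False across IPv4/IPv6, so mixed lists are safe
                rec = hits[str(net)]
                rec["hits"] += 1
                rec["first"] = rec["first"] or ts  # assumes chronological log order
                rec["last"] = ts
                rec["requests"].add((method, path, status))
    return dict(hits), unparsed

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, load_networks(INDICATORS)))
```

Behind a reverse proxy or load balancer the first field is the proxy's own address, so match on whichever field your log format uses to record the forwarded client address instead.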
What’s still unclear
Oracle has not disclosed detailed technical mechanics of the flaw beyond the affected component and conditions for exploitation. While BleepingComputer reports active exploitation linked to ShinyHunters and cites a confirmation from Mandiant’s CTO, Oracle’s advisory does not provide incident specifics. The extent of impacted organizations and environments remains uncertain in public sources.
Bottom line
CVE-2026-35273 is a critical, unauthenticated issue in Oracle PeopleSoft PeopleTools with a clear path to severe impact. Organizations running affected versions should prioritize Oracle’s mitigations now, verify product support status, and keep watch for advisory updates. Given reports of active exploitation, timely action meaningfully reduces risk while longer‑term fixes progress through the Security Alert program.
Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.