Overview
CVE-2026-35273 is a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools, scoring CVSS 9.8. The flaw exists in the Updates Environment Management component and affects PeopleTools versions 8.61 and 8.62. An unauthenticated attacker with network access via HTTP can fully compromise a PeopleSoft instance with no credentials required.
The vulnerability was disclosed by Oracle and has been actively exploited by threat groups including ShinyHunters, who leveraged it in attacks against university and enterprise targets, most notably a breach at the University of Nottingham that exposed data of over 450,000 students.
Technical Details
The vulnerability allows:
- Unauthenticated access — no credentials required
- Remote code execution via HTTP requests to the Updates Environment Management component
- Full system compromise once exploited — attackers can pivot to connected databases and enterprise systems
Oracle's advisory classifies the flaw as "easily exploitable", its standard wording for a low-complexity attack that needs no user interaction or prior access. Combined with the confirmed in-the-wild exploitation described below, defenders should assume that working exploitation tooling is in circulation.
Affected Versions
| Product | Versions Affected |
|---|---|
| Oracle PeopleSoft Enterprise PeopleTools | 8.61, 8.62 |
Versions outside this range are not listed as affected, but organizations should verify their specific patch levels.
Active Exploitation
This CVE has been confirmed as actively exploited in the wild. The threat actor group ShinyHunters was observed using this vulnerability to breach the University of Nottingham, resulting in the exposure of records for over 450,000 students. Oracle issued emergency patches following disclosure.
CISA is expected to add this CVE to the Known Exploited Vulnerabilities (KEV) catalog given confirmed in-the-wild usage.
Remediation
- Apply Oracle's critical patch immediately — Oracle released an out-of-band patch upon disclosure
- Restrict network access to PeopleSoft Updates Environment Management endpoints at the perimeter
- Review access logs for anomalous HTTP requests to the affected component going back at least 30 days
- Rotate credentials for all accounts with access to PeopleSoft and connected systems
- Audit connected databases for signs of lateral movement or data exfiltration
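The log-review step above is the one most teams have to improvise. The following is an added example, not code from the original page or from Oracle: a small triage script that parses Apache/NCSA combined-format access logs from the PeopleSoft web tier, keeps only requests inside the 30-day lookback window, flags those aimed at the Environment Management component, and drops requests from networks that are expected to talk to it. The path prefix `/PSEMHUB/` is an assumption (it is where the PeopleTools Environment Management Hub servlet is normally mounted; confirm the path on your own PIA deployment before relying on it), the trusted ranges are placeholders, and the log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# ASSUMPTION: URL prefix of the Environment Management Hub servlet on the PIA
# web server. Treat this as a parameter and verify it on your own deployment.
SUSPECT_PREFIXES = ("/PSEMHUB/",)

# Networks that are legitimately allowed to reach the EM hub (placeholder
# internal admin ranges; replace with your own).
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Apache/NCSA combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log lines (not real traffic). Two external hosts probe the
# EM hub, one internal host uses it legitimately, one request is to an unrelated
# PIA path, and one hit is older than the lookback window.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.32"
10.1.4.20 - - [02/Jun/2026:08:00:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 2048 "-" "Java/17"
198.51.100.9 - - [01/Jun/2026:22:41:55 +0000] "GET /psp/ps/EMPLOYEE/HRMS/?cmd=login HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2026:03:14:09 +0000] "GET /PSEMHUB/hub?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.32"
198.51.100.9 - - [30/May/2026:11:02:13 +0000] "POST /psemhub/hub HTTP/1.1" 200 10 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2026:03:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 10 "-" "curl/8.0"
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2026, 6, 3, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or proxy placeholder; treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines, now, lookback_days=30):
    """Return records for EM-hub requests from untrusted sources within the window."""
    cutoff = now - timedelta(days=lookback_days)
    prefixes = tuple(p.upper() for p in SUSPECT_PREFIXES)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < cutoff:
            continue
        # Servlet paths are matched case-insensitively so that casing tricks
        # in the request line do not slip past the filter.
        if not rec["path"].upper().startswith(prefixes):
            continue
        if is_trusted(rec["ip"]):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


def run_sample():
    """Triage the constructed sample against the fixed reference time."""
    return triage(SAMPLE_LOG.splitlines(), REFERENCE_NOW)


if __name__ == "__main__":
    for ip, n in sorted(summarize(run_sample()).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} request(s) to the EM hub")
```

Two practical caveats: if the web tier sits behind a load balancer, the client column will hold the proxy address and you need to log and parse X-Forwarded-For instead; and a 500 response to a probe is still a hit worth investigating, since exploitation attempts against this component often leave error responses rather than clean 200s.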
References
- NVD Detail: CVE-2026-35273
- Oracle Critical Patch Update Advisory — June 2026
- Nottingham University breach coverage — related slug:
shinyhunters-exploits-oracle-peoplesoft-zero-day-cve-2026-35273-to-breach-univer