Oracle Issues Emergency Patch for Critical Unauthenticated RCE in PeopleSoft PeopleTools (CVE-2026-35273)
Oracle released an emergency security alert for CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, with a CVSS score of 9.8.

Oracle has issued an emergency Security Alert to address a critical remote code execution vulnerability (CVE-2026-35273) affecting PeopleSoft Enterprise PeopleTools. The vulnerability carries a CVSS v3.1 score of 9.8, highlighting its severity and the urgent need for remediation across enterprise environments.
The flaw resides in the Updates Environment Management component of PeopleSoft PeopleTools and can be exploited remotely over HTTP. It does not require authentication or user interaction, making it particularly dangerous for internet-facing systems. Oracle confirmed that successful exploitation could allow attackers to execute arbitrary code, potentially leading to full system compromise.
Security researchers from TrendAI Zero Day Initiative, including Bobby Gould, Lucas Miller, and Minh Giang, were credited with discovering and reporting the vulnerability. Their findings indicate that the attack complexity is low, which increases the likelihood of active exploitation attempts in the wild.
The vulnerability impacts PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Oracle also warned that earlier or unsupported versions may be affected, even though they have not been formally tested. Since patches are only released for supported versions under Premier or Extended Support, organizations running outdated systems face additional risk if they do not upgrade.
From a technical standpoint, the vulnerability is exploitable over the network without any privileges. The CVSS vector rates the impact on confidentiality, integrity, and availability as High, meaning an attacker could read sensitive data, alter system configuration, or take services down entirely. In a real-world scenario, a publicly exposed PeopleSoft instance could be compromised to deploy malicious payloads or serve as a foothold for lateral movement within a corporate network.
Oracle has released patches and mitigation guidance as part of the Security Alert and strongly recommends immediate action. Organizations should prioritize applying the available updates, restrict external access to PeopleSoft environments, and monitor systems for suspicious activity. Maintaining systems on supported versions is also critical to ensure continued access to security updates.
This issue underscores the ongoing threat posed by unauthenticated RCE vulnerabilities in widely deployed enterprise software. Given PeopleSoft’s role in managing critical business operations such as HR and finance, exploitation of this flaw could have significant operational and data security consequences. Organizations are advised to treat CVE-2026-35273 as a high-priority risk and take swift steps to secure their infrastructure.
Mandiant CTO Charles Carmakal has now confirmed active exploitation of CVE-2026-35273 in the wild, corroborating Oracle's out-of-band alert. The vulnerability, a remotely exploitable unauthenticated RCE in PeopleTools 8.61 and 8.62, is being leveraged by the ShinyHunters extortion group, which claims to have breached over 100 organizations, primarily educational institutions, by chaining old and zero-day flaws. A threat researcher also discovered exposed directories containing attack tools and a shell script designed to spread defacement markers across PeopleSoft infrastructure, indicating deep familiarity with the platform.
The SecurityWeek report adds that the ShinyHunters group claimed to have targeted 300 PeopleSoft instances across more than 100 organizations, chaining old and zero-day exploits to steal data. The education sector was hit hardest, with the University of Nottingham confirming a significant data breach. Mandiant CTO Charles Carmakal has warned about the zero-day exploitation, though Oracle has not officially confirmed in-the-wild attacks.