ShinyHunters Exploits Oracle PeopleSoft Zero-Day CVE-2026-35273: What to Do Now

ShinyHunters exploited a critical zero-day in Oracle PeopleSoft Enterprise PeopleTools, tracked as CVE-2026-35273, to compromise servers and steal data. Organizations running Oracle PeopleSoft PeopleTools 8.61 or 8.62, or any unsupported earlier version, are at risk of active exploitation by ShinyHunters, a data extortion group now using this vulnerability for initial access.

The vulnerability allows an unauthenticated attacker to execute code on a PeopleSoft server with only network access to its HTTP service, and Oracle disclosed it only after the campaign was already underway.

ShinyHunters has historically relied on social engineering rather than software exploits. They use voice phishing against help desk staff and employees, then abuse single sign-on and OAuth to reach data held in SaaS platforms such as Salesforce and Microsoft 365. In the PeopleSoft campaign, they exploited the vulnerability instead, then moved laterally to other servers within the PeopleSoft deployment. As in their other operations, they exfiltrated sensitive data and threatened to leak it unless the victim paid.

Mitigation and Investigation

Oracle issued an out-of-band fix for CVE-2026-35273 on June 10, 2026, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog two days later. While the flaw affects PeopleTools 8.61 and 8.62, earlier unsupported versions are likely vulnerable as well. Organizations running an affected version should not wait for a routine patch cycle:

  • Upgrade unsupported versions: No patch exists for releases earlier than 8.61, so organizations running them should upgrade to a supported version to remediate.
  • Disable the Environment Management Hub: In multi-server configurations, disable the EMHub service; in single-server configurations, remove the PSEMHUB application, following Oracle's guidance. If neither is possible, block external access to the /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints at the perimeter, since these are the paths the attack chain targets.
  • Investigate for prior compromise: Examine previously exposed PeopleSoft servers for signs of intrusion, including attempts to reach other servers in the PeopleSoft environment.
  • Hunt for the attacker's marker file: Search the PeopleSoft web and application server directories for a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT. Its presence is a clear sign that the attack succeeded on that host.
  • Monitor for outbound SMB traffic: Watch for outbound SMB connections on TCP port 445 from PeopleSoft servers to external destinations. The exploit chain may use these to capture machine-account NetNTLM hashes, making the traffic an early indicator of exploitation.
  • Rotate exposed credentials: The intrusion spread by spraying a list of common administrative and application credentials over SSH to other PeopleSoft hosts, and the attacker read the application server configuration file, psappsrv.cfg, which stores credentials. Treat both sets as exposed and rotate them.
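A small log-triage script for the outbound-SMB and perimeter-endpoint checks above, added here as an example and not MOXFIVE's or Oracle's code; the firewall and access-log formats, the internal address ranges, the PeopleSoft host list and the sample log lines are all assumptions constructed for it:

```python
import ipaddress
import re
# Indicators from the advisory above: the endpoints the attack chain targets.
TARGETED_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Assumed internal address space for this example; replace with the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed log formats: firewall "ts src dst proto dport" and Apache combined access logs.
FW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_external(ip):
    """True when the address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def outbound_smb_to_external(fw_lines, peoplesoft_hosts):
    """Flag TCP/445 from a PeopleSoft host to an external address (possible NetNTLM capture)."""
    findings = []
    for line in fw_lines:
        if m := FW_RE.match(line.strip()):
            ts, src, dst, proto, dport = m.groups()
            if src in peoplesoft_hosts and proto == "tcp" and dport == "445" and is_external(dst):
                findings.append((ts, src, dst))
    return findings

def external_hits_on_targeted_paths(web_lines):
    """Flag requests from external addresses to the targeted endpoints."""
    findings = []
    for line in web_lines:
        if m := WEB_RE.match(line.strip()):
            src, method, path, status = m.groups()
            if is_external(src) and path.startswith(TARGETED_PATHS):
                findings.append((src, method, path, status))
    return findings

# Constructed sample logs for demonstration; not real traffic.
PEOPLESOFT_HOSTS = {"10.20.30.11", "10.20.30.12"}
SAMPLE_FW = [
    "2026-06-09T02:14:07Z 10.20.30.11 203.0.113.7 tcp 445",  # PeopleSoft host -> external SMB
    "2026-06-09T02:14:09Z 10.20.30.11 10.20.30.12 tcp 22",   # internal SSH, outside this check
    "2026-06-09T02:16:33Z 10.20.40.9 203.0.113.7 tcp 445",   # not a PeopleSoft host
]
SAMPLE_WEB = [
    '198.51.100.23 - - [09/Jun/2026:02:13:58 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512',
    '10.20.5.8 - - [09/Jun/2026:02:14:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 88',
    '198.51.100.23 - - [09/Jun/2026:02:14:02 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 4096',
]
if __name__ == "__main__":
    print(outbound_smb_to_external(SAMPLE_FW, PEOPLESOFT_HOSTS), external_hits_on_targeted_paths(SAMPLE_WEB))
```

Run it over exported firewall and web-server logs from the exploitation window; any hit warrants the fuller host investigation the list above describes.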

MOXFIVE has responded to multiple ShinyHunters intrusions and recently published a report, “ShinyHunters Recovery Playbook: What to Do in the First 48 Hours”, covering how to contain and remediate these compromises before the situation escalates. If your organization ran an exposed PeopleSoft instance during the exploitation window, don’t wait for symptoms to appear.

PeopleSoft holds the payroll, financial, and personal records of an entire organization, which is exactly the data the group seeks. Exploitation predated the patch, so any organization that ran an exposed instance during that window may already be compromised, even after applying the fix.

Dylan Duncan

Dylan Duncan spearheads MOXFIVE's Cyber Threat Intelligence efforts with a sharp focus on the ever-evolving threat landscape and the sophisticated tactics of cyber adversaries. He has spent years investigating and dissecting complex threats, particularly malware loaders that serve as gateways for ransomware attacks. Through his impactful research and insightful reports, Dylan has exposed the strategies of some of the most formidable threat actors, contributing critical intelligence that has aided law enforcement in high-stakes operations. With a commitment to resilience and strategic foresight, Dylan equips organizations to proactively defend against tomorrow's cyber threats.
