Vulnerability  ·  2026-06-13

CISA KEV: Oracle PeopleSoft CVE-2026-35273 Actively Exploited by ShinyHunters — 100+ Organisations Breached, Federal Patch Deadline June 15

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-35273
Oracle PeopleSoft PeopleTools contains a missing authentication vulnerability (CVSS 9.8) that allows unauthenticated remote attackers to take full control of PeopleSoft instances via HTTP. CISA added this to the Known Exploited Vulnerabilities catalog on June 12, 2026 with a federal remediation deadline of June 15. ShinyHunters (tracked as UNC6240 by Mandiant) exploited this as a zero-day between May 27 and June 9, 2026, compromising 300+ PeopleSoft instances across 100+ organisations — 68% in higher education. University of Nottingham confirmed 454,600 student records stolen. Oracle issued an out-of-band advisory on June 10; patches are expected imminently.
The attack vector is an unauthenticated HTTP request to PeopleSoft's Environment Management component. ShinyHunters developed automated 'gadget chain' tooling that combines CVE-2026-35273 with previously known vulnerabilities, enabling exploitation at scale. Their lateral movement scripts attempt authentication with default PeopleSoft accounts (psoft, oracle, linuxadm).
Affected products: Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 (and potentially earlier, unsupported versions). PeopleTools is used globally for HR, payroll, student records, and financial aid management across enterprises, universities, and government agencies.
Apply Oracle's out-of-band mitigations immediately per oracle.com/security-alerts/alert-cve-2026-35273.html. Federal agencies must comply by June 15 per CISA BOD 26-04. Check IOC list (IP addresses linked to azurenetfiles[.]net TLS certificate) against network logs. Restrict PeopleSoft's Environment Management component to internal network access pending full patch.
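The log checks called for above (matching the IOC list against network logs and confirming that the Environment Management component is only reached from the internal network), as an added triage example that is not part of the advisory and is not Oracle's, CISA's or Mandiant's tooling. It scans web-server access-log lines in Common Log Format for source IPs on an IOC list and for requests to the Environment Management endpoint from non-internal addresses, and scans sshd-style auth lines for logins to the default accounts named above. The IOC addresses, the internal ranges, the `/PSEMHUB/` path prefix and every sample log line are assumptions or constructed values: replace them with the published IOC list and your own environment's paths and address ranges.

```python
"""Triage helper for the two log checks in the advisory (added example)."""
import ipaddress
import re

# Constructed placeholder IOC list. The real list (IPs tied to the
# azurenetfiles[.]net TLS certificate) comes from the Oracle/CISA advisory.
IOC_IPS = frozenset({"203.0.113.45", "198.51.100.7"})

# Ranges treated as "internal" (RFC 1918 plus loopback); adjust to your network.
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
)

# Assumption: the Environment Management hub servlet is served under this prefix.
EM_PATH_PREFIX = "/PSEMHUB/"

# Default PeopleSoft accounts named in the advisory.
DEFAULT_ACCOUNTS = frozenset({"psoft", "oracle", "linuxadm"})

# Common Log Format, with the request line split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# sshd authentication result lines (Accepted/Failed password or publickey).
SSH_RE = re.compile(
    r"(?P<outcome>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def is_internal(ip: str) -> bool:
    """True if ip parses and falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage_line(line: str) -> list[str]:
    """Return the reasons an access-log line is suspicious (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    if m["path"].startswith(EM_PATH_PREFIX) and not is_internal(m["ip"]):
        reasons.append("external-em-access")
    return reasons


def triage(lines) -> list[tuple[int, str, str, list[str]]]:
    """Return (line_no, ip, path, reasons) for every flagged access-log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        reasons = triage_line(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.append((n, m["ip"] if m else "?", m["path"] if m else "?", reasons))
    return findings


def default_account_logins(lines) -> list[tuple[int, str, str, str]]:
    """Return (line_no, outcome, user, ip) for sshd lines on DEFAULT_ACCOUNTS."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SSH_RE.search(line)
        if m and m["user"] in DEFAULT_ACCOUNTS:
            hits.append((n, m["outcome"], m["user"], m["ip"]))
    return hits


# Constructed sample data: one benign user request, one IOC hit, one external
# request to the EM endpoint, one internal EM request that should not fire.
SAMPLE_ACCESS_LOG = """\
10.20.30.40 - - [08/Jun/2026:09:14:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HC_PAY_INQ.GBL HTTP/1.1" 200 5123
203.0.113.45 - - [08/Jun/2026:09:15:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812
198.18.0.9 - - [08/Jun/2026:09:15:12 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812
192.168.5.6 - - [08/Jun/2026:09:16:40 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 412
"""

SAMPLE_AUTH_LOG = """\
Jun  8 09:20:01 psapp01 sshd[4121]: Failed password for psoft from 10.20.30.40 port 51522 ssh2
Jun  8 09:20:05 psapp01 sshd[4121]: Accepted password for oracle from 10.20.30.40 port 51530 ssh2
Jun  8 09:21:00 psapp01 sshd[4130]: Accepted publickey for alice from 192.168.5.6 port 40011 ssh2
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_ACCESS_LOG.splitlines()):
        print("access:", finding)
    for hit in default_account_logins(SAMPLE_AUTH_LOG.splitlines()):
        print("auth:", hit)
```

Both functions return triage leads rather than verdicts: an internal host that appears in the sshd hits may be an administrator, and the path check only catches what the reverse proxy or WebLogic access log actually records, so run it against the logs from every tier that fronts the Environment Management component.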
Sources

- CISA Known Exploited Vulnerabilities Catalog
- Oracle Security Alert — CVE-2026-35273
- CyberScoop — ShinyHunters Exploits Oracle PeopleSoft Zero-Day
- NVD — CVE-2026-35273