← All articles

Oracle issues emergency PeopleSoft fix as exploited zero-day drives breaches

The ShinyHunters data-theft wave against Oracle PeopleSoft, covered yesterday, now has a confirmed root cause: a zero-day. Oracle has issued an out-of-band emergency mitigation for CVE-2026-35273, a critical flaw (rated 9.8) in PeopleSoft PeopleTools that lets an unauthenticated attacker run code on the server over HTTP, with no login required. Google's Mandiant says the bug was exploited from May 27 to June 9, before any advisory existed, and notified more than 100 affected organizations, 68 percent of them universities. The exposed component is the Environment Management Hub. Affected versions are PeopleTools 8.61 and 8.62; a full patch is still pending.

Check
Determine whether PeopleSoft PeopleTools 8.61 or 8.62 is in use and whether the Environment Management Hub is reachable externally, then review logs for the published attacker IPs and credential-spray activity.
Affected
Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 with the Environment Management Hub exposed to untrusted networks (CVE-2026-35273); PeopleSoft Enterprise Applications customers may also be affected.
Fix
Apply Oracle's emergency mitigations from the June out-of-band alert immediately and restrict access to the Environment Management Hub, then watch for the full patch and assume compromise where exposed.