Here’s a number that should make every IT manager pause their morning coffee: 9.8 out of 10. That’s the CVSS score for CVE-2026-35273, a zero-day vulnerability in Oracle’s PeopleSoft that lets attackers waltz into enterprise systems without a password, without credentials, without so much as a knock on the door. And as of this writing — five days after Oracle’s emergency advisory — there is still no full patch.

The ShinyHunters threat group — the same outfit behind some of the largest data extortion campaigns in recent years — has already breached roughly 300 PeopleSoft instances across more than 100 organizations. Universities, hospitals, government agencies: the list reads like a who’s-who of institutions you’d trust with your most sensitive data. The University of Nottingham confirmed approximately 40GB of stolen data, including student records, financial aid information, health data, and immigration details.
This isn’t just another CVE to add to the quarterly patch cycle. This is the kind of vulnerability that keeps security teams awake at night — and for good reason.
What Makes CVE-2026-35273 So Dangerous
The vulnerability sits in PeopleSoft’s Environment Management Hub (PSEMHUB), a component of PeopleTools versions 8.61 and 8.62. The root cause is deceptively simple: a missing authentication check (CWE-306) that allows unauthenticated remote code execution over plain HTTP. No credentials required. No user interaction. Just a network connection and the right exploit code.
Oracle’s advisory describes it with clinical restraint — “easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools” — but the reality on the ground is far messier. Mandiant’s CTO took the unusual step of issuing a public warning specifically confirming zero-day exploitation, a move the security community rarely sees outside of nation-state campaigns.
The Gadget Chain That Broke Everything
The technical mechanism is what researchers call a “gadget chain” — a technique that links multiple vulnerabilities together to achieve exploitation neither component could accomplish alone. ShinyHunters combined the newly discovered CVE-2026-35273 zero-day with older, previously patched Oracle flaws to construct an attack chain that bypassed authentication entirely.
Here’s what the attack actually looked like on the wire. The attackers set up five consecutive staging servers (IPs 142.11.200.186 through .190), each running a Python SimpleHTTP server on port 8888 that exposed their command histories and pre-configured remote management agents. The MeshCentral agents were disguised as legitimate Azure services with filenames like meshagent64-azure-ops.exe, communicating with a C2 domain — azurenetfiles.net — designed to look like a Microsoft Azure NetApp Files endpoint. Clever social engineering wrapped around a devastating technical exploit.
From Entry to Exfiltration in Minutes
Once inside, the attack moved fast. The operators used meshctrl.js to inspect PeopleSoft configurations, audit active NFS mounts, and read WebLogic configuration files to map internal application servers. A propagation script — named [victim_abbreviation]_fanout.sh — performed SSH credential spraying against every host listed in /etc/hosts. Stolen data was compressed with zstd and exfiltrated via SSH to ShinyHunters’ data leak infrastructure.
The whole sequence — initial access, reconnaissance, lateral movement, data staging, and exfiltration — could execute in minutes once the initial foothold was established. Organizations with internet-facing PeopleSoft instances had almost no time to react.
Why Universities Became Ground Zero
Sixty-eight percent of the identified targets are in higher education. That’s not a coincidence. PeopleSoft is the dominant ERP platform across universities worldwide — it manages payroll, financial aid disbursement, student enrollment, academic records, and health services data. A single intrusion into a university’s PeopleSoft instance grants access to data that spans decades of student and staff history.
The education sector has also historically lagged behind enterprise in cybersecurity investment. Universities run lean IT teams, stretched across sprawling campuses with decentralized technology procurement. When Oracle’s quarterly Critical Patch Updates drop, applying them to a production PeopleSoft instance requires downtime windows that competing institutional priorities frequently override. The ShinyHunters campaign exploited that gap — hitting systems that were technically supported but operationally unpatched.
Oracle’s Response: Mitigations Without a Patch
Oracle’s out-of-band advisory on June 10 offered mitigations — configuration changes and compensating controls — but stopped short of delivering a full software patch. The advisory also notably declined to confirm active in-the-wild exploitation, even as Mandiant and independent researchers were publicly characterizing the campaign as an active zero-day exploitation chain.
This puts administrators in an uncomfortable position. Applying configuration-based mitigations requires technical understanding of PeopleSoft internals that not every IT team possesses. A misconfigured mitigation can break functionality without actually closing the vulnerability. And for organizations running PeopleSoft instances outside of Oracle’s Premier or Extended Support windows — which is more common than Oracle would like to admit — there may never be a patch at all.
This pattern of advisory-without-patch has drawn criticism before. As I wrote when Microsoft patched 206 flaws in a single month, the volume of vulnerabilities is outpacing the patching capacity of most organizations. When a vendor adds configuration complexity on top of an unpatched critical flaw, the math gets even worse for defenders.
The Bigger Picture: Enterprise Software as a Battleground
CVE-2026-35273 doesn’t exist in isolation. It’s the latest in a string of attacks targeting enterprise platforms that form the invisible backbone of institutional infrastructure. The Cl0p ransomware group — also confirmed to be exploiting this vulnerability — has built its entire business model around weaponizing zero-days in enterprise software. MOVEit, Accellion, SolarWinds, and now PeopleSoft: the playbook is consistent, and it works.
The economics favor attackers. A single zero-day in widely deployed enterprise software can yield hundreds of victims, each facing the dual pressure of operational disruption and regulatory breach notification. The IronWorm npm supply chain attack demonstrated how a single compromised package can ripple through thousands of downstream projects. With PeopleSoft, the blast radius is even wider — these aren’t development dependencies; they’re production systems holding live PII.
There’s also a geopolitical dimension worth noting. While ShinyHunters is primarily a financially motivated group, the data they’re exfiltrating — university research, government employee records, healthcare information — has downstream value to nation-state actors. North Korean state-sponsored hackers have demonstrated sophisticated capabilities against US targets, and the line between criminal and state-sponsored campaigns grows blurrier every year.
What Filipino Organizations Should Do Right Now
If your organization runs PeopleSoft — and many Philippine universities, government agencies, and large enterprises do — here’s what needs to happen today:
First, check your version. If you’re on PeopleTools 8.61 or 8.62, you’re vulnerable. Period. The CVSS 9.8 score means this is as bad as it gets — full system compromise with no authentication required.
Second, apply Oracle’s mitigations immediately. Even though it’s not a patch, the configuration changes in Oracle’s advisory will reduce your attack surface. Don’t wait for a full patch to ship — ShinyHunters and Cl0p are actively scanning for exposed instances right now.
Third, monitor for the indicators: outbound SSH connections to IP 176.120.22.24, connections to the domain azurenetfiles.net, and the presence of files named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in your PeopleSoft directories. Also check /tmp for scripts matching *_fanout.sh.
Fourth, isolate internet-facing instances. If your PeopleSoft environment doesn’t absolutely need to be accessible from the public internet, take it offline until a full patch is available. The attack surface reduction alone is worth the temporary inconvenience.
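As an added example (not code from the article, from Oracle, or from any of the researchers it cites), here is a small Python sweep for the indicators listed in step three: it takes the PeopleSoft base directory, the /tmp directory and connection or DNS log lines as inputs, and the demo() function runs it against a constructed sandbox rather than a live host. The log line formats are assumptions; adapt the patterns to whatever your own tooling emits.

```python
import fnmatch
import os
import re
import tempfile
# Indicators quoted in the article above (the only page-specific values used here).
IOC_IP = "176.120.22.24"
IOC_DOMAIN = "azurenetfiles.net"
IOC_README = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
IOC_SCRIPT_GLOB = "*_fanout.sh"
# Boundary-aware patterns so "10.176.120.22.24" or "notazurenetfiles.net" do not fire.
_IP_RE = re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?![\d.])")
_DOMAIN_RE = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(IOC_DOMAIN) + r"(?![A-Za-z0-9-])", re.I)

def find_files(root, pattern):
    """Paths under root whose basename matches the glob pattern (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if fnmatch.fnmatch(f.lower(), pattern.lower())]
    return sorted(hits)

def find_c2_references(lines):
    """(line_no, indicator, line) for connection or DNS log lines naming the C2 IP or domain."""
    hits = []
    for no, line in enumerate(lines, 1):
        for ioc, rx in ((IOC_IP, _IP_RE), (IOC_DOMAIN, _DOMAIN_RE)):
            if rx.search(line):
                hits.append((no, ioc, line.strip()))
    return hits

def sweep(ps_dir, tmp_dir, conn_lines):
    """Run the three checks from step three above; returns one dict of findings."""
    return {"ransom_notes": find_files(ps_dir, IOC_README),
            "fanout_scripts": find_files(tmp_dir, IOC_SCRIPT_GLOB),
            "c2_references": find_c2_references(conn_lines)}

def demo():
    """Build a constructed sandbox (not a real host) and sweep it; returns the findings."""
    base = tempfile.mkdtemp(prefix="psft-ioc-")
    ps_dir, tmp_dir = os.path.join(base, "psft"), os.path.join(base, "tmp")
    # One true positive per file check plus a decoy: fanout.sh has no "<stem>_" prefix.
    for rel in ("psft/appserv/" + IOC_README, "tmp/acme_fanout.sh", "tmp/fanout.sh"):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
    conn_lines = [  # constructed `ss -tnp` and DNS-log style lines, not real captures
        'ESTAB 0 0 10.0.0.5:51822 176.120.22.24:22 users:(("ssh",pid=2231,fd=3))',
        "query[A] c2.azurenetfiles.net from 10.0.0.5", "query[A] notazurenetfiles.net from 10.0.0.5"]
    return sweep(ps_dir, tmp_dir, conn_lines)
```

On a real host, point sweep() at the PeopleSoft installation root, /tmp and the output of your connection or DNS logging, and treat any non-empty finding as a trigger for incident response rather than as proof on its own.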
The frustration here is real. Oracle’s approach — emergency advisory without a full patch — asks organizations to absorb risk that should sit with the vendor. When you pay enterprise licensing fees, you expect enterprise-grade responsiveness. What you’re getting instead is a five-day-old advisory and a promise that a patch is “under development.”
The Bottom Line
CVE-2026-35273 is a reminder that the software running our institutions is only as secure as the vendors’ willingness to fix it quickly. A 9.8-severity vulnerability that’s been actively exploited for nearly a week deserves more than mitigations and a “patch coming soon” note. It deserves a fix, shipped with the same urgency that attackers are bringing to their exploitation campaigns.
In the meantime, the burden falls on defenders — as it always does. Check your PeopleSoft versions tonight. Apply the mitigations. Monitor for the IOCs. And if your organization runs unsupported PeopleSoft instances, this might be the wake-up call you’ve been putting off.
The attackers aren’t waiting. Neither should you.