Sentinel Brief

ShinyHunters Hit 100+ Orgs Via Oracle PeopleSoft Zero-Day

Key Takeaways
  • CVE-2026-35273, a CVSS 9.8 critical flaw in Oracle PeopleSoft PeopleTools 8.61 and 8.62, enabled unauthenticated remote code execution and was exploited as a zero-day for 14 days before Oracle's June 10, 2026 advisory.
  • ShinyHunters (UNC6240) claimed to have targeted approximately 300 PeopleSoft instances across 100+ organizations — 68% of which were higher education institutions, primarily U.S. universities and colleges.
  • As of June 12, 2026, CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog under Binding Operational Directive 26-04, with a federal agency remediation deadline of June 15, 2026.
  • Patching alone is insufficient — organizations must also investigate for compromise indicators dating back to May 27, 2026, when active exploitation first began.

The Threat: CVE-2026-35273, UNC6240, and Fourteen Days Without a Defense

Picture your university's security operations desk on the morning of May 27, 2026. Nothing unusual is queued. A patch for Oracle PeopleSoft is not on the radar because Oracle has not issued one — or even acknowledged the flaw that ShinyHunters is already exploiting. That gap lasted fourteen days. Reporting by CyberSecurityNews, surfaced by Google News on June 17, 2026, details how Google's Mandiant unit tracked active zero-day exploitation of CVE-2026-35273 from May 27 through June 9, 2026 — two weeks before Oracle's own security advisory reached the public on June 10.

The vulnerability carries a CVSS v3.1 score of 9.8 out of 10, placing it at the extreme end of Oracle's severity classifications. It affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 and enables unauthenticated remote code execution — meaning an attacker can seize full system control without a single valid credential. Attack infrastructure tied to the campaign included five IP addresses (142.11.200.186 through 142.11.200.190) and a command-and-control domain, azurenetfiles[.]net, engineered to impersonate legitimate Microsoft Azure cloud endpoints. That masquerade is the detail that separates a disciplined threat actor from commodity scanning tools.

The threat actor is ShinyHunters, tracked by Mandiant as UNC6240. Mandiant researchers noted that "the attacker staging environments hosted customized MeshCentral agents masquerading as legitimate cloud endpoints" to execute administrative queries and deploy lateral movement scripts across compromised systems. ShinyHunters is not new to enterprise-scale breaches — a related cluster (UNC6040/UNC6395) compromised approximately 760 downstream Salesforce customer organizations in a 2025 voice-phishing campaign, including a Google corporate instance. The same group has now claimed to have targeted roughly 300 PeopleSoft instances across more than 100 organizations globally. Stolen data from confirmed victims — including the University of Nottingham, United Kingdom — was published to their Data Leak Site on June 9, 2026. This campaign reflects a tactical evolution: ShinyHunters appears to be shifting from traditional ransomware deployment toward pure data-theft extortion, which means no decryption key to negotiate for and no clean recovery path.

Blast Radius — The 68% Problem

As of June 17, 2026, 68% of the 100+ organizations identified as potential compromise targets were higher education institutions, primarily U.S.-based universities and colleges. That concentration is not accidental. PeopleSoft is the operational backbone of hundreds of campuses — managing student financial records, payroll, HR data, and enrollment inside a single integrated platform. One exploitation event exposes every sensitive data category the institution holds simultaneously.

Universities also carry structural exposure their corporate peers often do not: aging PeopleSoft deployments layered with years of custom configurations that complicate rapid patching, security teams sized for compliance rather than active threat detection, and internet-facing PeopleSoft instances that must serve a distributed student population. ShinyHunters appears to have mapped this calculus before launching. Claiming 300 targeted instances across a specific sector is not the output of opportunistic mass-scanning — it is disciplined victim profiling.

The broader ERP (Enterprise Resource Planning) attack surface has drawn sustained threat actor attention for years. The Cl0p ransomware group demonstrated the playbook with serial zero-day exploitation targeting enterprise platforms including MOVEit, Accellion, and SolarWinds. The PeopleSoft campaign extends that pattern to a sector that has historically underestimated its own target value.

CVE-2026-35273: Days Elapsed from First Exploitation (May 27, 2026)
  • Zero-day window open: 14 days
  • Oracle advisory published: 14 days
  • CISA KEV catalog entry: 16 days
  • Federal remediation deadline: 3 days (counted from the KEV entry)
Sources: Mandiant / CISA / Oracle Security Alert (June 2026)

Chart: Elapsed days from first active exploitation (May 27) to key response milestones. The federal patch window was 3 days; the unchallenged zero-day window that preceded it was nearly five times longer.

Enterprise data protection strategies that treat ERP systems as back-office infrastructure rather than critical security perimeter are exactly what this campaign exploits. As coverage of Cohesity Maestro MCP's enterprise data protection integration highlighted recently, the attack surface for enterprise platforms extends well beyond patching — backup integrity, access governance, and lateral movement detection all matter once a threat actor is already inside the network.

The Defense Stack That Closes This Gap

Three layers need to work in coordination, and none of them is optional:

Technical control: Apply Oracle's patch for CVE-2026-35273 immediately. Oracle's June 10, 2026 advisory describes implementation of recommended mitigations as a "high-priority risk reduction measure" and calls for "immediate action." If a patch cycle cannot open quickly, compensating controls reduce blast radius: network segmentation isolating PeopleSoft from open internet paths, WAF (web application firewall) rules blocking unauthenticated request patterns to PeopleSoft web endpoints, and egress filtering that flags unexpected outbound connections from application servers — especially to anything that looks like a cloud service domain.

Process: The 14-day exploitation window that preceded Oracle's advisory is a threat intelligence failure as much as a vendor response gap. Organizations subscribed to Mandiant Advantage or comparable commercial threat intelligence services had early warning signals during that window. Rapid7's published assessment states that "organizations running affected versions should patch immediately without waiting for regular cycles" and recommends investigating for compromise indicators even after patching. Integrating threat intelligence into vulnerability management workflows — so that KEV catalog additions trigger immediate security awareness reviews rather than sitting in a remediation queue — is the process control that shortens this window for the next zero-day.
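The process control described above, a KEV catalog addition opening an immediate review item rather than a queued ticket, as an added example that is not CISA's, Oracle's or Mandiant's code. It assumes the field names of CISA's public known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction), a hypothetical asset inventory with hypothetical hostnames, and a constructed KEV record built from the dates and versions this brief reports.

```python
"""Turn a CISA KEV catalog addition into an immediate review item.

Added example for this brief; not CISA's, Oracle's or Mandiant's code.
Assumptions: field names follow CISA's public KEV JSON feed
(known_exploited_vulnerabilities.json); the asset inventory and hostnames
are hypothetical; the KEV record is constructed from dates in the brief.
"""
from dataclasses import dataclass
from datetime import date

# Constructed KEV feed excerpt (schema as in the public CISA feed, assumption).
SAMPLE_KEV_FEED = {
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-35273",
            "vendorProject": "Oracle",
            "product": "PeopleSoft Enterprise PeopleTools",
            "dateAdded": "2026-06-12",
            "dueDate": "2026-06-15",
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {   # placeholder entry for a product this inventory does not run
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2026-06-12",
            "dueDate": "2026-07-03",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ]
}

# Versions the vendor advisory names as affected (from the brief). KEV entries
# carry no version data, so a local map is needed to avoid over- or under-matching.
AFFECTED_VERSIONS = {"CVE-2026-35273": {"8.61", "8.62"}}


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str
    internet_facing: bool


# Hypothetical asset inventory.
INVENTORY = [
    Asset("ps-web-01.example.edu", "Oracle", "PeopleSoft Enterprise PeopleTools", "8.62", True),
    Asset("ps-app-02.example.edu", "Oracle", "PeopleSoft Enterprise PeopleTools", "8.61", False),
    Asset("hr-test-01.example.edu", "Oracle", "PeopleSoft Enterprise PeopleTools", "8.60", False),
    Asset("proxy-01.example.edu", "ExampleVendor", "OtherProduct", "1.0", True),
]


@dataclass(frozen=True)
class Finding:
    cve: str
    hostname: str
    version: str
    status: str        # "affected" or "verify-version"
    priority: str      # "P1-immediate" or "P2-this-week"
    due_in_days: int
    required_action: str


def match_kev_to_inventory(feed, inventory, affected_versions, today):
    """Return one Finding per (KEV entry, matching asset).

    Every KEV entry is by definition actively exploited, so a product match
    alone is enough to open a review; the version map only decides whether the
    host is confirmed affected or needs a manual version check.
    """
    by_product = {}
    for asset in inventory:
        by_product.setdefault((asset.vendor.lower(), asset.product.lower()), []).append(asset)

    findings = []
    for entry in feed["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        due_in = (date.fromisoformat(entry["dueDate"]) - today).days
        listed = affected_versions.get(entry["cveID"])
        for asset in by_product.get(key, []):
            status = "affected" if listed is None or asset.version in listed else "verify-version"
            urgent = status == "affected" and (asset.internet_facing or due_in <= 7)
            findings.append(Finding(
                cve=entry["cveID"], hostname=asset.hostname, version=asset.version,
                status=status, priority="P1-immediate" if urgent else "P2-this-week",
                due_in_days=due_in, required_action=entry["requiredAction"],
            ))
    # P1 first, then soonest federal due date, so the queue reads top-down.
    return sorted(findings, key=lambda f: (f.priority, f.due_in_days, f.hostname))


def demo_findings(today=date(2026, 6, 12)):
    """Run the match against the constructed feed as of the KEV addition date."""
    return match_kev_to_inventory(SAMPLE_KEV_FEED, INVENTORY, AFFECTED_VERSIONS, today)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.priority:13} {f.cve} {f.hostname} v{f.version} "
              f"({f.status}, CISA due in {f.due_in_days}d)")
```

The version map is the part most teams forget: the KEV feed says which product is exploited, not which builds, so a host on a version the advisory does not list is surfaced as "verify-version" rather than silently dropped.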

People: The attacker C2 domain was built to look like Azure infrastructure. That means network monitoring discipline that treats outbound traffic from ERP application servers as suspicious regardless of its cloud-shaped appearance is a genuine compensating control. Lateral movement from a compromised PeopleSoft server should never blend silently into the traffic baseline.
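The monitoring discipline described above, outbound connections from ERP application servers checked against the server role's allowlist with cloud-lookalike names ranked first, as an added example that is not Mandiant's or any vendor's tooling. The server names, internal allowlist and log format are hypothetical; the trusted Microsoft parent domains are ones this example assumes the organisation actually uses; the log lines are constructed, with azurenetfiles.net being the brief's C2 domain with the defanging brackets removed.

```python
"""Egress audit for ERP application servers: flag outbound destinations that
are not on the role's allowlist, and rank cloud-lookalike names first.

Added example for this brief; not Mandiant's or any vendor's tooling.
Hostnames, allowlist and log format are hypothetical; log lines constructed.
"""
from dataclasses import dataclass

# Hosts whose role is "PeopleSoft application server" (hypothetical).
ERP_APP_SERVERS = {"ps-app-01", "ps-app-02"}

# Exact destinations an ERP app server legitimately talks to (hypothetical).
ALLOWED_EXACT = {"db-erp-01.internal.example.edu", "patch-mirror.internal.example.edu"}

# Parent domains the organisation has decided to trust for cloud traffic (assumption).
TRUSTED_SUFFIXES = (".windows.net", ".azure.com", ".microsoft.com", ".microsoftonline.com")

# Brand tokens that make an untrusted name look like a cloud service (heuristic).
CLOUD_TOKENS = ("azure", "microsoft", "amazonaws", "googleapis")

# Constructed outbound-connection log: timestamp,src_host,dst_host,dst_port
SAMPLE_LOG = """\
2026-06-02T03:11:45Z,ps-app-01,db-erp-01.internal.example.edu,1521
2026-06-02T03:12:02Z,ps-app-01,login.microsoftonline.com,443
2026-06-02T03:13:19Z,ps-app-01,azurenetfiles.net,443
2026-06-02T03:14:40Z,ps-app-02,files-azure-sync.example-cdn.net,443
2026-06-02T03:15:01Z,ps-app-02,cdn.example-analytics.net,443
2026-06-02T03:16:30Z,student-lab-17,azurenetfiles.net,443
2026-06-02T03:17:05Z,ps-app-02,azure.com.example-lookalike.net,443
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_host: str
    dst_host: str
    dst_port: int
    verdict: str   # "allowed", "cloud-lookalike" or "unexpected-egress"


def under_suffix(host, suffix):
    """True if host is the trusted parent domain itself or a subdomain of it.

    The leading dot in the suffix matters: "azure.com.example-lookalike.net"
    must not pass as ".azure.com", and the bare apex must still be accepted.
    """
    return host == suffix.lstrip(".") or host.endswith(suffix)


def classify_destination(dst_host):
    host = dst_host.lower().rstrip(".")
    if host in ALLOWED_EXACT or any(under_suffix(host, s) for s in TRUSTED_SUFFIXES):
        return "allowed"
    if any(tok in host for tok in CLOUD_TOKENS):
        return "cloud-lookalike"   # cloud-shaped name, but not under a trusted parent
    return "unexpected-egress"


def audit_egress(log_text):
    """Classify every outbound connection made by an ERP application server."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        if src not in ERP_APP_SERVERS:
            continue   # other roles have their own baselines; out of scope here
        findings.append(Finding(ts, src, dst, int(port), classify_destination(dst)))
    # Lookalikes first, then other unexpected egress, allowed traffic last.
    order = {"cloud-lookalike": 0, "unexpected-egress": 1, "allowed": 2}
    return sorted(findings, key=lambda f: (order[f.verdict], f.timestamp))


if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG):
        print(f"{f.verdict:17} {f.timestamp} {f.src_host} -> {f.dst_host}:{f.dst_port}")
```

The point of the suffix check is that an allowlist is only as good as its matching logic: a destination that merely contains a cloud brand name is the signal this campaign's C2 was designed to hide behind, so anything cloud-shaped that is not under a trusted parent domain goes to the top of the queue.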

One Thing to Do Before End of Day

If your organization runs Oracle PeopleSoft PeopleTools 8.61 or 8.62, the most important action right now is not just patching — it is a retroactive compromise assessment. Pull network and DNS logs covering May 27, 2026 through the present and search for any connections to or from the five known attacker IP addresses (142.11.200.186 through 142.11.200.190) and any DNS resolution of azurenetfiles[.]net. If those indicators appear, escalate to your incident response team before assuming the patch resolves the situation. CISA's BOD 26-04 gave federal agencies a three-day window to remediate after the June 12, 2026 KEV addition. Private-sector organizations and universities carry no mandatory regulatory clock — which makes the internal discipline to act without a deadline the actual measure of security posture maturity.

In my analysis, the more significant signal from this campaign is not the 9.8 CVSS score — it is ShinyHunters' demonstrated capacity to profile 300 PeopleSoft instances by sector and exposure level before mass exploitation. That is disciplined data protection targeting, not opportunistic scanning. I would argue every organization running internet-facing ERP software should treat this incident as a prompt to audit their full external ERP attack surface, not just the PeopleSoft-specific patch window.

Frequently Asked Questions

What is CVE-2026-35273 and how does the Oracle PeopleSoft zero-day vulnerability actually work?

CVE-2026-35273 is a critical unauthenticated remote code execution vulnerability — a security flaw that lets an attacker run arbitrary commands on a system without needing login credentials — in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. As of June 17, 2026, it carries a CVSS v3.1 score of 9.8 out of 10, the highest severity tier Oracle classifies. An attacker sends a specially crafted HTTP request to an exposed PeopleSoft web interface and achieves full system control. ShinyHunters exploited this flaw in the wild from May 27 through at least June 9, 2026, before Oracle published a security advisory on June 10, 2026.

How do I investigate whether my PeopleSoft system was already compromised before the patch was available?

Because exploitation began on May 27, 2026 — two weeks before any patch existed — Rapid7 recommends that organizations investigate for compromise indicators even after applying Oracle's fix. Review network and DNS logs for connections to or from IP addresses 142.11.200.186 through 142.11.200.190, and for DNS queries resolving azurenetfiles[.]net. Also look for anomalous process executions or unexpected administrative query activity on PeopleSoft application servers during the May 27 to present window. If indicators appear, engage your incident response team before treating patching alone as remediation complete.
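The retroactive log sweep described in "One Thing to Do Before End of Day" and in the FAQ answer above, as an added example that is not Rapid7's, Mandiant's or CISA's tooling. The five attacker IP addresses, the C2 domain and the May 27, 2026 window start are the ones this brief reports; the firewall and DNS log formats, the internal addresses and the log lines themselves are constructed.

```python
"""Retroactive IoC sweep for the CVE-2026-35273 campaign window.

Added example for this brief; not Rapid7's, Mandiant's or CISA's tooling.
The indicators and window start come from the brief; log formats, internal
addresses and log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Indicators as reported in the brief (domain written defanged, as published).
ATTACKER_IP_FIRST = "142.11.200.186"
ATTACKER_IP_LAST = "142.11.200.190"
ATTACKER_DOMAIN_DEFANGED = "azurenetfiles[.]net"
WINDOW_START = datetime(2026, 5, 27)   # first observed exploitation per Mandiant


def refang(indicator):
    """Convert the published defanged form back to the string that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def expand_ip_range(first, last):
    """Materialise an inclusive IPv4 range as a set of address strings."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return {str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)}


ATTACKER_IPS = expand_ip_range(ATTACKER_IP_FIRST, ATTACKER_IP_LAST)
ATTACKER_DOMAIN = refang(ATTACKER_DOMAIN_DEFANGED)

# Constructed firewall (FW) and resolver (DNS) log lines: "<ts> <type> k=v ...".
# The first line predates the window; two others are near-miss addresses.
SAMPLE_LOGS = """\
2026-05-20T11:02:14Z FW src=10.20.30.41 dst=142.11.200.187 dport=443 action=ALLOW
2026-05-30T22:41:07Z FW src=10.20.30.41 dst=142.11.200.188 dport=443 action=ALLOW
2026-05-31T04:12:55Z FW src=10.20.30.41 dst=142.11.201.186 dport=443 action=ALLOW
2026-06-01T09:30:00Z FW src=142.11.200.190 dst=10.20.30.41 dport=443 action=ALLOW
2026-06-03T01:05:12Z DNS client=10.20.30.41 qname=azurenetfiles.net qtype=A
2026-06-03T01:05:13Z DNS client=10.20.30.52 qname=files.azurenetfiles.net qtype=A
2026-06-04T13:44:09Z DNS client=10.20.30.77 qname=login.microsoftonline.com qtype=A
2026-06-05T16:20:31Z FW src=10.20.30.41 dst=142.11.200.185 dport=443 action=ALLOW
"""


@dataclass(frozen=True)
class Hit:
    timestamp: datetime
    internal_host: str   # the address on our side of the connection or query
    indicator: str
    source: str          # "FW" or "DNS"


def parse_line(line):
    ts_text, kind, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kind, kv


def domain_matches(qname, domain):
    """Match the C2 domain itself and any subdomain of it."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def sweep(log_text, window_start=WINDOW_START):
    """Return every in-window log line touching a known indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, kv = parse_line(line)
        if ts < window_start:
            continue   # window starts at first exploitation; widen it if in doubt
        if kind == "FW":
            # Both directions matter: outbound beaconing and inbound from attacker infra.
            for ours, theirs in ((kv["src"], kv["dst"]), (kv["dst"], kv["src"])):
                if theirs in ATTACKER_IPS:
                    hits.append(Hit(ts, ours, theirs, "FW"))
        elif kind == "DNS" and domain_matches(kv["qname"], ATTACKER_DOMAIN):
            hits.append(Hit(ts, kv["client"], kv["qname"], "DNS"))
    return sorted(hits, key=lambda h: h.timestamp)


def escalation_summary(hits):
    """Group hits by internal host so IR can scope the investigation per system."""
    summary = {}
    for h in hits:
        summary.setdefault(h.internal_host, set()).add(h.indicator)
    return summary


if __name__ == "__main__":
    for host, indicators in escalation_summary(sweep(SAMPLE_LOGS)).items():
        print(f"ESCALATE {host}: {sorted(indicators)}")
```

A hit on any internal host is the escalation trigger the brief describes; the summary is grouped per host because the patch does not undo whatever happened on a system that already talked to attacker infrastructure.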

Does the CISA BOD 26-04 remediation deadline for CVE-2026-35273 apply to private universities and businesses?

The Binding Operational Directive (BOD) 26-04 deadline of June 15, 2026 applies exclusively to U.S. federal government agencies. However, CISA's Known Exploited Vulnerabilities catalog — to which CVE-2026-35273 was added on June 12, 2026 — is an authoritative signal for all organizations that a vulnerability has confirmed, active exploitation in the wild. Oracle, Mandiant, and Rapid7 all recommend that any organization running affected Oracle PeopleSoft versions treat patching and compromise investigation as an immediate priority, regardless of whether a regulatory mandate applies to their sector.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs. Research based on publicly available sources current as of June 17, 2026.