Top stories
Oracle PeopleSoft CVE-2026-35273 zero-day actively exploited; CISA KEV
- Category: Security
- Status: confirmed
- Sources: Rapid7, SecurityWeek (ShinyHunters), CISA KEV catalog
- Summary: CVE-2026-35273 (CVSS 9.8) is an unauthenticated server-side request forgery leading to remote code execution in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. It was exploited as a zero-day between 2026-05-27 and 2026-06-09, two weeks before Oracle's 2026-06-10 out-of-band advisory; Google attributes exploitation to ShinyHunters. PeopleTools 8.61 and 8.62 are affected. CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-12 (confirmed in the KEV feed) and ordered federal agencies to patch.
- Why it matters: Internet-exposed PeopleSoft handles HR and financial data, and unauthenticated RCE under active extortion-group use makes unpatched instances an immediate breach risk.
- Follow-up: Watch for confirmed data-theft victims, ransomware follow-on, and the federal remediation deadline.