Full Report
A vulnerability has been discovered in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools that could allow an attacker with network access via HTTP to completely take over the software. PeopleSoft is an integrated enterprise resource planning (ERP) software suite widely used by large organizations for managing core business functions, including HR, payroll, finance, supply chain, and campus operations. Successful exploitation of this vulnerability can result in remote code execution, potentially leading to full system compromise.
Analysis Summary
# Vulnerability: Remote Code Execution in Oracle PeopleSoft PeopleTools
## CVE Details
- **CVE ID**: CVE-2026-35273
- **CVSS Score**: 10.0 (Critical - estimated based on "complete takeover" and "unauthenticated RCE" description)
- **CWE**: Not explicitly listed (Typically associated with CWE-94 or CWE-78)
## Affected Systems
- **Products**: Oracle PeopleSoft Enterprise PeopleTools
- **Versions**: 8.61 through 8.62
- **Configurations**: Systems with the **Updates Environment Management** component accessible via HTTP/HTTPS.
## Vulnerability Description
A critical security flaw exists in the Updates Environment Management component of PeopleSoft PeopleTools. The vulnerability allows an unauthenticated remote attacker to send specially crafted HTTP requests to the server. Due to a lack of proper input validation or authorization checks in this specific component, the attacker can execute arbitrary code on the underlying operating system. Because this component is used for managing environment updates, it frequently runs with elevated privileges, so a successful attack leads to total system compromise.
## Exploitation
- **Status**: **Exploited in the wild**. Threat intelligence indicates the "ShinyHunters" extortion gang is actively targeting PeopleSoft servers for data theft.
- **Complexity**: Low (No authentication or user interaction required).
- **Attack Vector**: Network (HTTP/HTTPS).
## Impact
- **Confidentiality**: High (Full data access/theft reported).
- **Integrity**: High (Complete software takeover).
- **Availability**: High (Total system compromise).
## Remediation
### Patches
- Oracle has issued security updates to address this flaw. Administrators should log into the Oracle Support portal to retrieve the latest patches for PeopleTools versions 8.61 and 8.62.
- It is recommended to apply updates via automated patch management (M1051) after brief environment testing.
### Workarounds
- **Network Segmentation**: Restrict access to the PeopleSoft HTTP/HTTPS ports to known, trusted internal IP addresses only.
- **Disable Component**: If the "Updates Environment Management" component is not required for daily production operations, disable or block access to its specific URIs at the Web Application Firewall (WAF) or Reverse Proxy level.
## Detection
- **Indicators of Compromise**: Monitor for unusual outbound network traffic from PeopleSoft application servers, particularly to unknown external IP addresses (potential data exfiltration).
- **Detection Methods**:
  - Review HTTP access logs for suspicious requests hitting the Updates Environment Management endpoints.
  - Employ EDR/AV to detect unauthorized shell execution (e.g., `cmd.exe` or `/bin/sh` spawned by the web server process).
  - Perform authenticated vulnerability scans using SCAP-compliant tools.
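The first two detection methods above, as an added example that is not part of this advisory: a small Python checker run over constructed EDR process events and access-log lines. The web-server image names (PeopleSoft's web tier runs in a Java/WebLogic process), the trusted internal address range, and the endpoint path are assumptions; the path is a placeholder to be replaced with the real URI prefix from Oracle's alert.

```python
import re
from dataclasses import dataclass

# ASSUMPTION: the PeopleSoft web tier (PIA) runs inside a Java/WebLogic process.
WEB_SERVER_IMAGES = {"java", "java.exe"}
# Shell interpreters named in the advisory's detection guidance, plus common variants.
SHELL_IMAGES = {"cmd.exe", "/bin/sh", "/bin/bash", "sh", "bash"}
# PLACEHOLDER: substitute the Updates Environment Management URI prefix from Oracle's alert.
UEM_PATH = re.compile(r"/UEM_ENDPOINT_PLACEHOLDER/", re.IGNORECASE)
# NCSA common-log shape: client ident user [time] "METHOD path HTTP/x" status size
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str  # image name of the parent process, as an EDR records it
    image: str         # image name of the spawned process
    cmdline: str


def shell_spawned_by_web_server(events):
    """Flag a shell whose parent is the web server process (the advisory's EDR check)."""
    return [e for e in events
            if e.parent_image.lower() in WEB_SERVER_IMAGES and e.image.lower() in SHELL_IMAGES]


def uem_requests(access_log_lines, untrusted_only=True, trusted_prefixes=("10.",)):
    """Return (client, method, path, status) for requests that hit the UEM endpoint.
    ASSUMPTION: trusted internal clients sit in 10.0.0.0/8; adjust to your segmentation."""
    hits = []
    for line in access_log_lines:
        m = ACCESS_LINE.match(line)
        if not m or not UEM_PATH.search(m["path"]):
            continue
        if untrusted_only and m["client"].startswith(trusted_prefixes):
            continue  # expected traffic from the allowed internal range
        hits.append((m["client"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    ProcEvent("java.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("explorer.exe", "cmd.exe", "cmd.exe"),
    ProcEvent("java", "/bin/sh", "/bin/sh -c id"),
]
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2026:10:01:02 +0000] "POST /UEM_ENDPOINT_PLACEHOLDER/update HTTP/1.1" 200 512',
    '10.0.4.7 - - [12/May/2026:10:02:10 +0000] "GET /UEM_ENDPOINT_PLACEHOLDER/status HTTP/1.1" 200 88',
    '198.51.100.9 - - [12/May/2026:10:03:44 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for e in shell_spawned_by_web_server(SAMPLE_EVENTS):
        print("ALERT shell spawned by web server:", e)
    for hit in uem_requests(SAMPLE_LOG):
        print("ALERT UEM request from untrusted client:", hit)
```

Requests from the trusted range are still worth reviewing after a patch window; pass `untrusted_only=False` to list every hit on the endpoint.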
## References
- BleepingComputer: hxxps://www[.]bleepingcomputer[.]com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/
- CVE Record: hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-35273
- Oracle Security Alert: hxxps://www[.]oracle[.]com/security-alerts/alert-cve-2026-35273[.]html