
CVE-2026-35273: Defending Against Active Exploitation of Oracle PeopleSoft by ShinyHunters

Security Arsenal Team
June 13, 2026
5 min read

Defenders, we have a confirmed active exploitation scenario that requires your immediate attention. Google has publicly confirmed that the threat actor ShinyHunters is exploiting a critical security flaw in Oracle PeopleSoft. While Oracle has released mitigations for CVE-2026-35273, the lack of initial public confirmation regarding its in-the-wild status has left many organizations exposed.

PeopleSoft environments are the crown jewels of enterprise operations—hosting HR, financial, and supply chain data. A successful breach here does not just result in data exfiltration; it threatens business continuity. This is not a drill; CVE-2026-35273 is being leveraged in the wild right now by a financially motivated actor.

Technical Analysis

Affected Product: Oracle PeopleSoft Enterprise (PeopleTools)
CVE Identifier: CVE-2026-35273
Threat Actor: ShinyHunters

Google’s threat intelligence teams have observed ShinyHunters leveraging this vulnerability to target exposed PeopleSoft Internet Architecture (PIA) web instances. While Oracle has addressed the flaw with a security mitigation (likely a patch or significant configuration change), the technical details suggest that unpatched instances are vulnerable to remote code execution (RCE) via the web interface.

Attack Chain & Mechanism:

  1. Initial Access: The actor scans for exposed PeopleSoft PIA ports (typically TCP 80, 443, or custom ports).
  2. Exploitation: A specific vulnerability within the PeopleTools component is triggered, likely bypassing authentication or exploiting a deserialization flaw to achieve code execution.
  3. Execution: Upon successful exploitation, the web server process (often WebLogic or the proprietary PIA server) spawns a shell or executes commands.
  4. Objectives: ShinyHunters is known for data theft; expect attempts to dump the PeopleSoft database (PS tables) or move laterally to connected domain controllers.

Exploitation Status: Confirmed Active Exploitation (In-the-Wild).

Detection & Response

Defending against this requires a multi-layered approach. We need to catch the exploitation attempt at the web layer and, critically, detect the resultant anomalous process execution on the application server.

SIGMA Rules

---
title: Potential Exploitation of CVE-2026-35273 PeopleSoft RCE
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects suspicious process activity indicative of successful exploitation of Oracle PeopleSoft CVE-2026-35273. Focuses on the web server parent process spawning shells.
references:
  - https://www.securityweek.com/google-confirms-exploitation-of-oracle-peoplesoft-zero-day-by-shinyhunters/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - '\weblogic\'
      - '\bea\'
      - '\psft\'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of them
falsepositives:
  - Legitimate administrative troubleshooting by WebLogic admins
level: high
---
title: ShinyHunters PeopleSoft Webshell Indicators
id: b0c1d2e3-f4a5-6b7c-8d9e-0f1a2b3c4d5e
status: experimental
description: Detects the creation of suspicious JSP or servlet files in PeopleSoft web directories, a common post-exploitation action for webshells.
references:
  - https://www.securityweek.com/google-confirms-exploitation-of-oracle-peoplesoft-zero-day-by-shinyhunters/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\psproj\'
      - '\ps_home\'
      - '\webserv\'
    TargetFilename|endswith:
      - '.jsp'
      - '.jsv'
  condition: selection
falsepositives:
  - Valid PeopleSoft customization or patch deployment
level: medium
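To make the two selections above concrete, here is an added Python reference matcher (not part of the original post and not a Sigma engine) that applies the same contains/endswith logic, case-insensitively as Sigma does, to constructed sample events; it also reflects the parent/child shell hunt the KQL query later on this page runs against Defender telemetry. The field names are the Sysmon names the rules use; the sample paths are hypothetical.

```python
# Selection values copied from the two Sigma rules above.
PARENT_CONTAINS = ("\\weblogic\\", "\\bea\\", "\\psft\\")
CHILD_ENDSWITH = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
WEBDIR_CONTAINS = ("\\psproj\\", "\\ps_home\\", "\\webserv\\")
WEBSHELL_ENDSWITH = (".jsp", ".jsv")

def _contains(value, needles):
    # Sigma string matching is case-insensitive by default.
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _endswith(value, needles):
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)

def matches_rce_rule(event):
    """Rule 1: a web server parent under a weblogic/bea/psft path spawns a shell."""
    return (_contains(event.get("ParentImage", ""), PARENT_CONTAINS)
            and _endswith(event.get("Image", ""), CHILD_ENDSWITH))

def matches_webshell_rule(event):
    """Rule 2: a JSP-like file is written under a PeopleSoft web directory."""
    target = event.get("TargetFilename", "")
    return _contains(target, WEBDIR_CONTAINS) and _endswith(target, WEBSHELL_ENDSWITH)

def triage(events):
    """Return (rule_title, event) pairs for every event a rule fires on."""
    hits = []
    for ev in events:
        if ev["EventType"] == "process_creation" and matches_rce_rule(ev):
            hits.append(("Potential Exploitation of CVE-2026-35273 PeopleSoft RCE", ev))
        elif ev["EventType"] == "file_create" and matches_webshell_rule(ev):
            hits.append(("ShinyHunters PeopleSoft Webshell Indicators", ev))
    return hits

# Constructed sample events, not real telemetry; the paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Oracle\Middleware\bea\jdk\bin\java.exe"},   # rule 1 fires
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                       # benign
    {"EventType": "file_create",
     "TargetFilename": r"D:\psft\pt\webserv\peoplesoft\applications\x.jsp"},  # rule 2 fires
    {"EventType": "file_create",
     "TargetFilename": r"D:\psft\pt\webserv\peoplesoft\logs\PIA_stdout.log"},  # benign
]

if __name__ == "__main__":
    for title, ev in triage(SAMPLE_EVENTS):
        print(f"[{title}] {ev}")
```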

KQL (Microsoft Sentinel / Defender)

Use this query to hunt for web server processes (often running as SYSTEM or a service account) spawning command shells, which is highly anomalous in standard PeopleSoft operations.

DeviceProcessEvents
| where Timestamp > ago(7d)
// Parent: the PeopleSoft/WebLogic JVM, or anything running from the PeopleSoft install paths.
// cmd.exe is deliberately not treated as a parent here: a cmd.exe-spawns-cmd.exe match fires on
// every ordinary shell chain, and the wrapper scripts (startWebLogic.cmd etc.) are covered by the folder filters.
| where InitiatingProcessFileName =~ "java.exe"
    or InitiatingProcessFolderPath contains @"\Oracle\Middleware"
    or InitiatingProcessFolderPath contains @"\psft"
// Child: an interactive shell or script host. The child's image column in DeviceProcessEvents is FileName.
| where FileName in~ ("cmd.exe", "powershell.exe", "bash.exe", "wscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for recently modified JSP files within the PeopleSoft webserv directory, which could indicate a webshell drop associated with CVE-2026-35273.

// Hunt for recently created/modified JSP files in PeopleSoft directories.
// VQL has no "7d" or "5kb" literals: the window is given in seconds (7 * 24 * 3600)
// and the size in bytes. OSPath is the current column name (FullPath on older releases).
// The OR clause flags small JSP files regardless of age, since webshells are typically tiny.
SELECT OSPath, Mtime, Atime, Size, Mode
FROM glob(globs='/opt/oracle/psft/**/webserv/**/*.jsp')
WHERE Mtime > timestamp(epoch=now() - 604800)
   OR Size < 5120

Remediation Script

This Bash script assists Linux-based PeopleSoft administrators in identifying potential webshells or artifacts dropped by ShinyHunters. Run this on your PeopleSoft application servers.

#!/bin/bash

# Audit script for CVE-2026-35273 Indicators of Compromise
# Targets: PeopleSoft Application Servers (Linux/Unix)

PEOPLESOFT_BASE="/opt/oracle/psft"
DAYS_TO_CHECK=7

echo "[*] Scanning for recently modified JSP/Servlet files in $PEOPLESOFT_BASE..."

# -mtime -N lists files modified within the last N days
find "$PEOPLESOFT_BASE" -path "*webserv*" -name "*.jsp" -mtime "-$DAYS_TO_CHECK" -ls

echo "[*] Checking for suspicious process forks by WebLogic/PeopleSoft users..."

# Identify PIDs for common PeopleSoft/WebLogic processes (one per line)
PIDS=$(pgrep -f "weblogic.Server")

if [ -n "$PIDS" ]; then
    echo "[*] Checking child processes of PIDs: $(echo "$PIDS" | tr '\n' ' ')"
    # This is a snapshot; continuous monitoring requires EDR.
    # Select on the parent PID column rather than grepping for the PID string,
    # which would also hit unrelated lines (timestamps, other PIDs, arguments).
    for pid in $PIDS; do
        ps -eo pid,ppid,user,args | awk -v ppid="$pid" '$2 == ppid' \
            | grep -E '(^|/| )(sh|bash|dash|ksh|perl|python[0-9.]*|nc|ncat)( |$)'
    done
else
    echo "[-] No WebLogic processes found running."
fi

echo "[*] Audit complete. Review findings for unauthorized artifacts."

Remediation

  1. Apply Vendor Patches: Oracle has released mitigations for CVE-2026-35273. Review the Oracle Critical Patch Update (CPU) advisory or the specific security alert for PeopleTools. Apply the patch immediately to the PeopleTools version.
  2. Network Segmentation: Ensure your PeopleSoft PIA servers are not directly exposed to the public internet. Place them behind a WAF (Web Application Firewall) and enforce strict IP allow-listing for the /psp/ and /psc/ endpoints.
  3. Compromise Assessment: If you cannot patch immediately, assume breach. Conduct a thorough review of logs for the IOCs mentioned above. Look for unauthorized administrative logins within the PeopleSoft application itself.
  4. Vendor Advisory: Reference the official Oracle Security Alert for CVE-2026-35273 for the specific patch version numbers relevant to your PeopleTools release (8.5x, 8.6x, etc.).
