Active exploitation of CVE-2026-35273 in Oracle PeopleSoft allows unauthenticated code execution. Immediate mitigation and detection are required.
Introduction
Security teams managing Oracle PeopleSoft environments are facing a critical threat. Oracle has released a warning regarding a critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-35273. This flaw is not theoretical; it is currently being exploited in the wild by the threat actor group ShinyHunter as part of coordinated data theft operations.
For organizations relying on PeopleSoft for HR, Finance, or Supply Chain management, this represents a severe risk of data exfiltration and ransomware deployment. Because the vulnerability allows unauthenticated execution, attackers do not require valid credentials to gain initial access. This blog provides a technical breakdown of the threat and actionable detection and remediation guidance.
Technical Analysis
Vulnerability Details:
- CVE ID: CVE-2026-35273
- Affected Product: Oracle PeopleSoft Suite
- Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
- Threat Actor: ShinyHunter (known for database theft and extortion)
Mechanism of Exploitation:
The vulnerability exists within a specific component of the PeopleSoft web interface. Due to a flaw in input validation or deserialization, an attacker can send a specially crafted HTTP request to a vulnerable endpoint. This request triggers the application server to execute arbitrary code under the context of the application service account (typically psadm2 or SYSTEM on Windows).
Attack Chain:
- Initial Access: Attacker sends HTTP POST/GET requests to the PeopleSoft PIA (PeopleSoft Internet Architecture) web server, targeting the vulnerable component.
- Execution: The server executes the attacker's payload (often a webshell or reverse shell).
- Objective: ShinyHunter utilizes this access to query the underlying database (often Oracle DB or SQL Server) to siphon sensitive PII, financial records, or credentials.
Exploitation Status: Oracle has confirmed active exploitation. While patches or mitigations are being released, the window of exposure is open for organizations that have not applied the latest vendor security alerts.
Detection & Response
Given the active exploitation by ShinyHunter, detection must focus on identifying the initial webshell upload, the unusual process spawning associated with the exploit, and subsequent data exfiltration traffic.
SIGMA Rules
---
title: Potential PeopleSoft CVE-2026-35273 Exploitation - WebShell Creation
id: 8a1b2c3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects potential webshell file creation in PeopleSoft web directories by the Java process.
references:
  - https://www.oracle.com/security-alerts/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: file_creation
  product: windows
detection:
  selection:
    Image|endswith: '\java.exe'
    TargetFilename|contains:
      - '\webserv\'
      - '\peoplesoft\'
      - '\servlets\'
    TargetFilename|endswith:
      - '.jsp'
      - '.jsa'
      - '.exe'
  condition: selection
falsepositives:
  - Legitimate PeopleSoft administrator deployments
level: high
---
title: Unusual Process Spawn by PeopleSoft Application Server
id: 9b2c3d4e-5f6a-7890-1b2c-3d4e5f67890a
status: experimental
description: Detects shell processes spawned by PeopleSoft Java/Tuxedo processes, indicative of RCE.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\java.exe'
      - '\psadmin.exe'
      - '\jboot.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative troubleshooting
level: critical
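To confirm that the two rules above do what their selections say before shipping them to a SIEM, it helps to run their logic over a handful of known events. The following is an added example, not code from the original post or from Oracle: a minimal evaluator for the two Sigma modifiers the rules use (`|endswith` and `|contains`, case-insensitive as Sigma string matching is by default), with both selections transcribed as Python dicts and four constructed events using the Sigma Windows field names (Image, TargetFilename, ParentImage). The PeopleSoft install paths inside the events are assumptions.

```python
"""Evaluate the two Sigma rules above against constructed sample events.

Added example (not from the original post or from Oracle). Implements only
the Sigma modifiers the rules need: ``|endswith`` and ``|contains``, both
case-insensitive. Event field names follow the Sigma Windows taxonomy; the
file paths are assumptions about a PeopleSoft layout, not real telemetry.
"""
from typing import Dict, List, Tuple, Union

Pattern = Union[str, List[str]]

# Logsource category and selection map of each rule, transcribed from the YAML above.
RULES: Dict[str, dict] = {
    "webshell_creation": {
        "category": "file_creation",
        "selection": {
            "Image|endswith": "\\java.exe",
            "TargetFilename|contains": ["\\webserv\\", "\\peoplesoft\\", "\\servlets\\"],
            "TargetFilename|endswith": [".jsp", ".jsa", ".exe"],
        },
    },
    "shell_spawn": {
        "category": "process_creation",
        "selection": {
            "ParentImage|endswith": ["\\java.exe", "\\psadmin.exe", "\\jboot.exe"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
        },
    },
}

# Constructed sample events; "category" stands in for the logsource category.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: java.exe drops a JSP inside the PIA web tree -> should fire webshell_creation
        "category": "file_creation",
        "Image": r"C:\psft\pt\jdk\bin\java.exe",
        "TargetFilename": r"C:\psft\pt\webserv\peoplesoft\applications\peoplesoft\PORTAL.war\x.jsp",
    },
    {   # 1: java.exe writes a log outside the watched directories -> no alert
        "category": "file_creation",
        "Image": r"C:\psft\pt\jdk\bin\java.exe",
        "TargetFilename": r"C:\psft\pt\appserv\APPDOM\LOGS\APPSRV_0406.LOG",
    },
    {   # 2: cmd.exe spawned by the application server JVM -> should fire shell_spawn
        "category": "process_creation",
        "ParentImage": r"C:\psft\pt\jdk\bin\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    {   # 3: PowerShell started interactively by an administrator -> no alert
        "category": "process_creation",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]


def evaluate_selection(selection: Dict[str, Pattern], event: Dict[str, str]) -> bool:
    """Sigma semantics for a selection map: every field spec must match (AND);
    a list of values under one spec matches if any value matches (OR)."""
    for spec, pattern in selection.items():
        field, _, modifier = spec.partition("|")
        value = str(event.get(field, "")).lower()
        candidates = [str(p).lower() for p in (pattern if isinstance(pattern, list) else [pattern])]
        if modifier == "endswith":
            matched = any(value.endswith(c) for c in candidates)
        elif modifier == "contains":
            matched = any(c in value for c in candidates)
        elif modifier == "":
            matched = value in candidates
        else:
            raise ValueError(f"modifier not implemented in this example: {modifier}")
        if not matched:
            return False
    return True


def run_detections(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event whose category matches the
    rule's logsource and whose fields satisfy the selection ('condition: selection')."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if event.get("category") != rule["category"]:
                continue
            if evaluate_selection(rule["selection"], event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in run_detections(SAMPLE_EVENTS):
        print(f"ALERT {name}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

Running it alerts on events 0 and 2 only; event 1 shows why the `TargetFilename|contains` clause matters (the JVM legitimately writes files all day, just not into the web tree), and event 3 shows that the process rule keys on the parent, not on the shell itself. When extending the rules with other modifiers (`|re`, `|startswith`), add the branch here first and re-run the fixture.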
KQL (Microsoft Sentinel / Defender)
Hunt for suspicious process lineage originating from the PeopleSoft application server context. In DeviceProcessEvents the spawned process's name is in the FileName column (there is no ProcessFileName column).
// Shells spawned by PeopleSoft Java/Tuxedo processes in the last 24 hours
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ ("java.exe", "psadmin.exe", "jboot.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
Hunt for processes whose parent is a PeopleSoft-related service, indicating potential code execution. pslist() only exposes the parent PID (Ppid), so the parent's name is resolved with a subquery.
-- Hunt for suspicious parent-child process relationships indicative of RCE
SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime,
       { SELECT Name FROM pslist(pid=Ppid) } AS ParentName
FROM pslist()
WHERE Name =~ "^(cmd|powershell|pwsh|bash|sh)([.]exe)?$"
  AND ParentName =~ "java"
Remediation Script (Bash)
This script assists Linux-based PeopleSoft administrators in checking for common webshell artifacts and recent file modifications in the web directories. It is a temporary measure until the official Oracle patch is fully applied.
#!/bin/bash
# PeopleSoft Compromise Assessment Script for CVE-2026-35273
# Usage: sudo ./check_psoft_integrity.sh
# Override PS_HOME in the environment if the install is not under /opt/oracle/psft.
PS_HOME=${PS_HOME:-"/opt/oracle/psft"}
LOG_FILE="/var/log/psoft_audit_$(date +%Y%m%d_%H%M%S).log"
echo "[*] Starting PeopleSoft Integrity Check for CVE-2026-35273" | tee -a "$LOG_FILE"
echo "[*] Scanning $PS_HOME for recently modified files (last 24h)..." | tee -a "$LOG_FILE"
# Find files modified in the last 24 hours in web directories
find "$PS_HOME"/webserv -type f -mtime -1 -ls >> "$LOG_FILE" 2>/dev/null
# Check every file under the web directories (JSPs, but also images or other files used as carriers) for common webshell keywords
echo "[*] Scanning for common webshell patterns in web directories..." | tee -a "$LOG_FILE"
grep -Rl -i "Runtime\.getRuntime" "$PS_HOME"/webserv 2>/dev/null >> "$LOG_FILE"
grep -Rl -i "ProcessBuilder" "$PS_HOME"/webserv 2>/dev/null >> "$LOG_FILE"
grep -Rl -i "eval.*base64" "$PS_HOME"/webserv 2>/dev/null >> "$LOG_FILE"
# Check for established outbound connections from Java (simple check); prefer ss, fall back to netstat on older hosts
echo "[*] Checking for established outbound connections from Java..." | tee -a "$LOG_FILE"
if command -v ss >/dev/null 2>&1; then
    ss -antp 2>/dev/null | grep "ESTAB" | grep "java" >> "$LOG_FILE"
else
    netstat -antp 2>/dev/null | grep "ESTABLISHED" | grep "java" >> "$LOG_FILE"
fi
echo "[+] Audit complete. Results saved to $LOG_FILE"
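The script above keys on mtime, which is useful for a first pass but easy to reset, and it greps the whole web tree on every run. A more durable approach is to take a hash manifest of the webserv tree once, right after a known-good deployment, and diff against it later, grepping only the files that actually changed. The following is an added example (not the post's script and not Oracle tooling) that does exactly that, reusing the same three indicator strings the Bash script searches for; the directory layout is an assumption, and demo() builds a throwaway tree with tempfile so it runs offline.

```python
"""Baseline-and-diff integrity check for a PeopleSoft web directory tree.

Added example, not the post's script and not Oracle tooling. Records a
SHA-256 manifest of the webserv tree after a known-good deployment, later
reports added / removed / modified files, and scans only those changed
files for the indicator strings the Bash script above greps for.
Paths and layout are assumptions; demo() constructs a temporary tree.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Same indicators as the Bash script above (Runtime.getRuntime, ProcessBuilder, eval.*base64).
WEBSHELL_PATTERN = re.compile(rb"Runtime\.getRuntime|ProcessBuilder|eval.*base64", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """Stream the file so large WAR/JAR contents do not land in memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def scan_indicators(root: Path, rel_paths: Iterable[str]) -> List[str]:
    """Return the subset of rel_paths whose contents match WEBSHELL_PATTERN."""
    return [rel for rel in rel_paths if WEBSHELL_PATTERN.search((root / rel).read_bytes())]


def assess(root: Path, baseline: Dict[str, str]) -> dict:
    """Diff the live tree against the stored baseline and flag suspicious changes."""
    changes = diff_manifest(baseline, build_manifest(root))
    suspect = scan_indicators(root, changes["added"] + changes["modified"])
    return {"changes": changes, "suspect": suspect}


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    """Persist the baseline; keep this copy off the application host."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a tiny webserv tree, then simulate a
    modified page and a new JSP whose only content is a comment carrying one
    of the indicator strings (a test fixture, not executable code)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webserv"
        app = root / "peoplesoft" / "applications"
        app.mkdir(parents=True)
        (app / "index.html").write_text("<html>PIA</html>")
        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), manifest_path)

        # Post-baseline changes the check should surface
        (app / "index.html").write_text("<html>PIA v2</html>")
        (app / "x.jsp").write_text("<%-- constructed test file mentioning Runtime.getRuntime --%>")
        return assess(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, take the baseline with build_manifest() against the real webserv directory immediately after applying Oracle's patch, store it somewhere the application service account cannot write, and run assess() from a scheduled job; a non-empty "suspect" list, or any "added" file under a deployed .war directory that did not come from a change ticket, is a trigger for the forensic review described under Remediation.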
Remediation
- Apply Vendor Mitigations Immediately: Review the latest Oracle Security Alert for CVE-2026-35273. Oracle has provided mitigations (likely involving specific configuration changes or blocking rules) that should be applied immediately if a full patch is not yet available.
- Patch Management: Apply the official patch released by Oracle as soon as it is available in your environment. Test rigorously in non-production first.
- Network Segmentation: Ensure PeopleSoft application servers are not directly accessible from the internet. Place them behind a WAF (Web Application Firewall) and enforce strict IP allow-listing for administration interfaces.
- Credential Reset: If exploitation is suspected, reset credentials for the service accounts associated with PeopleSoft (e.g., database connection strings, admin IDs) and rotate any API keys stored within the application.
- Hunt for ShinyHunter: Assume that if the vulnerability was exposed, data may have been accessed. Conduct a thorough forensic review of database logs and access logs around the time of the exploitation to identify data exfiltration.