Oracle PeopleSoft Zero-Day

What is the Attack?

Google Threat Intelligence Group (GTIG) and Mandiant have identified an active compromise and extortion campaign attributed to ShinyHunters (tracked as UNC6240) targeting Oracle PeopleSoft environments. The attackers exploited a previously unknown remote code execution vulnerability, CVE-2026-35273, before Oracle released an advisory and patches, making this a true zero-day attack. The campaign primarily targeted higher education institutions, with approximately 68% of identified victims belonging to the education sector.

Organizations running internet-accessible Oracle PeopleSoft Environment Management components are at highest risk. Successful exploitation enables unauthenticated remote code execution, deployment of remote management tooling, data theft, and extortion activities.

An attacker who successfully exploits CVE-2026-35273 can:

• Execute arbitrary code on vulnerable Oracle PeopleSoft servers.

• Establish persistent remote access using legitimate administration tools.

• Conduct reconnaissance of enterprise infrastructure and configurations.

• Move laterally within the environment.

• Steal sensitive employee, student, financial, and operational data.

• Conduct extortion or ransomware-style operations using stolen data.

What is the recommended Mitigation?

Potentially exposed systems include:

• Internet-facing Oracle PeopleSoft deployments, in particular those exposing Environment Management components.

Recommended actions:

• Immediately apply Oracle’s security updates for CVE-2026-35273.

• Restrict external access to PeopleSoft Environment Management services.

• Review logs for suspicious activity between May 27 and June 9, 2026.

• Hunt for unauthorized MeshCentral agents and remote management tools.

• Monitor for unusual administrative activity, data access, and large outbound transfers.

• Conduct compromise assessments on exposed PeopleSoft systems.
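The hunting steps above single out "unauthorized" MeshCentral agents, which matters because some organisations run MeshCentral legitimately: the useful signal is not just that an agent is present but which server it is enrolled to. The following script is an added example written for this page, not FortiGuard's or Oracle's own tooling. It checks a host snapshot for the MeshCentral agent's known artifacts (the `meshagent` process and service name, its default install directories, and the `meshagent.msh` configuration file whose `MeshServer=` line names the controlling server) and flags any agent whose server is not on a sanctioned allowlist. The process list, service table, `.msh` contents, the `mesh.it.example.edu` allowlist entry and the 198.51.100.23 server address are all constructed sample data, and the PeopleSoft paths in the snapshot are hypothetical.

```python
"""Hunt for MeshCentral agents and flag any enrolled to an unsanctioned server.

Added example for the PeopleSoft outbreak alert; all inputs below are constructed.
"""
import re
from dataclasses import dataclass

# Artifacts of the MeshCentral agent as shipped by the project (process/service
# name and default install paths on Linux and Windows). These are properties of
# MeshCentral itself, not indicators published with this alert.
AGENT_PROCESS_NAMES = {"meshagent", "meshagent.exe"}
AGENT_SERVICE_NAMES = {"meshagent", "mesh agent"}
AGENT_PATH_FRAGMENTS = ("mesh_services/meshagent", "program files\\mesh agent")

# Assumption: hostnames of the organisation's own, sanctioned MeshCentral servers.
SANCTIONED_SERVERS = {"mesh.it.example.edu"}


@dataclass
class Finding:
    kind: str      # "process", "service" or "config"
    detail: str
    severity: str  # "info", "low", "medium" or "high"


def parse_msh(text: str) -> dict:
    """Parse the agent's .msh file, which is a list of Key=Value lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def server_host(url: str):
    """Return the host part of a MeshServer URL such as wss://host:443/agent.ashx."""
    match = re.match(r"^[a-z]+://([^/:]+)", url.lower())
    return match.group(1) if match else None


def hunt(processes, services, msh_files, sanctioned=SANCTIONED_SERVERS):
    """Return findings for agent processes, services and enrolment configs."""
    findings = []
    for proc in processes:
        name = proc["name"].lower()
        path = proc.get("path", "").lower()
        if name in AGENT_PROCESS_NAMES or any(f in path for f in AGENT_PATH_FRAGMENTS):
            findings.append(Finding("process", f"pid {proc['pid']} {proc['path']}", "medium"))
    for svc_name, svc_path in services.items():
        if svc_name.lower() in AGENT_SERVICE_NAMES:
            findings.append(Finding("service", f"{svc_name} -> {svc_path}", "medium"))
    for path, text in msh_files.items():
        cfg = parse_msh(text)
        host = server_host(cfg.get("MeshServer", ""))
        if host is None:
            findings.append(Finding("config", f"{path}: no MeshServer entry", "low"))
        elif host in sanctioned:
            findings.append(Finding("config", f"{path}: sanctioned server {host}", "info"))
        else:
            findings.append(Finding(
                "config",
                f"{path}: agent enrolled to UNSANCTIONED server {host} "
                f"(MeshID {cfg.get('MeshID', '?')})",
                "high",
            ))
    return findings


# Constructed host snapshot: what `ps -eo pid,comm,args` / the service manager /
# a filesystem sweep for *.msh would give you on a Linux PeopleSoft server.
# The /opt/psft paths are hypothetical placeholders.
SAMPLE_PROCESSES = [
    {"pid": 1201, "name": "java", "path": "/opt/psft/pt/jre/bin/java"},
    {"pid": 4412, "name": "meshagent", "path": "/usr/local/mesh_services/meshagent/meshagent"},
    {"pid": 4420, "name": "sshd", "path": "/usr/sbin/sshd"},
]
SAMPLE_SERVICES = {
    "psft-appserver": "/opt/psft/pt/appserv/psadmin",
    "meshagent": "/usr/local/mesh_services/meshagent/meshagent",
}
SAMPLE_MSH = {
    "/usr/local/mesh_services/meshagent/meshagent.msh": (
        "MeshName=support\n"
        "MeshType=2\n"
        "MeshID=0x0A1B2C3D4E5F60718293A4B5C6D7E8F9\n"
        "ServerID=0F1E2D3C4B5A69788796A5B4C3D2E1F0\n"
        "MeshServer=wss://198.51.100.23:443/agent.ashx\n"
    ),
}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESSES, SAMPLE_SERVICES, SAMPLE_MSH):
        print(f"[{finding.severity:<6}] {finding.kind}: {finding.detail}")
```

On a real host, feed `hunt()` the live process list, the output of `systemctl list-units` or `Get-Service`, and every `.msh` file found under the agent's install directory; the `high` finding is the one to escalate, since it shows the host beaconing to a server the organisation does not operate. Treat the `info` result as a reminder to confirm that the sanctioned agent was deployed by your own team and not re-enrolled by an attacker.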

What FortiGuard Coverage is available?

• FortiGuard IPS: Detects and blocks exploitation attempts targeting Oracle PeopleSoft vulnerabilities.

• FortiGuard Web Filtering: Blocks access to known malicious infrastructure and command-and-control domains.

• FortiGuard AntiVirus and Behavior-Based Detection: Detects MeshCentral-based payloads and malicious post-exploitation activity.

• FortiEDR and FortiXDR: Identify suspicious remote administration activity, persistence mechanisms, and lateral movement behavior.

• FortiSIEM and FortiAnalyzer: Provide visibility into exploitation attempts and post-compromise activity across the environment.
