{"id":20826,"date":"2026-06-24T02:32:11","date_gmt":"2026-06-24T02:32:11","guid":{"rendered":"https:\/\/sekuritasit.com\/index.php\/2026\/06\/24\/oracle-peoplesoft-zero-day\/"},"modified":"2026-06-24T02:32:11","modified_gmt":"2026-06-24T02:32:11","slug":"oracle-peoplesoft-zero-day","status":"publish","type":"post","link":"https:\/\/sekuritasit.com\/index.php\/2026\/06\/24\/oracle-peoplesoft-zero-day\/","title":{"rendered":"Oracle PeopleSoft Zero-Day"},"content":{"rendered":"\n\n\n\n <\/colgroup>\n\n\n\n\n
\n

\n What is the Attack?\n <\/p>\n<\/td>\n

\n

\n Google Threat Intelligence Group (GTIG) and Mandiant have identified an active compromise and extortion campaign attributed to ShinyHunters (tracked as UNC6240) targeting Oracle PeopleSoft environments. The attackers exploited a previously unknown remote code execution vulnerability, CVE-2026-35273, before Oracle released an advisory and patches, making this a true zero-day attack. The campaign primarily targeted higher education institutions, with approximately 68% of identified victims belonging to the education sector.<\/p>\n

Organizations running internet-accessible Oracle PeopleSoft Environment Management components are at highest risk. Successful exploitation enables unauthenticated remote code execution, deployment of remote management tooling, data theft, and extortion activities.<\/p>\n

An attacker who successfully exploits CVE-2026-35273 can:
\n
\n \u2022 Execute arbitrary code on vulnerable Oracle PeopleSoft servers.
\n
\n \u2022 Establish persistent remote access using legitimate administration tools.
\n
\n \u2022 Conduct reconnaissance of enterprise infrastructure and configurations.
\n
\n \u2022 Move laterally within the environment.
\n
\n \u2022 Steal sensitive employee, student, financial, and operational data.
\n
\n \u2022 Conduct extortion or ransomware-style operations using stolen data.\n <\/p>\n<\/td>\n<\/tr>\n

\n

\n What is the recommended Mitigation?\n <\/p>\n<\/td>\n

\n

\n Potentially exposed systems include:
\n
\n Internet-facing Oracle PeopleSoft deployments.<\/p>\n

\u2022 Immediately apply Oracle’s security updates for CVE-2026-35273.
\n
\n \u2022 Restrict external access to PeopleSoft Environment Management services.
\n
\n \u2022 Review logs for suspicious activity between May 27 and June 9, 2026.
\n
\n \u2022 Hunt for unauthorized MeshCentral agents and remote management tools.
\n
\n \u2022 Monitor for unusual administrative activity, data access, and large outbound transfers.
\n
\n \u2022 Conduct compromise assessments on exposed PeopleSoft systems.\n <\/p>\n<\/td>\n<\/tr>\n

\n

\n What FortiGuard Coverage is available?\n <\/p>\n<\/td>\n

\n

\n \u2022 FortiGuard IPS: Detects and blocks exploitation attempts targeting Oracle PeopleSoft vulnerabilities.
\n
\n \u2022 FortiGuard Web Filtering: Blocks access to known malicious infrastructure and command-and-control domains.
\n
\n \u2022 FortiGuard AntiVirus and Behavior-Based Detection: Detects Mesh-Central-based payloads and malicious post-exploitation activity.
\n
\n \u2022 FortiEDR and FortiXDR: Identify suspicious remote administration activity, persistence mechanisms, and lateral movement behavior.
\n
\n \u2022 FortiSIEM and FortiAnalyzer: Provide visibility into exploitation attempts and post-compromise activity across the environment.\n <\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Read More<\/a>\u00a0<\/p>","protected":false},"excerpt":{"rendered":"

What is the Attack? Google Threat Intelligence Group (GTIG) and Mandiant have identified an active compromise and extortion campaign attributed to ShinyHunters (tracked as UNC6240) targeting Oracle PeopleSoft environments. The attackers exploited a previously unknown remote code execution vulnerability, CVE-2026-35273, before Oracle released an advisory and patches, making this a true zero-day attack. The campaign […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-20826","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t