The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools, identified as CVE-2026-35273 (CVSS score 9.8), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows remote code execution without authentication. An active exploitation campaign by UNC6240 (ShinyHunters) from May 27 to June 9, 2026, targeted more than 100 organizations, primarily universities, before Oracle issued an advisory.
Organizations are advised to disable the Environment Management Hub service or block external access to related endpoints. The vulnerability was utilized in a zero-day attack that potentially compromised large amounts of sensitive data.