
Oracle has issued an out‑of‑band advisory for a critical remote code execution vulnerability affecting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, tracked as CVE-2026-35273. The flaw allows unauthenticated attackers to execute arbitrary code via HTTP requests, prompting immediate action from administrators worldwide. Oracle's advisory contains the patch details and mitigation guidance.
The vulnerability carries a CVSS score of 9.8, reflecting its potential to grant full control of an affected system without requiring any privileges. Exploitation relies on a deserialization flaw within the PeopleSoft Pure Internet Architecture listener, where a specially crafted request can trigger the execution of native commands on the underlying server. Successful abuse enables attackers to modify databases, install backdoors or pivot further into the internal network.
SecurityWeek researchers observed the ShinyHunters group leveraging this vector in the wild, noting that the attackers used obfuscated HTTP POST requests to bypass authentication checks and deliver malicious payloads. The campaign focused on organisations running exposed PeopleSoft instances, with the University of Nottingham cited as a confirmed victim that suffered a significant data breach after the intrusion. SecurityWeek's report provides further indicators of compromise for defenders to hunt.
SecurityOnline.info added that the same flaw was used to exfiltrate personal data and research information from the compromised university environment, highlighting the financial and reputational stakes involved. While Oracle has not publicly confirmed active exploitation, the urgency of the advisory reflects the risk of adversaries acting quickly. SecurityOnline.info's article outlines the timeline of events and recommends checking for abnormal outbound traffic from application servers.
Defenders should prioritize applying the out‑of‑band patch released in the advisory, then verify that the PeopleTools version has been updated to the corrected release. After patching, reviewing web server logs for unexpected POST or GET requests containing lengthy base64 strings or unusual XML payloads can help identify any attempted exploitation that occurred before the fix. Limiting direct internet access to the PeopleSoft web tier and enforcing strict network segmentation reduces the attack surface while the update is rolled out.
If immediate patching is not possible, organisations can temporarily disable external access to the PeopleSoft servlet container and place a web application firewall in front of the service with rules that block known attack patterns such as serialized Java objects in request bodies. Enforcing multi‑factor authentication on administrative accounts and monitoring for unexpected process spawns or outbound connections from the application server adds another layer of defence until the fix can be deployed safely.
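
The log review and the serialized-Java-object pattern described in the last two paragraphs can be combined in one hunting script. The following is an added example, not code from Oracle's advisory or the cited reports; it assumes common/combined access-log format and a 200-character threshold for "lengthy", and the sample hosts, paths and parameter names are constructed.

```python
import base64
import re
from urllib.parse import unquote

MIN_B64_LEN = 200  # assumption: what counts as "lengthy"; tune per site
JAVA_MAGIC = b"\xac\xed\x00\x05"  # header of a serialized Java object stream
REQUEST_RE = re.compile(
    r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/_-]{%d,}={0,2}" % MIN_B64_LEN)


def is_java_object(run):
    """True if the run base64-decodes to bytes starting with the Java header."""
    head = run[:8].replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(head).startswith(JAVA_MAGIC)
    except ValueError:
        return False


def scan_line(line):
    """Return a finding for a suspicious access-log line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Split on raw URL delimiters, then percent-decode each piece, so an
    # encoded '/' or '=' inside a base64 value does not break the run apart.
    pieces = [unquote(p) for p in re.split(r"[/?&=;]", m["target"])]
    runs = [r for p in pieces for r in B64_RUN_RE.findall(p)]
    if not runs:
        return None
    return {"method": m["method"], "status": int(m["status"]),
            "longest_run": max(map(len, runs)),
            "java_serialized": any(map(is_java_object, runs))}


def hunt(lines):
    """Scan an iterable of log lines and return the findings in order."""
    return [f for f in map(scan_line, lines) if f]


# Constructed sample input: hosts, paths and parameter names are made up.
_java = base64.b64encode(JAVA_MAGIC + bytes(200)).decode()
_other = base64.b64encode(b"x" * 210).decode()
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    f'203.0.113.11 - - [01/Jan/2026:10:00:05 +0000] "POST /app/endpoint?data={_java} HTTP/1.1" 500 312',
    f'203.0.113.12 - - [01/Jan/2026:10:00:09 +0000] "GET /app/endpoint?token={_other} HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Standard access logs record the request line but not the POST body, so this only covers payloads carried in the URL; inspecting bodies requires WAF, reverse-proxy or application-level request logging.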