FORSMILE
Security | 2026/06/13

[URGENT] Zero-Day RCE Vulnerability in Oracle PeopleSoft: Over 100 Organizations, Including Universities, Targeted

A severe vulnerability (CVSS 9.8) allowing unauthenticated remote code execution has been discovered in Oracle PeopleSoft Enterprise PeopleTools, and numerous organizations have been compromised by zero-day attacks. Immediate patching and access restrictions are required.


On June 10, 2026, Oracle published an emergency security advisory regarding a critical zero-day vulnerability, 'CVE-2026-35273,' in the PeopleTools component of its enterprise resource planning (ERP) system, PeopleSoft, which allows unauthenticated remote code execution (RCE). Rated with a CVSS score of 9.8 (Critical), this vulnerability has already been exploited in zero-day attacks by cybercrime groups, targeting numerous organizations. Over 100 organizations, primarily educational institutions, have been compromised, with evidence of sensitive data theft and leaks.

Vulnerability Overview and Scope of Impact

'CVE-2026-35273' stems from a missing authentication check in the 'Updates Environment Management' component of Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated attacker with HTTP access to the component over the network can exploit it to take complete control of PeopleSoft Enterprise PeopleTools without any credentials. The CVSS rating assigns 'High' impact to confidentiality, integrity, and availability, so successful exploitation can lead to data alteration or destruction, system downtime, and theft of sensitive information. Affected versions are PeopleTools 8.61 and 8.62.

CVE-2026-35273: CVSS 9.8, CRITICAL (highest severity)

Specific Impacts and Attack Scenarios

According to investigations by Mandiant and the Google Threat Intelligence Group, the cybercrime group 'ShinyHunters' exploited this vulnerability as a zero-day between May 27 and June 9, 2026. The attackers established command-and-control infrastructure on look-alike domains mimicking legitimate services and administrative tools, then explored internal systems and executed scripts for widespread lateral movement. Observed tactics include writing ransom notes to public directories on compromised servers and exfiltrating collected databases and log files. Higher education institutions accounted for 68% of the victim organizations; academic systems, which concentrate large amounts of personal information, were particularly targeted. CISA has added this vulnerability to its 'Known Exploited Vulnerabilities Catalog,' mandating prompt remediation by federal agencies.

Immediate Actions for Engineers

For this high-severity vulnerability, implement the following countermeasures immediately:

1. **Apply Official Patches**: Immediately apply the security patch provided by Oracle (Patch Availability Document ID: CPU187). Ensure you are using supported versions (8.61 and 8.62); if you are using older versions, consider upgrading.

2. **Strengthen Network Access Control**: Remove direct internet exposure of PeopleSoft administrative components, including the Environment Management component named in the advisory. This is the key interim mitigation until the patch is applied. Place a firewall or WAF (Web Application Firewall) in front of these paths and allow access only from specific trusted IP addresses, with strict access restrictions.

```nginx
# Example: restricting access to PeopleSoft administrative paths (Nginx in front of the PIA).
# The location below is an example; adjust it to your deployment. The component named in
# the advisory (Environment Management) is normally served under /PSEMHUB/, so cover that
# path too, and verify the actual paths on your web server before relying on this.
location /PSP/peoplesoft/ {
    # Administrative IP addresses that may reach this path
    allow 192.0.2.10/32;   # replace with your own admin address
    allow 203.0.113.20/32; # add more as needed

    # Deny everything else
    deny all;

    # Proxy settings for the backend PeopleSoft server
    # proxy_pass http://your_peoplesoft_backend_server;
    # proxy_set_header Host $host;
    # proxy_set_header X-Real-IP $remote_addr;
    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # proxy_set_header X-Forwarded-Proto $scheme;
}

# Optional coarse filter for malformed requests. A WAF is the right place for this;
# Nginx can only do crude pattern matching. The map belongs in the http {} context and
# the if in a server {} or location {} block. Match only sequences that have no business
# in a PeopleSoft URL: NUL bytes, CR/LF injection and path traversal. Do not block %20
# or %2F as broader patterns do, since that breaks legitimate percent-encoded URLs.
# map $request_uri $block_rce_attempts {
#     "~*(%00|%0A|%0D|\.\./|%2e%2e)" 1;
#     default 0;
# }
# if ($block_rce_attempts = 1) {
#     return 403;
# }
```

3. **Audit Access Logs**: Review access logs for the PeopleSoft environment for suspicious access patterns and abnormal operations, and scrutinize requests to administrative components in particular. Because exploitation was observed between May 27 and June 9, 2026, review that window retrospectively as well as monitoring going forward.

4. **Detect Suspicious Files**: Use EDR (Endpoint Detection and Response) solutions and similar tools to monitor for unauthorized files or scripts being created on the system, especially ransom notes dropped into public directories as reported in these attacks, and establish a framework for early detection and removal.
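Steps 3 and 4 in working form, as an added example that is not code from the advisory, Oracle or this site: a small Python triage that parses combined-format access log lines, flags hits on the administrative path from outside the allowlist (the same addresses as the Nginx example), successful POST/PUT requests there, unusually large responses, and anything falling inside the May 27 to June 9 exploitation window; plus a scan of a public web directory for recently created ransom-note-like files or dropped scripts. The log format, the /PSEMHUB/ path, the 5 MiB threshold, the file-name patterns and the sample log lines are all assumptions constructed for the example.

```python
"""Added example (not from the advisory, Oracle or FORSMILE): triage access
logs and public directories for the activity described above. Assumed and
hypothetical: combined log format, hub under /PSEMHUB/, UTC timestamps."""
import ipaddress
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
ADMIN_PREFIXES = ("/PSEMHUB/",)  # assumed hub path; verify on your web server
ALLOWED_ADMIN = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "203.0.113.20/32")]
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)  # exploitation window per advisory
WINDOW_END = datetime(2026, 6, 9, 23, 59, 59, tzinfo=timezone.utc)
LARGE_RESPONSE = 5 * 1024 * 1024  # bytes in one response; tune to your traffic
NOTE_NAMES = re.compile(r"readme|restore|decrypt", re.I)  # ransom-note style names
SCRIPT_EXT = (".sh", ".ps1", ".jsp", ".py", ".pl")  # scripts that do not belong in a public dir

# Constructed sample log: trusted admin hit, two attacker hits, one normal user.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jun/2026:09:15:02 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2026:03:41:17 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [02/Jun/2026:03:52:40 +0000] "GET /psp/ps/EMPLOYEE/HRMS/export/dump.zip HTTP/1.1" 200 41943040 "-" "curl/8.0"
10.0.0.5 - - [12/Jun/2026:11:05:09 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_PERS_INFO.GBL HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def findings_for(rec):
    """Tag one parsed request; an empty list means nothing notable."""
    tags = []
    ip = ipaddress.ip_address(rec["ip"])
    admin = rec["path"].startswith(ADMIN_PREFIXES)
    trusted = any(ip in net for net in ALLOWED_ADMIN)
    if admin and not trusted:
        tags.append("admin-path-from-unlisted-ip")
        # A successful POST/PUT to the hub from outside the allowlist is the
        # shape an unauthenticated RCE attempt leaves in the log.
        if rec["method"] in ("POST", "PUT") and rec["status"] < 400:
            tags.append("admin-path-write-succeeded")
    if rec["bytes"] >= LARGE_RESPONSE:  # bulk download: possible exfiltration
        tags.append("large-response")
    if tags and WINDOW_START <= rec["ts"] <= WINDOW_END:
        tags.append("in-exploitation-window")
    return tags


def triage_log(lines):
    """Return one record per line that produced at least one finding."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = findings_for(rec)
        if tags:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "ts": rec["ts"].isoformat(), "findings": tags})
    return hits


def suspicious_files(web_root, since):
    """Files under web_root modified at or after `since` (tz-aware datetime)
    whose name looks like a ransom note or a dropped script."""
    found = []
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if mtime >= since and (NOTE_NAMES.search(name) or name.lower().endswith(SCRIPT_EXT)):
                found.append(os.path.relpath(full, web_root))
    return sorted(found)


def demo_scan():
    """Build a throwaway web root with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.html", "style.css", "README_TO_RESTORE.txt", "img/x.jsp"):
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            with open(os.path.join(root, name), "w") as fh:
                fh.write("sample\n")
        return suspicious_files(root, datetime.now(timezone.utc) - timedelta(hours=1))
```

Run `triage_log(SAMPLE_LOG.splitlines())` against the constructed lines: the trusted admin hit and the ordinary employee request produce nothing, the POST to the hub from 198.51.100.7 is tagged as an unlisted write that succeeded inside the exploitation window, and the 40 MiB download from the same address is tagged as a possible exfiltration. The window tag is only added when another finding exists, so it raises priority rather than flooding the output with every request made during those two weeks.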

