Oracle PeopleSoft Zero-Day Is Hitting Las Vegas Businesses — CVE-2026-35273
ShinyHunters confirms active exploitation across 100+ organizations. Is your business exposed?
Published by CMIT Solutions of Las Vegas · Cybersecurity · 5 min read
What Las Vegas Businesses Need to Know Right Now
Last week, Oracle issued an emergency security advisory for CVE-2026-35273, a critical zero-day vulnerability in Oracle PeopleSoft PeopleTools carrying a CVSS score of 9.8 out of 10. The flaw enables unauthenticated remote code execution — meaning attackers can seize full control of an exposed system without a username or password. Within days of disclosure, cybersecurity firm Mandiant confirmed that threat actors had already breached more than 100 organizations and stolen data from over 300 PeopleSoft instances worldwide.
The group behind these attacks is ShinyHunters — one of the most prolific data extortion gangs active today. They’ve previously breached Ticketmaster, Snowflake-connected enterprises, and major educational platforms holding hundreds of millions of student records. Now they’ve turned their firepower on Oracle PeopleSoft, and any organization running an unpatched version is a live target.
ShinyHunters confirmed to BleepingComputer that they have stolen data from 300+ PeopleSoft instances belonging to over 100 organizations. Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 are confirmed vulnerable. Emergency mitigations are available now — a full patch is forthcoming. Do not wait for the patch to act.
Why Las Vegas and Clark County Businesses Are in the Crosshairs
You might be thinking: “We’re a small business — why would ShinyHunters target us?” The answer is in what Oracle PeopleSoft manages: HR data, payroll, finance records, student information, and patient databases. Across the Las Vegas Valley, Oracle PeopleSoft is embedded in universities like UNLV and the College of Southern Nevada, Clark County government operations, Valley Health and Sunrise Health System providers, and large hospitality companies managing thousands of employee records across the Strip and beyond.
Even if your company doesn’t run PeopleSoft directly, your vendors and partners might. A ShinyHunters breach at a third-party payroll processor, HR platform, or benefits administrator could expose your employees’ Social Security numbers, direct deposit accounts, and personal data — without any direct attack on your own network. Third-party risk is one of the fastest-growing attack surfaces for Las Vegas SMBs, and CVE-2026-35273 is exactly the kind of supply-chain entry point threat actors exploit to reach businesses they could never breach head-on.
How ShinyHunters Is Exploiting This Flaw: Technical Breakdown
Mandiant’s analysis of the live ShinyHunters campaign reveals a multi-stage attack chain that moves from initial exploitation to full data exfiltration in a matter of hours:
- Vulnerable versions: Oracle PeopleSoft PeopleTools 8.61 and 8.62 — both widely deployed in enterprise and government environments
- Attack vector: Unauthenticated HTTP requests targeting the /PSEMHUB/ and /PSIGW/HttpListeningConnector endpoints, reachable without any credentials
- Attack chain: ShinyHunters used a “gadget chain” combining previously known PeopleSoft vulnerabilities with CVE-2026-35273 to achieve unauthenticated remote code execution in a single pass
- Post-exploitation: WebShell files dropped in WebLogic application directories, lateral movement via stolen or hardcoded credentials, data compressed and exfiltrated to attacker-controlled servers
- Evasion: Command-and-control infrastructure disguised as Microsoft Azure services to bypass conventional security detection
- Indicators of compromise: Unexpected .jsp webshell files in WebLogic directories; unauthorized folders named persistantstorage, logs, or scratchpad; recently modified XML files on the server
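The host-side indicators in the last bullet can be swept for with a short script. This is an added example, not code from Oracle, Mandiant or the original article; the baseline list of known-good relative paths, the 14-day window and the directory you point it at are assumptions to adjust per deployment.

```python
import os
import sys
import time

# Folder names the article lists as indicators (spelling as published).
SUSPECT_DIRS = {"persistantstorage", "logs", "scratchpad"}

def sweep(root, baseline=frozenset(), days=14, now=None):
    """Return sorted (kind, relative_path) findings under root for analyst review.

    baseline: relative paths known to ship with the deployment (assumed to come
    from a clean install or backup); those .jsp files and folders are not flagged.
    """
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        def rel(name):
            return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
        for d in dirnames:
            if d.lower() in SUSPECT_DIRS and rel(d) not in baseline:
                findings.append(("suspect-dir", rel(d)))
        for f in filenames:
            ext = os.path.splitext(f)[1].lower()
            if ext == ".jsp" and rel(f) not in baseline:
                findings.append(("unexpected-jsp", rel(f)))
            elif ext == ".xml":
                try:
                    mtime = os.lstat(os.path.join(dirpath, f)).st_mtime
                except OSError:
                    continue  # removed or unreadable while scanning
                if mtime >= cutoff:
                    findings.append(("recent-xml", rel(f)))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python sweep.py <weblogic-app-dir> [baseline.txt]
    if len(sys.argv) < 2:
        sys.exit("usage: sweep.py <weblogic-app-dir> [baseline.txt]")
    known = set()
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            known = {line.strip() for line in fh if line.strip()}
    for kind, path in sweep(sys.argv[1], known):
        print(f"{kind}\t{path}")
```

Folder names such as logs are common in legitimate deployments, so every finding is a lead to compare against a clean install, not a verdict. File modification times can be altered, which is why .jsp files are checked against the baseline instead of by date.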
What’s at Stake for Las Vegas Businesses
- ⚠ Stolen employee records — Social Security numbers, salaries, and direct deposit banking information
- ⚠ Exposure of customer PII triggering mandatory breach notification under Nevada NRS 603A (45-day clock)
- ⚠ Extortion demands from ShinyHunters with a credible public data-leak threat — this group has published stolen records before
- ⚠ Third-party payroll or HR vendor breach cascading into your employee and customer data
- ⚠ Operational shutdown while affected systems are isolated, forensically examined, and rebuilt
- ⚠ Regulatory fines for healthcare (HIPAA) and government contractor organizations (CMMC) that fail to disclose breaches within required windows
Three Actions Las Vegas Businesses Must Take This Week
1. Find Out Whether You — or Your Vendors — Run PeopleSoft
The Gap: Most organizations don’t maintain a current inventory of enterprise applications, and vendor-managed PeopleSoft deployments often go untracked until a breach makes them visible.
The Fix: Audit your software stack immediately. Ask your IT team or managed services provider whether Oracle PeopleSoft PeopleTools is deployed anywhere in your environment — including cloud-hosted or third-party-administered instances. Send written inquiries to all critical HR, payroll, and benefits vendors asking about their patch status and exposure to CVE-2026-35273. Document every response.
2. Apply Oracle’s Emergency Mitigations Today — Don’t Wait for the Full Patch
The Gap: Organizations that know they run PeopleSoft are holding off until Oracle releases its formal patch — meanwhile ShinyHunters is actively scanning for exposed endpoints. Every unpatched hour is an open window into your systems.
The Fix: Contact your Oracle support representative or managed IT provider today to apply Oracle’s available emergency mitigations. Restrict external access to /PSEMHUB/ and /PSIGW/ endpoints at your firewall or web application firewall. Block the known attacker IP ranges published by Mandiant’s research team. If you find any indicators of compromise during your log review, treat it as an active incident immediately — not a maintenance item.
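For the log review, and to confirm the firewall restriction is holding, the web tier's access log can be filtered for requests to the two endpoint paths from outside the internal network. This is an added example, not part of Oracle's or Mandiant's guidance; it assumes Common Log Format with the client address in the first field and RFC 1918 internal ranges, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoint prefixes the article names as reachable without credentials.
WATCHED = ("/PSEMHUB/", "/PSIGW/")
# Assumed internal ranges; replace with your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Common Log Format: client ident user [time] "METHOD path proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def normalise(raw):
    """Drop the query string, percent-decode, collapse repeated slashes."""
    return re.sub(r"/+", "/", unquote(raw.split("?", 1)[0]))

def is_external(client):
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return True  # hostname or junk in the field: review it, don't trust it
    return not any(ip in net for net in INTERNAL)

def external_hits(lines):
    """Return (client, normalised_path, status) for outside requests to WATCHED."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, raw, status = m.groups()
        path = normalise(raw)
        if path.upper().startswith(WATCHED) and is_external(client):
            hits.append((client, path, status))
    return hits

# Constructed sample lines (documentation address ranges, made-up timestamps).
SAMPLE = [
    '10.20.0.5 - - [12/Jun/2026:09:14:02 -0700] "GET /PSEMHUB/ HTTP/1.1" 200 312',
    '203.0.113.44 - - [12/Jun/2026:09:15:10 -0700] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1024',
    '198.51.100.7 - - [12/Jun/2026:09:16:31 -0700] "GET /%50SEMHUB/ HTTP/1.1" 404 0',
    '203.0.113.44 - - [12/Jun/2026:09:17:45 -0700] "GET //psigw/HttpListeningConnector?x=1 HTTP/1.1" 403 0',
    '203.0.113.44 - - [12/Jun/2026:09:18:02 -0700] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in external_hits(SAMPLE):
        print(*hit)
```

If the server sits behind a load balancer or reverse proxy, the first field is the proxy's address, so run this against the proxy's own log or a log format that records the forwarded client address. Any hit dated after the restriction went in means the block is not covering every path to the server.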
3. Build (or Test) Your Incident Response Plan Before You Need It
The Gap: Most Las Vegas SMBs focus on preventing direct attacks but have no written plan for when a third-party vendor calls at 2 a.m. to report that your employee data was included in a breach.
The Fix: Review your cyber insurance policy to confirm coverage for third-party breach events. Designate a single point of contact — internal or external — who owns your breach response. Know Nevada’s NRS 603A notification deadline (45 days for most incidents). If you don’t have a documented incident response plan, CMIT Solutions of Las Vegas can help you build one this week — before ShinyHunters or any other threat actor forces that conversation.
Las Vegas Businesses: Don’t Wait for the Breach
CVE-2026-35273 is being actively exploited right now. Find out if your organization is exposed — before ShinyHunters does.
Defending Las Vegas with CMIT Solutions
CMIT Solutions of Las Vegas has protected Clark County businesses for years — from healthcare providers and construction firms to professional services companies and government contractors. When critical vulnerabilities like CVE-2026-35273 emerge, the organizations that weather the storm are the ones with managed cybersecurity partners actively monitoring their environment around the clock. We push emergency mitigations the same day Oracle issues advisories, hunt for indicators of compromise before attackers establish persistence, and stand ready to respond if the worst happens — so you can run your business instead of managing a breach.
Lawrence Abrams, “Oracle mitigates PeopleSoft zero-day exploited in data theft attacks,” BleepingComputer, June 11, 2026
Mandiant, “Threat Actor Exploitation of Oracle PeopleSoft CVE-2026-35273,” Mandiant Threat Research, June 2026
Protect Your Las Vegas Business Today
ShinyHunters is not waiting. Neither should you. CMIT Solutions of Las Vegas delivers enterprise-grade cybersecurity to Clark County businesses of every size — with 24/7 monitoring, rapid threat response, and local experts who know the Nevada threat landscape.
Prefer to talk? Call (702) 725-2877 or email hello@cmitsolutions.com