U.S. CISA Adds Oracle Vulnerability to Known Exploited Catalog
2026-06-13 09:19 | CRITICAL | HIGH
Executive Summary (AI-generated)
Mandiant and Google's Threat Intelligence Group notified more than 100 organizations, 68% of them universities and colleges and most of them in the United States, of intrusions by the ShinyHunters extortion group. The intrusions exploited CVE-2026-35273, a critical (CVSS 9.8) remote code execution flaw in the Environment Management component of Oracle PeopleSoft Enterprise PeopleTools, as a zero-day: activity was observed from May 27 to June 9, 2026, before Oracle's June 10 advisory. PeopleTools is the platform underneath every PeopleSoft application, and the flaw needs nothing more than network access to the Environment Management Hub endpoint, so one reachable hub gave the operators a path onto the server and from there, by SSH credential spraying, onto sibling nodes. Organizations running PeopleTools 8.61 or 8.62 (and earlier, unsupported releases, which Oracle says are likely vulnerable too) should treat the flaw as actively exploited: patch, restrict access to the Environment Management Hub, and hunt for the indicators listed in the timeline below.
Technical Mitigations (AI-generated)
* Apply Oracle's June 10, 2026 fix for CVE-2026-35273 to every PeopleTools 8.61 and 8.62 instance. Earlier, unsupported releases are likely vulnerable as well and should be upgraded rather than left exposed.
* Restrict network access to the Environment Management Hub endpoint to the hosts that legitimately run Environment Management agents; the flaw requires only reachability of that endpoint.
* Hunt for the post-exploitation indicators from the report: MeshCentral agents (the staged binaries meshagent32-azure-ops.exe, meshagent64-azure-ops.exe and meshagent64-v2.exe; MeshCentral 1.1.59 was installed on May 27 at 22:14 UTC), the marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in WebLogic and Process Scheduler directories, zstd-compressed archives, and outbound SSH to 176.120.22.24.
* Watch for internal SSH credential spraying: the operators parse /etc/hosts for sibling PeopleSoft node hostnames and try a hardcoded username/password list against each. Alert on one source failing logins for several usernames across several nodes, and rotate any account that then succeeds.
* Block or alert on connections to the attacker staging servers (Python's built-in HTTP server on port 8888 across five sequential IPs) and to domains mimicking Microsoft Azure NetApp Files.
* Keep the usual controls (patch cadence, network monitoring, IDS/IPS) but tune them for this activity: MeshCentral is legitimate remote-management software and blends into normal administrative traffic unless you baseline which hosts are allowed to run it.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
ShinyHunters (extortion); MeshCentral (legitimate remote-management software abused as implant); CVE-2026-35273
Target & Sectors
NORTH_AMERICA (United States)
Higher education (68% of notified organizations); technology
Incident Timeline
May 27, 2026
Earliest observed exploitation of CVE-2026-35273, a critical remote code execution vulnerability in the Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. Activity consistent with exploitation of this flaw ran from May 27 to June 9, 2026; CISA later added the flaw to its Known Exploited Vulnerabilities catalog.
vulnerability
CVE-2026-35273 (remote code execution, CVSS 9.8)
"The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component."
May 27
The attackers installed MeshCentral version 1.1.59 on May 27 at 22:14 UTC.
infrastructure
MeshCentral 1.1.59
On May 27 at 22:14 UTC, the attackers installed MeshCentral version 1.1.59.
June 9, 2026
Last day of the observed exploitation window for CVE-2026-35273, the critical remote code execution vulnerability in the Environment Management component of Oracle PeopleSoft Enterprise PeopleTools.
vulnerability
CVE-2026-35273 (remote code execution, CVSS 9.8; see the May 27 entry for the quoted finding)
Source: the report published by Google.
June 10, 2026
Oracle publishes its advisory for CVE-2026-35273, affecting PeopleTools 8.61 and 8.62. Because the observed activity predates the advisory, the flaw was exploited as a zero-day. After exploitation the operators used MeshCentral's CLI tool meshctrl.js to run commands on compromised endpoints, mapping PeopleSoft configurations and reading sensitive files.
organisation
Oracle
"Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day."
infrastructure
WebLogic / Process Scheduler directories
On successful SSH login the spraying script copies a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories, both as an extortion marker and as a propagation confirmation the operators could verify remotely.
attribution
ShinyHunters
Exfiltration went out compressed with zstd, followed by an outbound SSH connection to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters data leak site.
infrastructure
Oracle PeopleTools 8.61 and 8.62
PeopleTools versions 8.61 and 8.62 are confirmed affected; Oracle says earlier unsupported versions are likely vulnerable too.
infrastructure
Windows MeshCentral agent binaries (meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe) disguised as Microsoft Azure services
"The staging infrastructure hosted pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services, specifically named meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe." reads the report.
infrastructure
meshctrl.js (MeshCentral CLI tool)
They then used MeshCentral's CLI tool meshctrl.js to run commands on compromised endpoints: mapping Oracle PeopleSoft configurations, reading process scheduler config files, parsing internal host tables, and inspecting WebLogic XML configs to identify additional targets inside each victim network.
infrastructure
Staging servers (five sequential IPs, Python http.server on port 8888)
Researcher @nahamike01 publicly flagged open directories on five sequential IP addresses, all running Python's built-in HTTP server on port 8888.
infrastructure
Lookalike domain (Microsoft Azure NetApp Files)
The domain was chosen to look like Microsoft Azure NetApp Files.
infrastructure
MeshCentral
MeshCentral is legitimate open-source remote management software, which means the traffic blends into normal administrative activity and doesn't trigger obvious alerts.
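The host- and network-level artefacts described above (the extortion marker file, the Azure-named MeshCentral agent binaries, and the outbound SSH to the leak-site mirror) are concrete enough to sweep for. The following script is an added example written for this page, not code from the report, from Google or from Mandiant. It runs over a constructed file listing and a constructed outbound-connection log; the directory layout under /opt/psft and the "timestamp host direction dst_ip dst_port" connection-record format are assumptions you would replace with your own inventory and flow data.

```python
import re

# Indicators taken from the report as quoted on this page.
MARKER = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
AGENT_NAMES = {
    "meshagent32-azure-ops.exe",
    "meshagent64-azure-ops.exe",
    "meshagent64-v2.exe",
}
LEAK_MIRROR_IP = "176.120.22.24"   # hosts the public mirror of the ShinyHunters leak site

# Constructed sample data (not from any real host): a file listing from a
# Linux PeopleSoft node and a Windows box. The /opt/psft layout is an
# assumption about a typical PeopleTools install.
SAMPLE_PATHS = [
    "/opt/psft/pt/8.62/webserv/peoplesoft/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
    "/opt/psft/pt/8.62/appserv/prcs/PRCSDOM/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
    "/opt/psft/pt/8.62/webserv/peoplesoft/config/config.xml",
    "C:\\Windows\\Temp\\MeshAgent64-Azure-Ops.exe",
    "/home/psadm2/README.txt",
]

# Constructed outbound-connection records in an assumed
# "timestamp host direction dst_ip dst_port" layout.
SAMPLE_CONNS = [
    "2026-05-27T22:14:03Z psnode01 OUT 198.51.100.8 443",
    "2026-05-28T03:40:11Z psnode01 OUT 176.120.22.24 22",
    "2026-05-28T03:41:45Z psnode02 OUT 10.20.0.13 22",
]


def basename(path: str) -> str:
    """Last path component, tolerating both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1]


def find_marker_files(paths):
    """Paths whose file name is the extortion marker the operators drop.
    Compared case-insensitively so a Windows listing matches too."""
    return [p for p in paths if basename(p).upper() == MARKER]


def find_agent_binaries(paths):
    """Paths ending in one of the staged MeshCentral agent file names."""
    return [p for p in paths if basename(p).lower() in AGENT_NAMES]


def find_leak_site_egress(conn_lines):
    """(timestamp, host, dst_port) for every outbound connection to the
    leak-site mirror IP. The report describes SSH (port 22), but any contact
    with that IP is worth a look, so the port is returned, not filtered."""
    hits = []
    for line in conn_lines:
        ts, host, direction, dst_ip, dst_port = line.split()
        if direction == "OUT" and dst_ip == LEAK_MIRROR_IP:
            hits.append((ts, host, int(dst_port)))
    return hits


def sweep(paths, conn_lines):
    """Run all three checks and return the findings keyed by indicator type."""
    return {
        "marker_files": find_marker_files(paths),
        "agent_binaries": find_agent_binaries(paths),
        "leak_site_egress": find_leak_site_egress(conn_lines),
    }


if __name__ == "__main__":
    for kind, hits in sweep(SAMPLE_PATHS, SAMPLE_CONNS).items():
        print(f"{kind}: {hits}")
```

On a real estate, feed `find_marker_files` the output of a recursive listing of the WebLogic domain and Process Scheduler directories rather than the whole filesystem, and remember that the marker is only written after a successful SSH login, so its absence says nothing about whether the initial Environment Management Hub exploitation happened.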
tactic
Internal SSH credential spraying
The script parses /etc/hosts for internal PeopleSoft node hostnames, then sprays a hardcoded list of usernames and passwords against each one over SSH.
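The lateral-movement step above leaves a distinctive pattern in sshd logs: one internal source (a PeopleSoft node that was itself compromised via the hub) failing logins for several usernames across several sibling nodes, sometimes followed by a success. The detector below is an added example for this page, not code from the report or from Google/Mandiant. It parses a constructed /etc/hosts fragment the same way the attackers' script discovers nodes, then correlates constructed sshd "Failed password" / "Accepted password" lines by source address; the hostnames, IPs and the minimum host/user thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed /etc/hosts fragment (not a real file). The attackers parse this
# file for sibling PeopleSoft node names; the defender can parse it the same
# way to label which node a spray originated from.
HOSTS_FILE = """\
127.0.0.1   localhost
# PeopleSoft HR cluster (assumed names)
10.20.0.11  psnode01 psnode01.hr.example.edu
10.20.0.12  psnode02 psnode02.hr.example.edu
10.20.0.13  psnode03 psnode03.hr.example.edu
"""

# Constructed sshd log lines in the standard OpenSSH syslog format,
# aggregated from several nodes (the hostname field tells them apart).
AUTH_LOG = [
    "May 28 03:12:01 psnode02 sshd[4121]: Failed password for psadm2 from 10.20.0.11 port 51022 ssh2",
    "May 28 03:12:02 psnode02 sshd[4123]: Failed password for invalid user oracle from 10.20.0.11 port 51023 ssh2",
    "May 28 03:12:03 psnode03 sshd[2210]: Failed password for invalid user oracle from 10.20.0.11 port 51030 ssh2",
    "May 28 03:12:05 psnode03 sshd[2214]: Accepted password for psadm2 from 10.20.0.11 port 51031 ssh2",
    "May 28 03:30:00 psnode02 sshd[4300]: Failed password for alice from 10.99.1.5 port 40001 ssh2",
    "May 28 03:30:04 psnode02 sshd[4302]: Accepted password for alice from 10.99.1.5 port 40002 ssh2",
]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_hosts(text):
    """Map IP -> first hostname for every non-loopback /etc/hosts entry."""
    nodes = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip.startswith("127.") or not names:
            continue
        nodes[ip] = names[0]
    return nodes


def detect_spray(log_lines, nodes, min_hosts=2, min_users=2):
    """Flag sources that tried >= min_users usernames against >= min_hosts
    nodes. A typical admin hits one host with one account; the attackers'
    script walks the whole host table with a hardcoded credential list."""
    per_src = defaultdict(lambda: {"hosts": set(), "users": set(),
                                   "failures": 0, "accepted": []})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # unrelated sshd message
        d = per_src[m["src"]]
        d["hosts"].add(m["host"])
        d["users"].add(m["user"])
        if m["result"] == "Failed":
            d["failures"] += 1
        else:
            d["accepted"].append((m["host"], m["user"]))   # account to rotate

    alerts = []
    for src, d in per_src.items():
        if len(d["hosts"]) >= min_hosts and len(d["users"]) >= min_users:
            alerts.append({
                "src": src,
                "src_node": nodes.get(src),       # which PeopleSoft node sprayed
                "hosts": sorted(d["hosts"]),
                "users": sorted(d["users"]),
                "failures": d["failures"],
                "accepted": d["accepted"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(AUTH_LOG, parse_hosts(HOSTS_FILE)):
        print(alert)
```

A source that resolves to one of your own PeopleSoft nodes (`src_node` is not None) is the more alarming case, because it means the node doing the spraying was already taken over through the hub; the `accepted` list is the set of accounts to rotate and the hosts on which to look for the README marker.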
victims
University of Nottingham
The University of Nottingham is among the first confirmed victims.
June 11, 2026
Mandiant and Google's Threat Intelligence Group publish their analysis of the active ShinyHunters campaign exploiting the Oracle PeopleSoft Enterprise PeopleTools vulnerability, one day after Oracle's advisory.
attribution
ShinyHunters; Mandiant; Google's Threat Intelligence Group
This week, Mandiant and Google's Threat Intelligence Group published an analysis of an active ShinyHunters campaign on June 11, one day after Oracle finally issued an advisory for the vulnerability being exploited.
May 27 to June 9, 2026
Exploitation window observed for the Oracle PeopleSoft Enterprise PeopleTools zero-day. CISA subsequently added the flaw to its Known Exploited Vulnerabilities catalog.
2026/06/13
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CVE-2026-35273, a remote code execution vulnerability in Oracle PeopleSoft's Environment Management component, to its Known Exploited Vulnerabilities catalog. By this point Mandiant had notified more than 100 organizations; 68% of them were universities and colleges, most located in the United States.
victims
More than 100 organizations (Mandiant notifications)
Sixty-eight percent of the more than 100 organizations Mandiant notified were universities and colleges, most of them in the United States.
organisation
Oracle PeopleSoft
Oracle PeopleSoft Enterprise PeopleTools is the underlying technology platform used to build, run, administer, and customize Oracle PeopleSoft applications.
vulnerability
CVE-2026-35273 (Environment Management component)
The flaw CVE-2026-35273 is a remote code execution vulnerability in Oracle PeopleSoft's Environment Management component.
infrastructure
Environment Management Hub
Just network access to the Environment Management Hub endpoint and you can take over the server.
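Because reachability of the Environment Management Hub is the whole precondition, the first question for any PeopleSoft owner is who has actually been talking to that endpoint. The script below is an added example for this page, not code from the report, Oracle, Google or Mandiant. It reads constructed WebLogic-style access-log lines (Common Log Format) and flags hub requests from outside an allow-list. Two things are assumptions, not facts from the page: the hub being served under the /PSEMHUB/ context path (taken from PeopleTools documentation as the editor recalls it; confirm it against your own web server configuration), and the allowed source ranges.

```python
import ipaddress
import re

# ASSUMPTION: the Environment Management Hub servlet lives under /PSEMHUB/
# on the PIA web server. Verify against your WebLogic deployment descriptors.
EMHUB_PREFIX = "/PSEMHUB/"

# ASSUMPTION: only the app/batch subnet (where EM agents run) and one admin
# jump host should ever reach the hub. Everything else is a finding.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.99.1.5/32")]

# Constructed access-log sample (not real traffic). 203.0.113.0/24 is a
# documentation range standing in for "the internet".
ACCESS_LOG = [
    '10.20.0.12 - - [28/May/2026:03:10:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.45 - - [28/May/2026:03:11:27 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 2048',
    '203.0.113.45 - - [28/May/2026:03:11:30 +0000] "GET /psp/ps/EMPLOYEE/HRMS/?cmd=login HTTP/1.1" 200 9130',
    '203.0.113.46 - - [28/May/2026:03:12:02 +0000] "GET /PSEMHUB/ HTTP/1.1" 403 0',
    '10.99.1.5 - - [28/May/2026:04:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 128',
]

# Common Log Format: src ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_allowed_source(src: str, allowed=ALLOWED_SOURCES) -> bool:
    """True if src is an IP inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False          # hostnames or garbage never count as allowed
    return any(ip in net for net in allowed)


def parse_clf(line: str):
    """Return the parsed fields of one access-log line, or None if it does
    not match the expected format."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def flag_emhub_requests(lines, allowed=ALLOWED_SOURCES):
    """Hub requests from outside the allow-list. A 403 still means the
    endpoint was reachable from there; a 200 means it also answered, which
    is the condition the quoted finding describes."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        # Path compared case-insensitively for hunting purposes only.
        if rec["path"].upper().startswith(EMHUB_PREFIX) and not is_allowed_source(rec["src"], allowed):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in flag_emhub_requests(ACCESS_LOG):
        print(f'{rec["ts"]} {rec["src"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
```

Any non-empty result during the May 27 to June 9 window is a reason to treat the host as compromised and start the artefact sweep, regardless of whether the patch has since been applied; an empty result is only as good as the log retention and the completeness of the allow-list.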
June 15, 2026
Deadline by which CISA ordered U.S. federal agencies to remediate the Oracle PeopleSoft Enterprise PeopleTools vulnerability following its addition to the Known Exploited Vulnerabilities catalog.
Tactical Metrics
victims: more than 100 organizations notified by Mandiant (68% universities and colleges, most in the United States)
infrastructure (software version): PeopleTools 8.61 and 8.62 confirmed affected; Oracle says earlier unsupported versions are likely vulnerable too
infrastructure (affected platform): Windows MeshCentral agent binaries meshagent32-azure-ops.exe, meshagent64-azure-ops.exe and meshagent64-v2.exe, disguised as Microsoft Azure services
infrastructure (software version): MeshCentral 1.1.59, installed May 27 at 22:14 UTC
Intelligence Sources
Security Affairs, 2026-06-13
Incident Version History
Current version, last updated 2026-06-29T06:33
Comprehensive Tactical Telemetry
Highly Correlated Entities
20x organisation: Mandiant
12x attribution: Google Threat Intelligence Group
9x timeline: May 27, 2026
5x tactic: Extortion
3x infrastructure (software version): PeopleTools 8.61
2x tactic (MITRE ATT&CK technique): T1588.006 - Obtain Capabilities: Vulnerabilities
Contextual Telemetry (9 metrics)
Target country: United States
Victims: more than 100 organizations
Targeted sector: Technology (68% of notified victims were universities and colleges)
Exploited CVE: CVE-2026-35273
CVSS score: 9.8
Versions: 9
Affected product: Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 (Windows MeshCentral agent binaries staged for post-exploitation)
Port: 8888 (Python http.server on the staging IPs)
Unique email addresses: 455,000