Your ERP system has no patch. Hackers are already inside.
Your ERP system has no patch. Hackers are already inside.
Oracle issued an emergency out-of-band security alert yesterday for CVE-2026-35273 — a critical unauthenticated remote code execution vulnerability in PeopleSoft PeopleTools 8.61 and 8.62. No password required. An attacker with HTTP access to the Environment Management Hub runs arbitrary code on your ERP server.
ShinyHunters and Cl0p are not waiting for a patch release date. Google’s Threat Intelligence Group has already notified over 100 organisations that had been breached. 68% of confirmed victims are in higher education — universities running PeopleSoft for student records, payroll, and HR. Malicious activity was recorded between May 27 and June 9. Oracle published mitigations on June 11, but no patch exists.
PeopleSoft is not a niche product. It runs payroll, student administration, and financial workflows at large DACH enterprises, universities, and public sector organisations. The data inside is exactly what ransomware groups and data extortion actors are after.
This follows the same pattern as SAP NetWeaver CVE-2025-31324 — which Mandiant identified as the most exploited enterprise vulnerability of the year in their M-Trends 2026 report. ERP systems are now an active front, not a theoretical risk.
Three things to do now: Isolate PeopleTools Environment Management Hub from external access — block PSEMHUB endpoints at the perimeter immediately. Audit access logs for the PSEMHUB component for the period May 27–June 9 using Oracle’s published indicators of compromise. If your ERP sits on PeopleTools 8.61 or 8.62, treat this as an active incident until isolation and log review are complete.
Links for a deeper technical dive are in the comments.
For those who want a deeper dive into this topic:
