
1. CVE-2026-35273 — PeopleSoft PeopleTools EMHub (the one that actually got people breached)
This is the standout, and it’s worth walking through the full timeline because it’s a textbook case of zero-day-before-patch exposure.
The flaw sits in PeopleTools’ Updates Environment Management component — the Environment Management Hub, commonly abbreviated PSEMHUB — affecting versions 8.61 and 8.62. It carries a CVSSv3.1 score of 9.8, is remotely exploitable without authentication, and Trend Micro’s Zero Day Initiative classified the underlying flaw as server-side request forgery (CWE-918) rather than a straightforward injection bug. Oracle’s own framing keeps it simple: successful exploitation can lead to remote code execution.
The exploitation timeline is the real story. Mandiant traced active exploitation back to May 27, 2026 — two full weeks before Oracle published its out-of-band security alert on June 10. In that window, ShinyHunters (tracked by Mandiant as UNC6240) worked through roughly 300 vulnerable PeopleSoft instances across more than 100 organizations, with 68% concentrated in higher education — unsurprising given Campus Solutions’ dominance in university enrollment and financial-aid systems. The University of Nottingham was the first confirmed casualty: around 40 GB of data, including names, addresses, passport numbers, and in some cases ethnicity and disability records for roughly 455,000 current and former students, ended up on ShinyHunters’ leak site.
Post-exploitation tradecraft is worth flagging for your SOC readers: attackers deployed a customized MeshCentral remote management agent disguised as a Microsoft Azure service (meshagent64-azure-ops.exe), with command-and-control traffic routed to a domain mimicking Azure infrastructure, followed by internal reconnaissance, lateral movement scripts, and zstd-compressed exfiltration. That’s a deliberate blend-in tactic — disguising C2 as cloud-native traffic is exactly the kind of thing that slips past teams who whitelist “Azure-looking” outbound connections without inspecting payload behavior.
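An added example (not from Mandiant or this writeup) of what looking past the “Azure-looking” label means in practice: a hunt over endpoint records that flags a MeshCentral agent by its markers rather than its file name, and treats Azure-branded hosts outside Microsoft-operated suffixes as lookalikes. The telemetry fields, the suffix list and the sample records are assumptions; the C2 host is a placeholder because the writeup names no domain.

```python
import re

# Assumed, non-exhaustive list of suffixes Microsoft actually operates; anything
# "Azure-looking" outside it is a lookalike candidate rather than cloud-native traffic.
MICROSOFT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".azure.com",
                      ".windows.net", ".azure.net")
CLOUD_WORDS = re.compile(r"azure|microsoft|msft", re.I)   # branding borrowed to blend in
MESH_MARKERS = re.compile(r"meshagent|meshcentral", re.I)  # identifies the agent itself

def lookalike_domain(host):
    host = host.lower().rstrip(".")
    if any(host == s[1:] or host.endswith(s) for s in MICROSOFT_SUFFIXES):
        return False
    return bool(CLOUD_WORDS.search(host))

def hunt(records):
    # records: assumed endpoint telemetry with image path, file description,
    # code-signing subject and the remote host of the process's outbound connection.
    hits = []
    for r in records:
        image = r["image"].rsplit("\\", 1)[-1]
        reasons = []
        # A customized build may strip version strings, so check name and description.
        if MESH_MARKERS.search(image) or MESH_MARKERS.search(r.get("description", "")):
            reasons.append("MeshCentral agent")
        if CLOUD_WORDS.search(image) and not r.get("signer", "").lower().startswith("microsoft"):
            reasons.append("cloud-branded binary not signed by Microsoft")
        if lookalike_domain(r.get("remote_host", "")):
            reasons.append("outbound to Azure-lookalike domain")
        if reasons:
            hits.append({"image": image, "reasons": reasons})
    return hits

# Constructed sample records (not real telemetry); the C2 host is a placeholder,
# the writeup names no domain.
SAMPLE = [
    {"image": r"C:\ProgramData\AzureOps\meshagent64-azure-ops.exe",
     "description": "MeshCentral Agent", "signer": "",
     "remote_host": "azure-ops-sync.example"},
    {"image": r"C:\WindowsAzure\GuestAgent\WindowsAzureGuestAgent.exe",
     "description": "Windows Azure Guest Agent", "signer": "Microsoft Corporation",
     "remote_host": "management.azure.com"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "description": "Google Chrome", "signer": "Google LLC",
     "remote_host": "www.example.com"},
]
```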
There’s also a quietly important historical echo here: the exploited URI path, /PSIGW/HttpListeningConnector, overlaps with a PeopleSoft exploit chain documented back in 2017 for a different CVE on a related Integration Gateway connector. PeopleSoft’s integration gateway has been a recurring soft spot for nearly a decade — that’s a good editorial hook if you want to thread continuity into the piece.
Mitigation, per Rapid7 and Oracle: organizations should disable the EMHub service in multi-server configurations, or remove the PSEMHUB application entirely in single-server setups, apply the patch on an emergency basis, and hunt for compromise indicators even after patching — since the exploitation window predates the patch by two weeks, patching alone doesn’t retroactively confirm you weren’t already hit.
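One way to act on that last point, as an added example rather than anything from Rapid7, Oracle or this writeup: a quick triage over PeopleSoft web-tier access logs that flags external requests to the Integration Gateway connector and the EMHub servlet, and marks those that fall in the pre-advisory window. The /PSEMHUB/ path, the log format and the sample lines are assumptions/constructed.

```python
import ipaddress
import re
from datetime import date, datetime
# The Integration Gateway connector path is named in the writeup; the EMHub path
# /PSEMHUB/ is an assumption about PeopleTools' default servlet layout.
SENSITIVE_PATHS = ("/PSIGW/HttpListeningConnector", "/PSEMHUB/")
# Timeline from the writeup: exploitation seen from May 27, 2026; advisory June 10.
FIRST_EXPLOITATION = date(2026, 5, 27)
ADVISORY_DATE = date(2026, 6, 10)
# Explicit internal ranges (RFC 1918, loopback, link-local). Not ip.is_private,
# which also treats the RFC 5737 documentation range used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable source field: treat as untrusted
    return not any(ip in net for net in INTERNAL_NETS)

def triage(log_lines):
    # One finding per external request to a management/integration path.
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_external(m.group("ip")):
            continue
        path = m.group("path")
        if not any(path.startswith(p) for p in SENSITIVE_PATHS):
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
        findings.append({
            "ip": m.group("ip"), "path": path, "status": int(m.group("status")),
            "date": when.isoformat(),
            # Hits before the advisory predate any patch; patching later says nothing about them.
            "pre_advisory": FIRST_EXPLOITATION <= when < ADVISORY_DATE,
        })
    return findings

# Constructed sample traffic (not real logs); 203.0.113.0/24 stands in for Internet sources.
SAMPLE_LOG = [
    '10.20.30.40 - - [28/May/2026:09:00:01 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/May/2026:09:02:13 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 2048',
    '203.0.113.7 - - [28/May/2026:09:02:20 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1024',
    '203.0.113.9 - - [12/Jun/2026:11:45:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0',
]
```

Any pre_advisory finding with a 200 on these paths is a hunt lead regardless of current patch level.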
2. JD Edwards — disproportionate remote-exploit ratio
Easy to overlook next to PeopleSoft, but JD Edwards received 20 new patches, 12 of them remotely exploitable without authentication — a 60% remote-unauth ratio, the highest proportion of any product family in this CSPU. Affected components span EnterpriseOne Tools (Enterprise Infrastructure Security, Web Runtime Security), General Ledger, Order Promising, and Accounts Payable modules. No active exploitation has been reported yet, but given JD Edwards’ footprint in manufacturing and supply chain ERP, this is worth a proactive patch push rather than waiting for a forcing event.
3. Oracle Communications — small count, full remote-unauth
Only 3 patches, but all three are remotely exploitable without authentication, and the patch for CVE-2026-34481 also folds in fixes for five other CVEs (2025-68161, 2026-34477/78/79/80) — meaning this is a consolidated fix for a vulnerability cluster, not an isolated bug. Communications products typically run in telco/carrier environments, so the blast radius per instance tends to be larger even with a low patch count.
4. E-Business Suite and Fusion Middleware — the dependency trap
EBS got 55 patches with 6 remotely exploitable without authentication, but the more important detail is structural: EBS inherits Database and Fusion Middleware components, and Oracle explicitly recommends applying the Database/FMW portion of the CSPU to EBS environments even though those CVEs don’t show up in the EBS-specific risk matrix. Since Fusion Middleware absorbed over 100 patches this cycle — the largest single share — any team that patches “EBS” by only touching the EBS-labeled bundle is leaving the most heavily patched layer untouched.
The throughline: Oracle’s shift to monthly CSPUs was supposed to shrink the exposure window between disclosure and patch. CVE-2026-35273 shows the limits of that model — the bug was exploited as a true zero-day two weeks before any advisory existed, so cadence alone doesn’t help if the vulnerability isn’t known yet. The actionable lesson for the writeup is less “patch faster” and more “verify external exposure of management/integration interfaces before you even know there’s a CVE to patch.”
| Product | New Patches | Remote, Unauth Exploitable (or exposure note) |
|---|---|---|
| Fusion Middleware | 100+ | Majority critical/high |
| E-Business Suite | 55 | 6 |
| Enterprise Manager | 16 | Inherits DB/FMW exposure |
| Communications | 3 | All 3 |


