
Oracle Just Patched CVE-2026-35273 — the PeopleSoft Zero-Day ShinyHunters Used on 100+ Orgs. WebLogic CVSS 10.0 Also in This Drop.

  • Writer: Patrick Duggan
  • 3 min read

Oracle's June 2026 Critical Security Patch Update shipped today. 245 patches, 243 unique CVEs, 122 marked critical.


Two items require immediate attention regardless of your Oracle footprint.



[CVE-2026-35273](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-35273) — PeopleSoft. Patch It Now.


This is the zero-day ShinyHunters exploited against more than 100 organizations in June 2026. We covered it extensively: unauthenticated remote code execution in Oracle PeopleSoft Enterprise PeopleTools, used to breach education organizations at scale, now spreading to healthcare and enterprise. Baxter, Blackboard, McKesson, Humana, and Optum all have confirmed PeopleSoft subdomains in public DNS.


The patch is in this CSPU. There is no reason to wait. Every organization running PeopleSoft that has not applied the fix is running the exact vulnerability ShinyHunters used to breach over a hundred organizations — with a public proof-of-concept that multiple researchers have now published.


The exploitation window opened months before Oracle shipped this patch. The PoC window opened weeks ago when researchers began publishing. Today Oracle closed the official remediation gap. Apply it.



[CVE-2026-21962](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-21962) — WebLogic. CVSS 10.0. Unauthenticated.


A maximum-severity unauthenticated remote code execution vulnerability in Oracle WebLogic Server. CVSS 10.0 means: network exploitable, no authentication, no user interaction, full impact on confidentiality, integrity, and availability.


Active exploitation has been confirmed on honeypots. CloudSEK's honeypot research captured attacks targeting CVE-2026-21962 alongside a cluster of older WebLogic CVEs: CVE-2020-14882, CVE-2020-14883, CVE-2020-2551, and CVE-2017-10271. The pattern is consistent: once a new WebLogic RCE is announced, threat actors run it alongside historical exploits to maximize coverage against partially patched deployments.


Organizations that patch CVE-2026-21962 but have not addressed the historical WebLogic CVEs remain exposed through the older exploits that are being run alongside it. Complete WebLogic remediation requires the new patch plus verification that the prior critical CVEs listed above are already fixed on every instance.



The Full Drop


245 patches across 11 product families:



| Product Family | Patches | Notes |
|---|---|---|
| Fusion Middleware | 106 | 43% of total — WebLogic, ADF, SOA Suite |
| E-Business Suite | 55 | 6 unauthenticated RCE |
| PeopleSoft | included | |
| Communications | included | |
| Enterprise Manager | included | |
| JD Edwards | included | |
| MySQL | included | |
| Siebel CRM | included | |
| Supply Chain | included | |
| Systems | included | |
| Virtualization | included | |


Fusion Middleware at 106 patches is the largest single product family in the drop. If you run anything in the Oracle Fusion stack — WebLogic, ADF applications, SOA Suite, Oracle Service Bus — this update is material.


E-Business Suite's 6 unauthenticated RCE vulnerabilities are the second-highest urgency item after PeopleSoft and WebLogic. E-Business Suite runs business-critical financials, HR, and procurement at large enterprises. Unauthenticated RCE in that environment is catastrophic.



Why Oracle Went Monthly


Oracle historically patches quarterly. The shift to monthly patching reflects an acknowledgment that the quarterly cycle was too slow for the current exploitation environment. CVE-2026-35273 was being actively exploited by ShinyHunters before Oracle shipped a fix — the zero-day window ran for weeks. Monthly patching compresses that window.


The caveat: more frequent patches create more patch management overhead. Organizations that automated quarterly Oracle patching now need to run the same cycle monthly. The ops cost is real. The alternative — running known-exploited vulnerabilities for an extra 60 days — is worse.



The Watch List Implication


Our medical device and healthcare vendor risk watch list includes organizations with confirmed PeopleSoft exposure: Baxter (3 PeopleSoft subdomains including dev-ghcmobile.baxter.com), Blackboard, McKesson, Humana, and Optum. CVE-2026-35273 patch status for these organizations should be confirmed this week.


If any of them received the ShinyHunters targeting that hit 100+ organizations before this patch existed, their exposure window ran from whenever they were first targeted through today. The patch is available. Verification of application is the next step.




