Oracle July 2026 Critical Patch Update: 5 CRITICAL and 12+ HIGH Severity Vulnerabilities Across WebLogic, PeopleSoft, Identity Manager, and WebCenter

Date: July 15, 2026 | TLP: CLEAR | Severity: CRITICAL

Overview

Oracle's July 2026 Critical Patch Update (CPU) addresses 5 CRITICAL (CVSS ≥ 9.0) and over 12 HIGH severity vulnerabilities across its flagship product suite. The affected products include Oracle WebLogic Server, Oracle PeopleSoft, Oracle Identity Manager, Oracle WebCenter, WebCenter Capture, and Oracle VirtualBox. Remote, unauthenticated attackers can exploit several of these flaws to achieve complete compromise of affected systems.

Of particular concern, CVE-2026-35278 in PeopleSoft is being actively exploited in the wild by the ShinyHunters threat group, chained with CVE-2026-35273 to achieve remote code execution. Organizations running PeopleSoft must treat this CPU as emergency-priority.

🔥 ACTIVE EXPLOITATION: ShinyHunters have been observed weaponizing PeopleSoft vulnerabilities (CVE-2026-35273 / CVE-2026-35278) in live intrusions. Immediate patching is non-negotiable for PeopleSoft environments.

Top CRITICAL Vulnerabilities

CVE | Product | CVSS | Attack Vector | Impact | Auth Required
--- | --- | --- | --- | --- | ---
CVE-2026-35263 | Oracle WebLogic Server | 9.9 | Network (T3/IIOP) | Remote Code Execution | No
CVE-2026-35278 | Oracle PeopleSoft (PeopleTools) | 9.8 | Network (HTTP) | Remote Code Execution ⚡ | No
CVE-2026-35268 | Oracle Identity Manager | 9.9 | Network (HTTP) | Remote Code Execution | No
CVE-2026-35270 | Oracle WebCenter Sites | 9.1 | Network (HTTP) | Remote Code Execution | No
CVE-2026-35280 | Oracle WebCenter Capture | 9.9 | Network (HTTP) | Remote Code Execution | No
CVE-2026-35281 | Oracle WebCenter Capture | 9.9 | Network (HTTP) | Remote Code Execution | No

🚨 PeopleSoft Emergency: ShinyHunters Active Exploitation

CVE-2026-35278 (CVSS 9.8) is a pre-authentication remote code execution vulnerability in Oracle PeopleSoft PeopleTools. It allows an unauthenticated attacker with network access via HTTP to fully compromise the PeopleSoft application server and underlying host.

This vulnerability is being actively exploited in conjunction with CVE-2026-35273 by the ShinyHunters threat actor group. ShinyHunters (notorious for high-profile breaches of Microsoft, AT&T, and Ticketmaster) have been observed in live intrusion campaigns chaining these PeopleSoft flaws to:

  • Gain initial access via CVE-2026-35278 (pre-auth RCE)
  • Escalate privileges and pivot using CVE-2026-35273
  • Exfiltrate sensitive HR, payroll, and PII data from PeopleSoft HCM databases
  • Deploy persistence mechanisms for long-term access

IMMEDIATE ACTION REQUIRED:

  • Apply the July 2026 CPU to all PeopleSoft environments within 72 hours
  • If patching is delayed, restrict network access to PeopleSoft HTTP interfaces to trusted IP ranges only
  • Enable detailed logging on PeopleSoft application servers and monitor for unusual HTTP POST patterns
  • Conduct a compromise assessment if your PeopleSoft instance has been internet-facing
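The two interim measures above (trusted-range restriction and POST monitoring) can be checked against existing web-tier logs. The following is an added example, not part of the advisory or any Oracle tooling: it flags POST requests to PeopleSoft paths from sources outside the trusted ranges. The combined log format, the trusted ranges, the `/psp/`, `/psc/` and `/PSIGW/` path prefixes, and the burst threshold are all assumptions to adapt to your deployment.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the advisory): combined-format access log, the trusted
# ranges below, the PeopleSoft path prefixes, and the burst threshold.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
PS_PATH = re.compile(r"^/(psp|psc|PSIGW)/", re.IGNORECASE)
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
POST_THRESHOLD = 3  # POSTs per untrusted source before it counts as a burst

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError if not an IP literal
    return any(addr in net for net in TRUSTED)

def review(lines):
    """Return (untrusted_posts, burst_sources, unparsed) for PeopleSoft paths."""
    untrusted_posts, unparsed = [], []
    per_source = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            unparsed.append(line)  # keep malformed lines for manual review
            continue
        try:
            trusted = is_trusted(m["ip"])
        except ValueError:  # first field is a hostname or garbage, not an IP
            unparsed.append(line)
            continue
        if m["method"] == "POST" and PS_PATH.match(m["path"]) and not trusted:
            untrusted_posts.append((m["ip"], m["ts"], m["path"], int(m["status"])))
            per_source[m["ip"]] += 1
    bursts = {ip: n for ip, n in per_source.items() if n >= POST_THRESHOLD}
    return untrusted_posts, bursts, unparsed

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.1.2.3 - - [15/Jul/2026:09:00:01 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Jul/2026:09:00:05 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/CONSTRUCTED.GBL HTTP/1.1" 500 312',
    '203.0.113.7 - - [15/Jul/2026:09:00:06 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/CONSTRUCTED.GBL HTTP/1.1" 500 312',
    '203.0.113.7 - - [15/Jul/2026:09:00:07 +0000] "POST /PSIGW/constructed HTTP/1.1" 200 88',
    '198.51.100.9 - - [15/Jul/2026:09:01:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    'truncated line without request',
]
```

Any entry in the first returned list also means the network restriction is not in effect for that source, so treat it as an ACL finding as well as a detection.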

Other Notable HIGH Severity CVEs

CVE | Product | CVSS | Attack Vector | Impact
--- | --- | --- | --- | ---
CVE-2026-35259 | Oracle WebLogic Server | 8.8 | Network (T3/HTTP) | Remote Code Execution
CVE-2026-35271 | PeopleSoft + WebLogic | 8.7 | Network (HTTP) | Privilege Escalation / RCE
CVE-2026-35275 | Oracle VirtualBox | 7.5 | Local / Guest-to-Host | Host Escape / Privilege Escalation

  • CVE-2026-35259 (WebLogic 8.8): Authenticated RCE via T3/HTTP protocols. While requiring authentication, it presents a significant risk in environments where credentials may be obtained through phishing or credential-stuffing attacks. Combined with any of the pre-auth CRITICALs, this enables full domain escalation.
  • CVE-2026-35271 (PeopleSoft WebLogic 8.7): Affects PeopleSoft deployments that leverage embedded WebLogic components. Allows authenticated attackers to escalate privileges and potentially achieve code execution in the PeopleSoft-WebLogic integration layer.
  • CVE-2026-35275 (VirtualBox 7.5): A guest-to-host escape vulnerability that enables a malicious VM to break out of the hypervisor sandbox. Critical for security researchers, malware analysts, and any environment running untrusted VMs.

Fix: Apply the July 2026 Critical Patch Update

Oracle has released patches for all identified vulnerabilities in the July 2026 CPU. Organizations should:

  1. Download the CPU patches from Oracle Support (MOS)
  2. Prioritize PeopleSoft and WebLogic: these are the most exposed and actively targeted products
  3. Apply patches in this order:
    • Tier 1 (Emergency): PeopleSoft (CVE-2026-35278), WebLogic (CVE-2026-35263)
    • Tier 2 (Urgent): Identity Manager (CVE-2026-35268), WebCenter (CVE-2026-35270), WebCenter Capture (CVE-2026-35280/35281)
    • Tier 3 (Standard): VirtualBox (CVE-2026-35275), remaining HIGH severity patches
  4. Test patches in non-production environments before production deployment
  5. Validate patch application using Oracle OPatch or your enterprise vulnerability scanner

Note: Oracle CPUs are cumulative. Applying the July 2026 CPU includes fixes for all previous CPU patches for the product versions you are running.

Recommendations

  1. Patch Immediately: Deploy the July 2026 CPU to all affected Oracle products. PeopleSoft and internet-facing WebLogic instances must be treated as emergency-priority due to active ShinyHunters exploitation.
  2. Network Segmentation: Ensure Oracle middleware (WebLogic, PeopleSoft, Identity Manager) is not directly exposed to the internet. Use reverse proxies, WAFs, and network ACLs to restrict access to authorized IP ranges only.
  3. Enable Enhanced Logging: Configure detailed access and error logging on all Oracle application servers. Forward logs to your SIEM and set up alerting for anomalous HTTP patterns targeting Oracle endpoints.
  4. Compromise Assessment: Given active exploitation of PeopleSoft vulnerabilities, conduct a thorough review of PeopleSoft application servers for indicators of compromise (unexpected processes, new local accounts, unusual outbound connections, modified configuration files).
  5. Credential Hygiene: Rotate all PeopleSoft and WebLogic administrative credentials post-patching, as credential theft is a common follow-on to initial RCE.
  6. Monitor Oracle CPU Cycle: Subscribe to Oracle's Critical Patch Update notifications and establish a recurring patch management process aligned with the quarterly CPU schedule (January, April, July, October).
  7. VirtualBox Users: Apply CVE-2026-35275 patches immediately on any host running untrusted or multi-tenant VMs. This guest-to-host escape vulnerability can compromise the entire hypervisor host.

This advisory is published for informational and defensive purposes. Organizations should validate all patches in their specific environments before production deployment.
