- peoplesoft
- ssrf
- rce
- cve
- oracle
- cloud
news
PeopleSoft SSRF PoC Enables Unauthenticated RCE (CVE-2026-35273)
Sploitus-indexed PoC chains SSRF via PSIGW HttpListeningConnector into cloud credential theft and remote code execution.
Summary
A proof-of-concept indexed on Sploitus as POC_cve_2026_35273 demonstrates unauthenticated remote code execution against Oracle PeopleSoft deployments by abusing server-side request forgery in the PSIGW HttpListeningConnector endpoint. The PoC supports multi-stage SSRF, automatic cloud metadata probing (AWS, Azure, GCP), credential harvesting, and several post-exploitation paths including SSM, RunCommand, web shells, and reverse shells.
This write-up summarizes the indexed research for defenders. OFFSITE.DARK did not author or release the exploit; Sploitus is cited as the aggregation source only.
Technical Details
The vulnerable surface is the PeopleSoft Integration Gateway listener, reachable at paths such as /PSIGW/HttpListeningConnector. The PoC sends crafted XML POST bodies that cause the gateway to fetch attacker-controlled or internal URLs.
| Aspect | Detail |
|---|---|
| Entry point | POST /PSIGW/HttpListeningConnector |
| Primitive | SSRF → cloud metadata / internal services |
| Cloud targets | AWS IMDS (169.254.169.254), Azure, GCP equivalents |
| RCE paths | SSM, RunCommand, planted web shells, reverse shells |
| Auth required | None (unauthenticated) |
Example manual SSRF probe from the indexed PoC:
curl -k -X POST https://target.edu/PSIGW/HttpListeningConnector \
-H "Content-Type: application/xml" \
-d 'http://169.254.169.254/latest/meta-data/'
The automated tool adds cloud detection, multi-hop SSRF for lateral movement inside the VPC, and credential exfiltration via cloud APIs rather than raw socket C2 — reducing obvious network indicators.
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-35273 |
| CVSS (Sploitus) | 5.4 (Medium) |
| CWE | SSRF (CWE-918) |
| Component | PeopleSoft Integration Gateway / PSIGW |
| Sploitus date | 2026-06-13 |
Oracle PeopleSoft versions confirmed affected should be verified against the vendor security alert; treat any internet-exposed PSIGW listener as high priority until patched.
Impact
Successful exploitation allows an unauthenticated attacker to:
- Read cloud instance metadata and steal IAM keys, Azure tokens, or GCP service account credentials
- Pivot to internal HTTP services not exposed to the internet
- Achieve remote code execution on the application host or downstream cloud resources via stolen credentials and cloud management APIs
- Establish stealthy C2 using cloud-native APIs instead of direct outbound shells
Universities and large enterprises running PeopleSoft on cloud VMs with permissive IAM roles attached to application servers face the highest blast radius.
Mitigation
- Apply Oracle PeopleSoft security patches for CVE-2026-35273 as soon as vendor fixes are available.
- Block public access to
/PSIGW/HttpListeningConnectorat the WAF or reverse proxy unless strictly required; restrict by source IP/VPN. - Harden cloud metadata — enforce IMDSv2 on AWS, restrict metadata access via network policy, and avoid attaching broad IAM roles to PeopleSoft application instances.
- Monitor for outbound requests from PeopleSoft servers to link-local addresses (
169.254.0.0/16,100.64.0.0/10) and unexpected cloud API calls from application service accounts. - Segment PeopleSoft integration tiers from sensitive internal networks.
Sources
- Sploitus — POC_cve_2026_35273 (index source, not OFFSITE.DARK release)