{"id":60900,"date":"2026-06-18T00:00:00","date_gmt":"2026-06-18T00:00:00","guid":{"rendered":"urn:uuid:9cb6f965-8ff1-54fc-d66c-657321fd1436"},"modified":"2026-06-18T00:00:00","modified_gmt":"2026-06-18T00:00:00","slug":"peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/","title":{"rendered":"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/peoplesoft:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2026-06-18\"> <meta property=\"article:tag\" content=\"cyber threats\"> <meta property=\"article:section\" content=\"latest news\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/f\/PeopleTools.html\"> <title>PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.cc255fd374a145c2653503eb2da45983.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.47ce60d92d94610907e7a2cbd6fbca69.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/f\/PeopleTools.html\"><br \/>\n<meta property=\"og:title\" content=\"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/f\/peoplesoft.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/f\/peoplesoft.jpg\"> <meta name=\"user-country-code\" content=\"VN\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.807770841841\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"215673528\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9\">\n<div class=\"article-details\" role=\"heading\" readability=\"38\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">A pre-authentication remote code execution (RCE) chain in Oracle PeopleSoft PeopleTools abuses the Integration Broker&#8217;s PSIGW gateway to execute code inside the application server&#8217;s Java virtual machine (JVM), evading behavioral and network sensors.<\/p>\n<p class=\"article-details__author-by\">By: Jacob Santos <time class=\"article-details__date\">Jun 18, 2026<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div>\n<div class=\"richText\">\n<div>\n<h2><span class=\"body-subhead-title\">Key takeaways<\/span><\/h2>\n<ul>\n<li><span class=\"rte-red-bullet\">A pre-authentication remote code execution (RCE) chain in Oracle PeopleSoft PeopleTools reaches an internal-only management servlet through a server-side request forgery (SSRF) in the PSIGW gateway, then gains code execution through Java XMLDecoder deserialization. Oracle assigned <a href=\"https:\/\/www.oracle.com\/security-alerts\/alert-cve-2026-35273.html\" target=\"_blank\">CVE-2026-35273<\/a> (CVSS 9.8) and released an out-of-band patch on June 10, 2026.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The chain affects PeopleTools 8.61, and 8.62, including installations that were fully patched before the out-of-band advisory, because Oracle\u2019s prior serialization-filter hardening does not cover this XMLDecoder code path.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The chain is <b>behaviorally quiet<\/b>: Its final step executes inside the WebLogic JVM on a web-tier restart, with no spawned child process and no required outbound beacon. Detection logic that watches for \u201cJava spawns a shell\u201d or for an on-the-wire exploit signature will, in the common case, see nothing.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">TrendAI\u2122 protections address this threat across the network and endpoint layers, including TrendAI\u2122 Deep Discovery rules and TrendAI\u2122 TippingPoint, TrendAI Vision One\u2122 Server and Workload Protection (SWP), and TrendAI\u2122 Deep Security filters. More guidance may be found in this entry\u2019s recommendations section.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"48.506883891693\">\n<div readability=\"44.184488297384\">\n<p>Enterprise resource planning systems handle some of the most sensitive data an organization holds, but they are also deeply connected to internal infrastructure. When a pre-authentication remote code execution (RCE) chain surfaces in one of the most widely deployed ERP platforms and is already being exploited in the wild, it warrants close attention. In this blog entry, TrendAI\u2122 Research details a technical analysis of an active pre-authentication exploitation chain in Oracle PeopleSoft PeopleTools, the development platform used to build and maintain PeopleSoft applications. PeopleSoft PeopleTools versions 8.61, and 8.62 are affected, per Oracle\u2019s advisory.<\/p>\n<p>On June 10, 2026, Oracle issued an out-of-band security alert for <a href=\"https:\/\/www.oracle.com\/security-alerts\/alert-cve-2026-35273.html\" target=\"_blank\">CVE-2026-35273<\/a>, a critical unauthenticated remote code execution vulnerability (CVSS 9.8) in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. The vulnerability was reported to Oracle through the <a href=\"https:\/\/www.zerodayinitiative.com\/\" target=\"_blank\">TrendAI\u2122 Zero Day Initiative\u2122 (ZDI)<\/a>. One day later, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/shinyhunters-targets-education-sector-oracle-exploit\/\" target=\"_blank\">Mandiant<\/a> published a report attributing in-the-wild exploitation to SHADOW-AETHER-015 (ShinyHunters), documenting a campaign that ran from May 27 through June 9, 2026, two weeks before the vendor advisory and targeted over 100 organizations, predominantly in higher education.<\/p>\n<p>Pre-authentication RCE on an enterprise application is severe, but not new. The notable property of this vulnerability is not its impact, but its near-total lack of observability. The final code-execution step runs through Java\u2019s XMLDecoder inside the application server\u2019s own Java virtual machine (JVM), fires on a restart rather than on the inbound request, and needs no child process and no outbound beacon to succeed. A defender watching the usual places sees a quiet system.<\/p>\n<p>Our researchers discovered new information about this vulnerability, which was responsibly disclosed to Oracle as part of our investigation. This blog documents the chain step by step, explains the single mechanic that makes it so hard to see, and turns that into concrete guidance for defenders. TrendAI\u2122 also published <a href=\"https:\/\/success.trendmicro.com\/en-US\/solution\/KA-0023679\" target=\"_blank\">Security Alert KA-0023679<\/a> with an overview and initial detection guidance.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<h2><span class=\"body-subhead-title\">What PSIGW and PSEMHUB actually are<\/span><\/h2>\n<p>Oracle PeopleSoft runs human-resources, financials, and campus-management workloads for large enterprises, government agencies, and universities. Two PeopleSoft components matter here:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The <b>Integration Broker<\/b> is PeopleSoft\u2019s messaging layer, the machinery that lets PeopleSoft exchange data with other systems. It exposes a public-facing gateway, the <b>PeopleSoft Integration Gateway (PSIGW)<\/b>, and that gateway publishes an unauthenticated listening connector at \/PSIGW\/HttpListeningConnector. Its job is to accept inbound integration messages.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The <b>PeopleSoft Environment Management Hub (PSEMHUB)<\/b> is a separate, internal-only servlet used to manage PeopleSoft environments. It is not meant to be reachable from untrusted networks. Access to it is gated by an IP-based allow-list check named validateClient, which is supposed to ensure only trusted hosts can talk to the hub.<\/span><\/li>\n<\/ul>\n<p>The vulnerability lives between those two components: A public gateway that will faithfully relay a request, and an internal servlet that trusts requests which appear to come from the local host. Bridge that seam and an external, unauthenticated attacker is suddenly talking to an internal management endpoint.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<h2><span class=\"body-subhead-title\">Methodology<\/span><\/h2>\n<p>The chain proceeds in six steps. The description below is reconstructed from Trend ZDI reproduction of the exploit and from incident analysis.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p><b>Step 1 &#8211; Pre-authentication SSRF at the gateway<\/b><\/p>\n<p>The attacker sends an unauthenticated POST to the Integration Broker\u2019s listening connector:<\/p>\n<p><span class=\"blockquote\">POST \/PSIGW\/HttpListeningConnector<\/span><\/p>\n<p>The request body is a PeopleSoft <b>IBRequest<\/b> XML message whose ConnectorParam carries a URL that points back at the server itself; for example, http(s):\/\/localhost\/PSEMHUB\/hub.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p><b>Step 2 &#8211; The validateClient bypass<\/b><\/p>\n<p>Because the gateway issues that follow-on request <i>from itself<\/i>, the inbound call to \/PSEMHUB\/hub appears to originate from localhost. That satisfies the IP-based validateClient allow-list meant to restrict the hub to trusted hosts. This is a textbook <b>server-side request forgery (SSRF)<\/b>: The attacker borrows the server\u2019s own identity to reach an endpoint they could never reach directly, and they now talk to the PSEMHUB hub servlet pre-authentication.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><b>Step 3 &#8211; Staging on disk<\/b><\/p>\n<p>Through the hub, the attacker writes attacker-controlled content under the transaction staging directory envmetadata\/transactions\/.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><b>Step 4 &#8211; Persistence as a planted XML object<\/b><\/p>\n<p>A crafted XML payload is written under envmetadata\/data\/environment\/. At this point nothing has executed; the payload sits dormant on disk, waiting.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p><b>Step 5 &#8211; Deserialization to code execution<\/b><\/p>\n<p>On the next <b>web-tier restart<\/b>, PSEMHUB\u2019s XMLDecoder deserializes the planted XML and instantiates attacker-chosen objects. That yields <b>RCE as the web-tier service account<\/b>: SYSTEM on Windows, psadm2 on Unix-like hosts. This is the step that earlier patching did not address: Oracle\u2019s prior serialization-filter hardening does not cover the XMLDecoder path, &nbsp;which is why installations that had applied all previous patches remained vulnerable until Oracle&#8217;s patch.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><b>Step 6 &#8211; Post-exploitation options<\/b><\/p>\n<p>From code execution, the operator chooses what comes next. Two options were seen in analysis:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Web shell.<\/b> Drop a JSP web shell into the PSEMHUB.war docroot for interactive, persistent access.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Credential coercion.<\/b> Coerce outbound SMB\/445 to capture or relay the machine account\u2019s NetNTLM credentials.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.5\">\n<div readability=\"26\">\n<h2><span class=\"body-subhead-title\">The one mechanic that makes this chain hard to see<\/span><\/h2>\n<p>The single most important detail for defenders is in Step 5: <b>The trigger is a restart, and the execution is in-process.<\/b><\/p>\n<p>There is a deliberate time gap between persistence (Steps 3\u20134) and execution (Step 5). When execution finally happens, it happens <i>inside the WebLogic JVM<\/i>. XMLDecoder deserialization and JSP web shell execution produce no child-process telemetry unless a web shell explicitly runs an operating-system command. A successful exploitation that stops at in-JVM code execution therefore generates none of the parent\/child process anomalies that behavioral detection relies on, and the SSRF pivot itself targets localhost \u2014 a loopback request that never crosses a network sensor.<\/p>\n<p>This is, by construction, a chain built to leave little behind. In-JVM deserialization and web shell instantiation produce no file or process payload unless an operating-system command runs, and a loopback SSRF produces nothing on the wire. Conventional detection that waits for an on-the-wire exploit signature or a \u201cJava spawns a shell\u201d anomaly will, in the common case, have nothing to fire on \u2014 which is precisely why the hunt has to move to the persistence paths and the restart instead.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Two benign patterns can look superficially like the chain, and both must be excluded before anything is called \u201cexploitation\u201d:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Integration Broker east-west traffic flagged by an unrelated signature.<\/b> PeopleSoft\u2019s own internal Integration Broker SOAP\/XML can trip network signatures written for other products; a Django-exploit signature, for example, will misfire on legitimate PSIGW traffic. Before escalating any PSIGW hit, confirm the source is genuinely external \u2014 internal-to-internal Integration Broker chatter is normal east-west traffic, not exploitation.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Legitimate writes under envmetadata\/.<\/b> PeopleSoft Change Assistant and Veritas NetBackup both write to these paths in normal operation. Any persistence rule that does not allow-list these will drown in false positives.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div class=\"responsive-table-wrap\" readability=\"10\">\n<h2><span class=\"body-subhead-title\">MITRE ATT&amp;CK techniques<\/span><\/h2>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"100%\">\n<tbody>\n<tr>\n<td width=\"106\" valign=\"top\"><b>Tactic<\/b><\/td>\n<td width=\"132\" valign=\"top\"><b>Technique<\/b><\/td>\n<td width=\"70\" valign=\"top\"><b>ID<\/b><\/td>\n<td width=\"220\" valign=\"top\"><b>How it appears here<\/b><\/td>\n<\/tr>\n<\/tbody>\n<tbody readability=\"6\">\n<tr readability=\"6\">\n<td width=\"106\" valign=\"top\">Initial access<\/td>\n<td width=\"132\" valign=\"top\">Exploit public-facing application<\/td>\n<td width=\"70\" valign=\"top\">T1190<\/td>\n<td width=\"220\" valign=\"top\">Unauthenticated SSRF at POST \/PSIGW\/HttpListeningConnector, pivoting to the internal PSEMHUB hub and triggering XMLDecoder code execution<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"106\" valign=\"top\">Persistence<\/td>\n<td width=\"132\" valign=\"top\">Server software component: web shell<\/td>\n<td width=\"70\" valign=\"top\">T1505.003<\/td>\n<td width=\"220\" valign=\"top\">Optional JSP web shell dropped into the PSEMHUB.war docroot<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"106\" valign=\"top\">Credential access<\/td>\n<td width=\"132\" valign=\"top\">Forced authentication<\/td>\n<td width=\"70\" valign=\"top\">T1187<\/td>\n<td width=\"220\" valign=\"top\">Optional outbound SMB\/445 coercion for NetNTLM capture or relay<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<p><span class=\"rte-icon-component-text\">Table 1. ATT&amp;CK mapping for the PSEMHUB chain. The server-side deserialization that drives code execution is treated as the mechanism of T1190 rather than a separate technique, because ATT&amp;CK has no clean mapping for server-side XMLDecoder deserialization.<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<h2><span class=\"body-subhead-title\">Recommendations<\/span><\/h2>\n<p>&nbsp;Oracle released an out-of-band patch on June 10, 2026; apply it immediately on all PeopleTools 8.61 and 8.62 installations. Given that exploitation was observed as early as May 27, 2026, investigate for signs of compromise even after patching. Beyond patching, the following exposure-reduction and detection-engineering measures provide defense in depth:<\/p>\n<ol>\n<li><b>Take the listening connector off untrusted networks.<\/b> Ensure \/PSIGW\/HttpListeningConnector is not reachable from the internet, and place the Integration Broker gateway behind network controls that restrict who can reach it.<\/li>\n<li><b>Break the SSRF pivot.<\/b> Segment the gateway from the environment-management servlet so the PSEMHUB hub cannot be reached by a gateway-originated loopback request, and confirm that validateClient cannot be satisfied by self-originated traffic.<\/li>\n<li><b>Watch the persistence paths.<\/b> Monitor for unexpected writes under envmetadata\/transactions\/ and envmetadata\/data\/environment\/, and allow-list PeopleSoft Change Assistant and Veritas NetBackup so legitimate operations do not bury the signal.<\/li>\n<li><b>Treat web-tier restarts as security-relevant.<\/b> Where an agent can observe JVM class loading, alert on XMLDecoder instantiation in the PSEMHUB context, because the restart is the moment dormant persistence becomes live code execution.<\/li>\n<li><b>Hunt the optional artifacts.<\/b> Look for new JSP files in the PSEMHUB.war docroot, and restrict outbound SMB\/445 from web-tier hosts to defeat the optional credential-coercion step.<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>Guidance also differs by role:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>For defenders:<\/b> Assume your behavioral and network sensors will not alert on a successful in-JVM exploitation. Pivot to the persistence-path and restart hunts above, and do not read a quiet SIEM as evidence you are unaffected.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>For decision-makers:<\/b> Treat this as a high-priority patching emergency. Investigate for signs of prior compromise even after applying the patch. The supplementary exposure question remains: &#8220;is our PSIGW gateway reachable from untrusted networks?&#8221; Prioritize an exposure review of any internet-facing PeopleSoft.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>For incident responders:<\/b> Preserve envmetadata\/ contents and web-tier restart logs first. The gap between persistence and execution means a planted XML object may sit dormant and fully recoverable before a restart fires it, so disk and restart timing carry more evidentiary value than process trees.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<h2><span class=\"body-subhead-title\">Conclusion<\/span><\/h2>\n<p>The vulnerability and its chain are well-sourced, and they describe a sobering pattern: A serious pre-authentication RCE can run end to end while producing almost no telemetry, because its final step lives inside the application\u2019s own JVM and fires on a restart rather than on the inbound request. A quiet system is not a safe one; silence is the predictable shape of a chain built to execute in-process and fire on a restart.<\/p>\n<p>&nbsp;That observability gap is the lasting lesson. The specific vulnerability is now patched, but the pattern of a public-facing gateway relaying requests to an internal servlet, with execution deferred to an in-JVM restart will appear again in other enterprise applications. Defenders who build detection around persistence paths and restart behavior, rather than waiting for process-tree anomalies or network signatures, will be better positioned when it does.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<h2><span class=\"body-subhead-title\">TrendAI\u2122 solutions<\/span><\/h2>\n<p>TrendAI Vision One\u2122 customers can act on this threat through coverage across the network and endpoint layers. The following rules and filters address this chain:<\/p>\n<p>&nbsp;<b>TrendAI\u2122 Deep Discovery\u2122<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Rule 5855, &#8220;PeopleSoft PeopleTools Environment Management Hub (PSEMHUB) SSRF Exploit \u2014 HTTP (Request).&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Rule 5863, &#8220;Oracle PeopleSoft HubMBeanPersistance Deserialization of Untrusted Data RCE Exploit \u2014 HTTP (Request).&#8221;<\/span><\/li>\n<\/ul>\n<p><b>TrendAI\u2122 TippingPoint\u2122<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Filter 47502, &#8220;CVE-2026-35273: HTTP: Oracle PeopleSoft Server-Side Request Forgery Vulnerability.&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Filter 47529, &#8220;ZDI-CAN-31817: Zero Day Initiative Vulnerability (Oracle PeopleSoft).&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Filter 47545, &#8220;ZDI-CAN-31818: Zero Day Initiative Vulnerability (Oracle PeopleSoft).&#8221;<\/span><\/li>\n<\/ul>\n<p><b>TrendAI\u2122 Deep Security\u2122, &nbsp;TrendAI Vision One\u2122 Server and Workload Protection (SWP), and TrendAI Vision One\u2122 Endpoint Security IPS<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Filter 1012580, &#8220;Oracle PeopleSoft PeopleTools SSRF Vulnerability (CVE-2026-35273).&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Filter 1012585, &#8220;Oracle PeopleSoft Untrusted Data Deserialization Vulnerability (ZDI-CAN-31817).&#8221;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><b>Inbound SSRF entry and direct hub access<\/b> (Network Activity Data):<\/p>\n<p><span class=\"blockquote\">request:&#8221;\/PSIGW\/HttpListeningConnector&#8221; AND (request:&#8221;PSEMHUB\/hub&#8221; OR request:&#8221;localhost&#8221; OR request:&#8221;127.0.0.1&#8243;)<br \/>request:&#8221;\/PSEMHUB\/hub&#8221;<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><b>On-disk staging and XMLDecoder persistence<\/b> (Endpoint Activity Data), with the two known-benign writers excluded:<\/p>\n<p><span class=\"blockquote\">(objectFilePath:&#8221;envmetadata\/transactions&#8221; OR objectFilePath:&#8221;envmetadata\/data\/environment&#8221;)<br \/>&nbsp; AND NOT (processFilePath:&#8221;ChangeAssistant&#8221; OR processFilePath:&#8221;NetBackup&#8221; OR processFilePath:&#8221;bpbkar&#8221; OR processName:&#8221;psae&#8221;)<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><b>Optional JSP web shell in the PSEMHUB web application<\/b> (Endpoint Activity Data):<\/p>\n<p><span class=\"blockquote\">objectFilePath:&#8221;PSEMHUB.war&#8221; AND objectFilePath:&#8221;.jsp&#8221;<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div class=\"responsive-table-wrap\" readability=\"12\">\n<p><b>Hunt patterns (detection use \u2014 not attacker-owned indicators)<\/b><\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"100%\">\n<tbody>\n<tr>\n<td width=\"202\" valign=\"top\"><b>Pattern<\/b><\/td>\n<td width=\"171\" valign=\"top\"><b>Where<\/b><\/td>\n<td width=\"155\" valign=\"top\"><b>Note<\/b><\/td>\n<\/tr>\n<\/tbody>\n<tbody readability=\"10\">\n<tr readability=\"2\">\n<td width=\"202\" valign=\"top\">POST \/PSIGW\/HttpListeningConnector<\/td>\n<td width=\"171\" valign=\"top\">Web\/proxy logs, IPS<\/td>\n<td width=\"155\" valign=\"top\">SSRF entry point<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"202\" valign=\"top\">IBRequest ConnectorParam URL=http(s):\/\/localhost\/PSEMHUB\/hub<\/td>\n<td width=\"171\" valign=\"top\">Request body<\/td>\n<td width=\"155\" valign=\"top\">Loopback pivot bypassing validateClient<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"202\" valign=\"top\">Writes under envmetadata\/transactions\/<\/td>\n<td width=\"171\" valign=\"top\">Filesystem\/EDR<\/td>\n<td width=\"155\" valign=\"top\">Staging \u2014 allow-list Change Assistant and Veritas NetBackup<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"202\" valign=\"top\">XML writes under envmetadata\/data\/environment\/<\/td>\n<td width=\"171\" valign=\"top\">Filesystem\/EDR<\/td>\n<td width=\"155\" valign=\"top\">XMLDecoder persistence \u2014 same allow-list<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"202\" valign=\"top\">New JSP under PSEMHUB.war docroot<\/td>\n<td width=\"171\" valign=\"top\">Filesystem\/EDR<\/td>\n<td width=\"155\" valign=\"top\">Optional web shell<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"202\" valign=\"top\">Outbound SMB\/445 from a web-tier host to an external IP<\/td>\n<td width=\"171\" valign=\"top\">Network<\/td>\n<td width=\"155\" valign=\"top\">Optional NetNTLM coercion<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<p><span class=\"rte-icon-component-text\">Table 2. Hunt patterns for the PSEMHUB chain. These are detection and hunting aids, not attacker-controlled indicators, and several require allow-listing to control false positives.<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/f\/PeopleTools.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A pre-authentication remote code execution (RCE) chain in Oracle PeopleSoft PeopleTools abuses the Integration Broker&#8217;s PSIGW gateway to execute code inside the application server&#8217;s Java virtual machine (JVM), evading behavioral and network sensors. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9534],"class_list":["post-60900","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-latest-news"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-18T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/peoplesoft:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM\",\"datePublished\":\"2026-06-18T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/\"},\"wordCount\":2234,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/peoplesoft:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Latest News\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/\",\"name\":\"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/peoplesoft:Large?qlt=80\",\"datePublished\":\"2026-06-18T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/peoplesoft:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/peoplesoft:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/","og_locale":"en_US","og_type":"article","og_title":"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-06-18T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/peoplesoft:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM","datePublished":"2026-06-18T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/"},"wordCount":2234,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/peoplesoft:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Latest News"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/","url":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/","name":"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/peoplesoft:Large?qlt=80","datePublished":"2026-06-18T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/peoplesoft:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/peoplesoft:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/peoplesoft-peopletools-pre-authentication-rce-a-psigw-ssrf-chain-that-executes-inside-the-jvm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60900","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60900"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60900\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60900"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60900"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60900"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}