CVE-2026-3527
Severity: MEDIUM
Weakness: CWE-306
Published: March 26, 2026 · Updated: Mar 31, 2026
CVSS v3.1 base score: 6.5
EPSS: 0.03% probability of exploitation in 30 days (percentile: 9.8th)

Official Description

Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.

Source: NVD

Technical Analysis

Per its CVSS vector (AV:N), CVE-2026-3527 can be exploited remotely over the network without physical or adjacent access, which considerably widens the set of potential attackers.

The vector also records no privileges required (PR:N) and no user interaction (UI:N), which makes the issue attractive for automated exploitation campaigns and worm-like propagation.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: Low
Integrity: Low
Availability: None

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Vendors & Products

ceriumsoft (1 product): ajax dashboard
Source: NVD CPE · 1 CPE entry in total

Exploit & PoC Resources

No known exploit: no public exploit has been confirmed at this time.

Official Patches & Advisories

News & Research Mentioning CVE-2026-3527

Note that the items listed below concern CVE-2026-35273, an Oracle PeopleSoft vulnerability, and not CVE-2026-3527.

CISA Adds One Known Exploited Vulnerability to Catalog
CISA Alerts · Jun 12, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2026-35273, Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies, updating BOD 22-01. BOD 26-04 reinforces the importance of the KEV catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically tho

Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters
SecurityWeek · Jun 12, 2026

Oracle has mitigated CVE-2026-35273, but it has not publicly confirmed the vulnerability's in-the-wild exploitation. The post Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters appeared first on SecurityWeek.

ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
The Hacker News · Jun 11, 2026

The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest. Google's Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a

Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
BleepingComputer · Jun 11, 2026

Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks. [...]

ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
Mandiant Blog · Jun 11, 2026

Introduction Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component. The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day. Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Most of these organizations were based in the United States, and 68 percent operated within the higher education sector. Subseq

Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks
SecurityWeek · Jun 11, 2026

Oracle has released mitigations for CVE-2026-35273, but it has not said whether it's a zero-day exploited in ShinyHunters attacks. The post Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks appeared first on SecurityWeek.

All References (1)

Quick Facts

CVE ID: CVE-2026-3527
CVSS Score: 6.5 / 10
Severity: MEDIUM
Weakness: CWE-306
CISA KEV: No
EPSS (30d): 0.03%
Affected: 1 vendor
Published: Mar 26, 2026

Related CVEs (CWE-306)

Recommended Actions

  • Apply vendor patches immediately (the affected range is AJAX Dashboard before 3.1.0)
  • Monitor CVE-2026-3527 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.