ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities

Swati Khandelwal, June 11, 2026. Vulnerability / Data Breach

The ShinyHunters extortion crew used a previously unknown flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign has hit universities hard.

Google’s Mandiant tracks the group as UNC6240 and dates the activity between May 27 and June 9. Oracle didn’t publish its advisory until June 10, so the bug was a zero-day for the whole campaign.

The flaw, CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10. It requires no login and no user interaction, just network access over HTTP, to take over the server. If you’re running PeopleSoft with an externally reachable Environment Management Hub, that’s your exposure, and the quick move is to lock those endpoints down.

The vulnerability resides in the Updates Environment Management component, which sits behind the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools 8.61 and 8.62 as affected and says earlier, unsupported versions are likely vulnerable as well. Researchers from the TrendAI Zero Day Initiative and TrendAI Research are credited with the report.

Mandiant CTO Charles Carmakal confirmed that the bug is being exploited in the wild; Oracle did not say it was aware of the exploitation. Its advisory points to a patch availability document behind the support login, and whether a full fix is available is unclear. For now, the guidance focuses on mitigation.

The details of the operation became public because the attackers left their own infrastructure in the open. Researcher @nahamike01 publicly flagged the open directories. Mandiant then identified five consecutive IP addresses running a Python SimpleHTTP server on port 8888. Those servers revealed staging files: a shared .bash_history, MeshCentral remote management agents disguised as Microsoft Azure binaries, and a lateral movement script.

The agents call home to a command-and-control server at azurenetfiles.net, a domain chosen to look like Azure NetApp Files. The script, named [victim]_fanout.sh, spreads over SSH by spraying a hard-coded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file called README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into the PeopleSoft directory. The command history shows data being compressed with zstd and an outbound SSH connection to the public mirror of the ShinyHunters leak site.

Mandiant notified more than 100 organizations whose IP addresses matched vulnerable hosts. 68 percent were in higher education, most of them in the United States. Some blocked the attempts; others were compromised and saw their data posted to the leak site.

The University of Nottingham is one of the first confirmed victims. Have I Been Pwned listed nearly 455,000 unique email addresses in the leaked set, which included current students and alumni, with names, addresses, phone numbers, passport numbers, and nationality and disability information. The university confirmed the breach.

Oracle’s guidance is to disable the Environment Management Hub service in a multi-server setup, or to remove the PSEMHUB application outright in a single-server setup. If you can do neither, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the network perimeter.

Mandiant warns that WAF inspection rules alone are not enough, as they can be bypassed. Restricting these endpoints does not break normal user sessions.

Then hunt for signs of compromise:

  • WebLogic access logs showing external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector.
  • Unexpected .jsp files under the PSEMHUB.war web application directory, or unusual folders named logs, persistent storage, or scratchpad under PSEMHUB paths.
  • Recently changed .xml files under envmetadata/data/environment in the web doc root, which can be abused for persistence via XMLDecoder on the next restart.
  • Outbound SMB traffic on port 445 from PeopleSoft hosts to external hosts, which one exploit chain can use to capture machine-account NetNTLM hashes.
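As an added illustration (not from the article or from Mandiant), the first hunting item as a small Python triage script over WebLogic access-log lines in Common Log Format. The sample lines are constructed, and the set of "internal" address ranges (RFC 1918, loopback, link-local) is an assumption to adjust for your network.

```python
import ipaddress
import re

# Entry points the article says to watch for external POSTs.
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Assumed internal ranges; widen with your own egress/proxy ranges as needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Common Log Format as written by WebLogic's default access.log:
#   client - - [timestamp] "METHOD /path HTTP/1.1" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_external(addr: str) -> bool:
    """True unless the client address falls in one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable source: surface it for review rather than drop it
    return not any(ip in net for net in INTERNAL_NETS)

def suspicious_requests(lines):
    """Yield (client, timestamp, path, status) for external POSTs to watched paths."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string; servlet mappings are case-sensitive, so compare exactly.
        path = m["path"].split("?", 1)[0]
        if path in WATCHED_PATHS and is_external(m["client"]):
            yield (m["client"], m["ts"], path, int(m["status"]))

# Constructed sample lines (not real traffic): an internal EMHub agent check-in,
# two external POSTs that should be flagged, and an external GET that should not.
SAMPLE_LOG = """\
10.20.30.40 - - [08/Jun/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
203.0.113.77 - - [08/Jun/2026:02:15:31 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1839
203.0.113.77 - - [08/Jun/2026:02:15:32 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9101
198.51.100.5 - - [08/Jun/2026:02:20:00 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("external POST to watched path:", hit)
```

Feed it the real access.log with `suspicious_requests(open(path))`; a non-2xx status on a flagged line still matters, since failed exploitation attempts show where the endpoint is reachable from.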

Apply the Oracle patch for your version of PeopleTools once you’ve confirmed it is available in My Oracle Support.

ShinyHunters says its outreach to victims is just beginning, and it has not yet posted data for many of the organizations it names, so more names are likely to follow.

The method is the bigger story. ShinyHunters has recently relied on vishing, stolen tokens, and weak access controls to steal data from SaaS and education platforms, from Salesforce customers to Canvas. A server-side zero-day in on-premises ERP software is a step up from that, with data-rich targets.

The open question is whether this was a one-off zero-day or the start of ShinyHunters’ move into ERP exploitation.
