The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. Universities were hit hardest.
Google's Mandiant attributes the activity to the group it tracks as UNC6240 and dates it to between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day for the entire window.
The flaw, CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools, rated 9.8 out of 10. It requires no login and no user interaction, just network access over HTTP to take over the server. If you run PeopleSoft with an externally accessible environment management hub, that’s your risk, and the immediate step is to lock down those endpoints.
The vulnerability sits in the Update Environment Management component, which powers the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools 8.61 and 8.62 as affected and notes that unsupported versions are also potentially vulnerable. It credits researchers from the TrendAI Zero Day Initiative and TrendAI Research for the report.
Mandiant CTO Charles Carmakal confirmed that the bug is being exploited in the wild; Oracle has not said whether it has observed exploitation itself. Its advisory points to a patch availability document behind the support login, and whether the full fix is broadly available is unclear. For now, the guidance centers on mitigation.
Operational details became public because the attackers left their tooling exposed. Researcher @nahamike01 flagged a set of publicly open directories. Mandiant then examined five sequential IP addresses running Python's SimpleHTTP server on port 8888. Those servers exposed staging files: a shared .bash_history, a custom MeshCentral remote-management agent disguised as Microsoft Azure binaries, and a lateral-movement script.
The agents called a command-and-control server at azurenetfiles.net, a domain chosen to look like Azure NetApp Files. A script named [victim]_fanout.sh propagates over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. The command history shows data compressed with zstd and outbound SSH connections to the server hosting the public mirror of the ShinyHunters leak site.
Mandiant notified more than 100 organizations whose IP addresses matched the vulnerable endpoints. Sixty-eight percent were in higher education, most of them in the United States. Some blocked the activity; others were compromised and had their data posted on the leak site.
The University of Nottingham is one of the first confirmed victims. Have I Been Pwned counted approximately 455,000 unique email addresses in the leaked set, which included names, addresses, phone numbers, passport numbers, and details of ethnicity and disabilities for current students and alumni. The university has confirmed the breach.
Oracle’s guidance is to disable the Environment Management Hub service on multi-server setups, or completely remove the PSEMHUB application on single-server setups. If you can’t do this, block external access to /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector on the perimeter.
Mandiant warns that WAF body-inspection rules alone are not enough, as they can be circumvented. Restricting these endpoints does not break normal user sessions.
Then hunt for signs of existing compromise:
- WebLogic access logs show external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector.
- Unexpected .jsp files under the PSEMHUB.war web application directory, or unexpected directories named Log, PersistentStorage, or Scratchpad under PSEMHUB paths.
- Recently modified .xml files under the web document root's envmetadata/data/environment path, which can be abused for XMLDecoder persistence that fires on the next restart.
- Outbound SMB traffic on port 445 from the PeopleSoft host to external destinations, which the exploit chain can use to capture machine-account NetNTLM hashes.
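The first three indicators above are easy to sweep for at scale. The script below is an added example written for this article, not Mandiant's or Oracle's tooling. It assumes the WebLogic access log is in the default common log format, treats only RFC 1918 and loopback sources as internal, and takes the PeopleSoft web-server root as an argument; the function names, the 30-day modification window, and the sample log lines (which use documentation IP ranges) are all constructed for the example.

```python
"""Sweep WebLogic access logs and the PeopleSoft web root for the PSEMHUB indicators.

Added example; assumptions: common-log-format access logs, RFC 1918 /
loopback = internal, the web root path is passed in by the caller.
"""
import ipaddress
import re
import tempfile
import time
from pathlib import Path

WATCH_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
SUSPICIOUS_DIRS = {"Log", "PersistentStorage", "Scratchpad"}
# Assumption: only these ranges count as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Common log format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): two external POSTs, one internal
# POST, one benign GET, and one blocked external POST with a query string.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.40 - - [02/Jun/2026:03:15:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
203.0.113.7 - - [02/Jun/2026:03:16:22 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0
198.51.100.9 - - [02/Jun/2026:03:17:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9182
203.0.113.9 - - [02/Jun/2026:03:18:45 +0000] "POST /PSEMHUB/hub/?x=1 HTTP/1.1" 403 0
"""


def is_external(ip: str) -> bool:
    """True unless the source address falls in one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def normalize_path(raw: str) -> str:
    """Strip query string and trailing slash so /PSEMHUB/hub/?x=1 matches."""
    return raw.split("?", 1)[0].rstrip("/")


def suspicious_requests(lines):
    """Return (ip, path, status) for external POSTs to the watched endpoints."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["path"])
        watched = any(path == w or path.startswith(w + "/") for w in WATCH_PATHS)
        if m["method"] == "POST" and watched and is_external(m["ip"]):
            hits.append((m["ip"], path, int(m["status"])))
    return hits


def suspicious_files(web_root, max_age_days: int = 30, now=None):
    """Return (kind, path) findings for web-shell and persistence indicators."""
    now = time.time() if now is None else now
    root = Path(web_root)
    findings = []
    for war in root.rglob("PSEMHUB.war"):
        for p in war.rglob("*"):
            if p.is_file() and p.suffix.lower() == ".jsp":
                findings.append(("jsp_in_psemhub", str(p)))
            elif p.is_dir() and p.name in SUSPICIOUS_DIRS:
                findings.append(("unexpected_dir", str(p)))
    for meta in root.rglob("envmetadata"):
        env = meta / "data" / "environment"
        if not env.is_dir():
            continue
        for p in env.rglob("*.xml"):
            if p.is_file() and now - p.stat().st_mtime < max_age_days * 86400:
                findings.append(("recent_envmetadata_xml", str(p)))
    return findings


def demo_filesystem_scan() -> list:
    """Build a constructed web-root layout in a temp dir and return finding kinds."""
    base = Path(tempfile.mkdtemp())
    war = base / "applications" / "peoplesoft" / "PSEMHUB.war"
    (war / "Scratchpad").mkdir(parents=True)
    (war / "cmd.jsp").write_text("<% %>")          # web shell stand-in
    (war / "index.html").write_text("ok")           # benign, must not be flagged
    env = base / "envmetadata" / "data" / "environment"
    env.mkdir(parents=True)
    (env / "host1.xml").write_text("<java/>")       # freshly modified metadata
    return sorted(kind for kind, _ in suspicious_files(base))


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print("request:", hit)
    for kind in demo_filesystem_scan():
        print("file finding:", kind)
```

Run it against real data with `suspicious_requests(open("access.log"))` and `suspicious_files("/path/to/PIA/webserv/peoplesoft")`. A 403 on a watched path is still worth keeping in the output: it shows the perimeter block is working, and which sources are probing it.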
Apply Oracle's update for your PeopleTools version once you confirm it is available in My Oracle Support.
ShinyHunters says outreach to victims is just beginning, and it hasn’t posted most of the organizations it claims, so more names are likely.
The biggest shift is in method. ShinyHunters has recently relied on vishing, stolen tokens, and weak access controls to steal data from SaaS and education platforms ranging from Salesforce customers to Canvas. A server-side zero-day in on-premises ERP software is a step up from that, aimed at the same data-rich targets.
The open question is whether this was a one-time borrowed zero-day or the beginning of ShinyHunters’ move toward ERP exploitation.