ShinyHunters exploits Oracle PeopleSoft zero‑day (CVE‑2026‑35273) to breach universities

ShinyHunters is abusing an unpatched Oracle PeopleSoft flaw to break into enterprise systems, steal data, and extort victims. Universities took the brunt of it.

What happened

Google’s Mandiant attributes the campaign to UNC6240 with activity from May 27 to June 9. Oracle didn’t publish its advisory until June 10, which means this was a zero‑day window the entire time. Mandiant CTO Charles Carmakal confirmed in-the-wild exploitation; Oracle has not said whether it has observed exploitation.

The vulnerability

CVE-2026-35273 is a remote code execution bug in PeopleSoft Enterprise PeopleTools, rated 9.8 out of 10. It requires no authentication and no user interaction—just HTTP network access—to take over the server. If your Environment Management Hub (PSEMHUB) is internet-reachable, you’re exposed. Lock it down immediately.

The bug sits in the Updates Environment Management component behind PSEMHUB. Oracle lists PeopleTools 8.61 and 8.62 as affected and notes earlier, unsupported versions are likely vulnerable as well. The report is credited to researchers from TrendAI Zero Day Initiative and TrendAI Research.

How the intrusion ran

Operational details surfaced because the attackers left infrastructure open. Researcher @nahamike01 flagged exposed directories; Mandiant then triaged five sequential IPs running Python’s SimpleHTTP server on port 8888. Those servers hosted staging material: a shared .bash_history, custom MeshCentral remote‑management agents disguised as Microsoft Azure binaries, and a lateral‑movement script.

The agents called back to azurenetfiles.net—named to resemble Azure NetApp Files. A script named [victim]_fanout.sh spread via SSH by spraying a hardcoded list of usernames and passwords against internal hosts enumerated from /etc/hosts, then dropped a marker file, README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, into PeopleSoft directories. Command history showed data compressed with zstd and an outbound SSH connection to the server hosting the public mirror of the ShinyHunters leak site.

Impact so far

Mandiant notified more than 100 organizations with IPs matching vulnerable endpoints. Sixty‑eight percent were in higher education, most in the U.S. Some blocked the activity; others were compromised and had data posted to the leak site.

The University of Nottingham is a confirmed victim. Have I Been Pwned counted about 455,000 unique email addresses in the leaked data, covering current students and alumni, including names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach.

Mitigate now

Oracle’s current guidance focuses on restriction and removal:

  • Disable the Environment Management Hub service on multi‑server setups, or remove the PSEMHUB application outright on single‑server setups.
  • If you can’t do either, block external access at the perimeter to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector.

Mandiant warns WAF body‑inspection rules alone are insufficient and can be bypassed. Restricting these endpoints does not break normal user sessions.

Hunt for compromise

Search for these signals now:

  • WebLogic access logs showing external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector.
  • Unexpected .jsp files under the PSEMHUB.war web application directory, or odd folders named logs, persistantstorage, or scratchpad under PSEMHUB paths.
  • Recently changed .xml files under the web doc root’s envmetadata/data/environment (modified files there can be used for XMLDecoder persistence that fires on the next restart).
  • Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations (possible capture of machine‑account NetNTLM hashes in the exploit chain).
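As an added example (not code from the article, Mandiant or Oracle), the first signal above turned into a small Python triage pass over WebLogic access-log lines. It assumes the common-log-format layout of WebLogic's default access.log and a site-specific list of internal address ranges; the log lines are constructed for illustration.

```python
import ipaddress
import re

# Endpoints the article says to restrict and to look for in access logs.
WATCHED_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Assumption: your internal ranges; adjust to the networks that legitimately
# talk to PeopleSoft (RFC1918 plus loopback here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: common log format, which is WebLogic's default access.log layout.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2026:14:03:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.40 - - [02/Jun/2026:14:03:15 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
203.0.113.10 - - [02/Jun/2026:14:04:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/?cmd=login HTTP/1.1" 200 8192
198.51.100.7 - - [02/Jun/2026:14:05:40 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 200 77
198.51.100.7 - - [02/Jun/2026:14:05:41 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/PAGE.GBL HTTP/1.1" 302 0
this line does not parse and must not be counted as clean
"""

def is_external(src: str) -> bool:
    """True when the client address is outside INTERNAL_NETS (or not an IP at all)."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True  # hostnames or junk: surface them rather than hide them
    return not any(ip in net for net in INTERNAL_NETS)

def path_is_watched(path: str) -> bool:
    """Match on the path only, ignoring any query string."""
    return any(path.split("?", 1)[0].startswith(p) for p in WATCHED_PATHS)

def find_suspicious_posts(log_text: str) -> list[dict]:
    """Return external POSTs to the watched PeopleSoft endpoints, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here, worth a separate count in practice
        if m["method"] != "POST" or not path_is_watched(m["path"]):
            continue
        if not is_external(m["src"]):
            continue
        hits.append({"src": m["src"], "ts": m["ts"],
                     "path": m["path"], "status": m["status"]})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG):
        print(hit)
```

A hit is a lead, not proof: an external POST with a 200 to /PSEMHUB/hub during the May 27 to June 10 window warrants checking the file-system signals above on that host.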

Apply Oracle’s update for your PeopleTools version once you confirm it’s available in My Oracle Support.

Why this matters

ShinyHunters says victim outreach has only just started and most claimed organizations are not yet listed, so more names are likely. The bigger signal is the tradecraft: the group has recently leaned on vishing, stolen tokens, and weak access controls to loot SaaS and education platforms—from Salesforce customers to Canvas. A server‑side zero‑day in on‑prem ERP is a step up, aimed at the same data‑rich targets. Open question: a one‑off borrowed zero‑day—or the start of sustained ERP exploitation?