ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach 100+ Universities Worldwide
- Jun 11
- 3 min read
Key Findings
ShinyHunters exploited CVE-2026-35273, a zero-day remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools rated 9.8/10, to breach over 100 organizations between May 27 and June 9
The vulnerability required only network access over HTTP with no authentication or user interaction, affecting any organization with Environment Management Hub endpoints exposed externally
Approximately 68 percent of affected organizations were in higher education, predominantly in the United States
Google Mandiant attributes the campaign to threat actor UNC6240 and confirmed active exploitation in the wild
Oracle did not publish its advisory until June 10, making this a true zero-day throughout the entire attack window
University of Nottingham confirmed as first public victim with approximately 455,000 unique email addresses compromised, including sensitive personal data such as passport numbers and disability information
Attackers left staging infrastructure exposed, revealing custom MeshCentral agents disguised as Microsoft Azure binaries and lateral movement tools
Background
ShinyHunters has established itself as a data theft and extortion group targeting SaaS platforms and educational institutions. Their typical approach relies on vishing, stolen tokens, and weak access controls. This Oracle PeopleSoft campaign represents a significant escalation in sophistication, moving from cloud-based targets to on-premises enterprise resource planning software. The group operates a public leak site where they post stolen data from victims who refuse to pay extortion demands.
Vulnerability Details
CVE-2026-35273 affects Oracle PeopleTools versions 8.61 and 8.62, with earlier unsupported versions likely vulnerable as well. The flaw exists in the Updates Environment Management component, specifically within the piece that powers the Environment Management Hub. The vulnerability requires network access to HTTP endpoints and permits complete remote code execution without any form of authentication. Organizations running PeopleSoft with PSEMHUB reachable from outside their networks face immediate exposure.
Attack Infrastructure
Researchers discovered five sequential IP addresses running Python SimpleHTTP servers on port 8888, exposing the attackers' staging files. The infrastructure included custom MeshCentral remote management agents cleverly disguised as Microsoft Azure binaries, which communicated with a command-and-control server at azurenetfiles.net, a domain designed to mimic legitimate Azure NetApp Files services. The attackers' shared bash history revealed extensive reconnaissance activities, including SSL certificate provisioning for their fake domain and systematic mapping of internal network configurations.
Lateral Movement and Data Exfiltration
The attackers deployed a custom shell script named after each victim for lateral movement across internal networks. This script sprayed hardcoded usernames and passwords against internal hosts extracted from system files, then dropped a marker file reading README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. Stolen data was compressed using zstd compression before being transmitted via SSH to servers hosting the ShinyHunters leak site. The command history showed the group conducted extensive network reconnaissance, including WebLogic configuration inspection and active mount auditing.
Targeting and Impact
Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. The higher education sector represented 68 percent of affected organizations, with the majority located in the United States. Some institutions successfully blocked the activity, while others suffered complete compromise with data subsequently posted to the leak site. University of Nottingham stands as the first publicly confirmed victim, with the breach exposing current students and alumni data including names, addresses, phone numbers, passport numbers, and information regarding ethnicity and disabilities.
Mitigation Guidance
Organizations should immediately disable the Environment Management Hub service on multi-server PeopleSoft installations or remove the PSEMHUB application entirely on single-server setups. If neither option is feasible, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter. Mandiant emphasizes that web application firewall body-inspection rules alone cannot prevent exploitation. These restrictions do not impact normal user sessions.
Detection and Hunting
Organizations should search WebLogic access logs for external POST requests to vulnerable endpoints and examine the PSEMHUB.war directory for unexpected JSP files. Watch for odd folders named logs, persistantstorage, or scratchpad under PSEMHUB paths. Inspect recently modified XML files under envmetadata/data/environment, which attackers can abuse for persistence. Monitor for unexpected outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations, as the exploit chain may use this to capture machine-account NetNTLM hashes.
Future Outlook
ShinyHunters indicated that victim outreach has only begun, suggesting many more compromised organizations will be publicly named. The group has not yet posted data from most organizations it claims to have breached. The key question remains whether this represents a one-time borrowed zero-day or signals ShinyHunters' shift toward targeting on-premises ERP systems alongside their traditional SaaS and education platforms.
Sources
https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
https://securityonline.info/shinyhunters-oracle-peoplesoft-exploit/
https://www.reddit.com/r/SecOpsDaily/comments/1u3bh5x/shinyhunters_exploits_oracle_peoplesoft_zeroday
https://www.socdefenders.ai/item/705eba93-ad81-4817-b729-38ad01adf9ad
https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443

Comments