top of page

ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach 100+ Universities Worldwide

  • Jun 11
  • 3 min read

Key Findings


  • ShinyHunters exploited CVE-2026-35273, a zero-day remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools rated 9.8/10, to breach over 100 organizations between May 27 and June 9

  • The vulnerability required only network access over HTTP with no authentication or user interaction, affecting any organization with Environment Management Hub endpoints exposed externally

  • Approximately 68 percent of affected organizations were in higher education, predominantly in the United States

  • Google Mandiant attributes the campaign to threat actor UNC6240 and confirmed active exploitation in the wild

  • Oracle did not publish its advisory until June 10, making this a true zero-day throughout the entire attack window

  • University of Nottingham confirmed as first public victim with approximately 455,000 unique email addresses compromised, including sensitive personal data such as passport numbers and disability information

  • Attackers left staging infrastructure exposed, revealing custom MeshCentral agents disguised as Microsoft Azure binaries and lateral movement tools


Background


ShinyHunters has established itself as a data theft and extortion group targeting SaaS platforms and educational institutions. Their typical approach relies on vishing, stolen tokens, and weak access controls. This Oracle PeopleSoft campaign represents a significant escalation in sophistication, moving from cloud-based targets to on-premises enterprise resource planning software. The group operates a public leak site where they post stolen data from victims who refuse to pay extortion demands.


Vulnerability Details


CVE-2026-35273 affects Oracle PeopleTools versions 8.61 and 8.62, with earlier unsupported versions likely vulnerable as well. The flaw exists in the Updates Environment Management component, specifically within the piece that powers the Environment Management Hub. The vulnerability requires network access to HTTP endpoints and permits complete remote code execution without any form of authentication. Organizations running PeopleSoft with PSEMHUB reachable from outside their networks face immediate exposure.


Attack Infrastructure


Researchers discovered five sequential IP addresses running Python SimpleHTTP servers on port 8888, exposing the attackers' staging files. The infrastructure included custom MeshCentral remote management agents cleverly disguised as Microsoft Azure binaries, which communicated with a command-and-control server at azurenetfiles.net, a domain designed to mimic legitimate Azure NetApp Files services. The attackers' shared bash history revealed extensive reconnaissance activities, including SSL certificate provisioning for their fake domain and systematic mapping of internal network configurations.


Lateral Movement and Data Exfiltration


The attackers deployed a custom shell script named after each victim for lateral movement across internal networks. This script sprayed hardcoded usernames and passwords against internal hosts extracted from system files, then dropped a marker file reading README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. Stolen data was compressed using zstd compression before being transmitted via SSH to servers hosting the ShinyHunters leak site. The command history showed the group conducted extensive network reconnaissance, including WebLogic configuration inspection and active mount auditing.


Targeting and Impact


Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. The higher education sector represented 68 percent of affected organizations, with the majority located in the United States. Some institutions successfully blocked the activity, while others suffered complete compromise with data subsequently posted to the leak site. University of Nottingham stands as the first publicly confirmed victim, with the breach exposing current students and alumni data including names, addresses, phone numbers, passport numbers, and information regarding ethnicity and disabilities.


Mitigation Guidance


Organizations should immediately disable the Environment Management Hub service on multi-server PeopleSoft installations or remove the PSEMHUB application entirely on single-server setups. If neither option is feasible, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter. Mandiant emphasizes that web application firewall body-inspection rules alone cannot prevent exploitation. These restrictions do not impact normal user sessions.


Detection and Hunting


Organizations should search WebLogic access logs for external POST requests to vulnerable endpoints and examine the PSEMHUB.war directory for unexpected JSP files. Watch for odd folders named logs, persistantstorage, or scratchpad under PSEMHUB paths. Inspect recently modified XML files under envmetadata/data/environment, which attackers can abuse for persistence. Monitor for unexpected outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations, as the exploit chain may use this to capture machine-account NetNTLM hashes.


Future Outlook


ShinyHunters indicated that victim outreach has only begun, suggesting many more compromised organizations will be publicly named. The group has not yet posted data from most organizations it claims to have breached. The key question remains whether this represents a one-time borrowed zero-day or signals ShinyHunters' shift toward targeting on-premises ERP systems alongside their traditional SaaS and education platforms.


Sources


  • https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html

  • https://securityonline.info/shinyhunters-oracle-peoplesoft-exploit/

  • https://www.reddit.com/r/SecOpsDaily/comments/1u3bh5x/shinyhunters_exploits_oracle_peoplesoft_zeroday

  • https://www.socdefenders.ai/item/705eba93-ad81-4817-b729-38ad01adf9ad

  • https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page