# ShinyHunters Exploits Oracle PeopleSoft Zero-Day

> Source: [https://botensten.com/articles/shinyhunters-oracle-peoplesoft-zero-day](https://botensten.com/articles/shinyhunters-oracle-peoplesoft-zero-day) (canonical)
> Author: iCharles News — Botensten, https://botensten.com
> Published: 2026-06-12

## TL;DR

ShinyHunters exploited CVE-2026-35273, a CVSS 9.8 zero-day in Oracle PeopleSoft, between May 27 and June 9, 2026 — before Oracle published its advisory on June 10. The group, tracked by Google's Mandiant as UNC6240, breached more than 100 organizations. Sixty-eight percent of confirmed victims were in higher education. The University of Nottingham is among the first confirmed victims, with about 455,000 unique email addresses exposed.

## What happened with the Oracle PeopleSoft zero-day attack?

ShinyHunters exploited CVE-2026-35273, a critical unpatched flaw in Oracle PeopleSoft, to breach more than 100 organizations between May 27 and June 9, 2026. Oracle did not publish its advisory until June 10, meaning the bug was a zero-day for the entire campaign. Google's Mandiant attributes the activity to the group it tracks as UNC6240, [according to The Hacker News](https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html).

## What is CVE-2026-35273?

**CVE-2026-35273** is a remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools — the application framework that underpins PeopleSoft ERP deployments. It carries a CVSS score of 9.8 out of 10. It requires no login and no user interaction. An attacker needs only network access over HTTP to take over the server.

The flaw sits in the Updates Environment Management component, which powers the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools versions 8.61 and 8.62 as affected and notes that earlier, unsupported versions are likely vulnerable too.

## Who did ShinyHunters target?

Sixty-eight percent of the more than 100 notified organizations were in higher education, most of them in the United States. ShinyHunters claims compromise of approximately 300 systems across cloud and on-premises environments, [per Field Effect's analysis](https://fieldeffect.com/blog/shinyhunters-oracle-peoplesoft-campaign).

**PeopleSoft** is an enterprise resource planning (ERP) platform used to manage sensitive data across finance, human resources, supply chain, and academic administration. That concentration of high-value data made it a primary target. Reported stolen data includes student records, financial aid data, health information, and administrative data.

## What happened at the University of Nottingham?

The University of Nottingham is one of the first confirmed victims. Have I Been Pwned counted about 455,000 unique email addresses in the leaked dataset. The records cover current students and alumni and include names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach.

## How did ShinyHunters operate?

The attackers left their own infrastructure exposed. Researcher @nahamike01 publicly flagged open directories. Mandiant then identified five sequential IP addresses running Python's SimpleHTTP server on port 8888.

Those servers exposed staging files: a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script. The agents called home to a command-and-control server at **azurenetfiles.net**, a domain chosen to resemble Azure NetApp Files.

A script named `[victim]_fanout.sh` spread over SSH by spraying hardcoded usernames and passwords against internal hosts pulled from `/etc/hosts`. It then dropped a file named `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT` into PeopleSoft directories. Stolen data was compressed with zstd and sent out over SSH to a server hosting the ShinyHunters leak site mirror.

## What should PeopleSoft administrators do right now?

Oracle's guidance is to disable the Environment Management Hub service on multi-server setups, or remove the PSEMHUB application on single-server setups. If neither is possible, block external access to `/PSEMHUB/*` (especially `/PSEMHUB/hub`) and `/PSIGW/HttpListeningConnector` at the perimeter.

Mandiant warns that WAF body-inspection rules alone are not sufficient, as they can be bypassed. Restricting these endpoints does not break normal user sessions.

Administrators should also hunt for signs of existing compromise, including:

- External POST requests to `/PSEMHUB/hub` or `/PSIGW/HttpListeningConnector` in WebLogic access logs
- Unexpected `.jsp` files under the PSEMHUB.war directory
- Recently changed `.xml` files under `envmetadata/data/environment`, which can be abused for XMLDecoder persistence
- Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations

Once Oracle's patch is confirmed available in My Oracle Support for your PeopleTools version, apply it. Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild. Oracle has not stated whether it has independently observed exploitation.

ShinyHunters has stated that victim outreach has only just started and that it has not yet posted data for most of the organizations it claims to have compromised.

<!--il:v1-->

## Frequently asked questions

**What is CVE-2026-35273 and how severe is it?**

CVE-2026-35273 is a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. It has a CVSS score of 9.8 out of 10. It requires no authentication and no user interaction — only network access over HTTP. Affected versions include PeopleTools 8.61 and 8.62, and Oracle says earlier unsupported versions are likely vulnerable too.

**Which organizations were affected by the ShinyHunters PeopleSoft campaign?**

ShinyHunters claims to have compromised more than 100 organizations and approximately 300 systems. Sixty-eight percent of victims were in higher education, most in the United States. The University of Nottingham is one confirmed victim, with about 455,000 unique email addresses exposed in the leaked dataset.

**Was CVE-2026-35273 a zero-day when ShinyHunters exploited it?**

Yes. The campaign ran from May 27 to June 9, 2026. Oracle did not publish its security advisory until June 10, 2026, meaning the flaw was unpatched and publicly unknown for the entire duration of the attacks.

**What data was stolen in the University of Nottingham breach?**

Have I Been Pwned counted about 455,000 unique email addresses in the leaked set. The data covers current students and alumni and includes names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach.

**How can organizations detect if they were already compromised?**

Administrators should check WebLogic access logs for external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector, look for unexpected .jsp files under the PSEMHUB.war directory, check for recently changed .xml files under envmetadata/data/environment, and monitor for outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations.
