The cybercriminal group ShinyHunters has been actively exploiting a critical vulnerability in Oracle PeopleSoft, a widely used enterprise resource planning (ERP) system. The flaw, tracked as CVE-2026-35273 and exploited as a zero-day, allows attackers to gain unauthorized access, exfiltrate sensitive data, and then demand ransom payments to prevent its public release. The campaign has disproportionately affected universities, with a significant number of educational institutions falling victim to this sophisticated attack.
Initial insights into this operation come from Google’s Mandiant, which attributes the activity to a group it tracks as UNC6240. The observed malicious actions spanned from May 27 to June 9, preceding Oracle’s official advisory on the flaw, which was published on June 10. This timeline indicates that the vulnerability was exploited as a zero-day by attackers throughout the engagement.
Oracle PeopleSoft Vulnerability Exploited by ShinyHunters
The critical flaw, CVE-2026-35273, is a remote code execution (RCE) vulnerability in PeopleSoft Enterprise PeopleTools. Rated with a severe CVSS score of 9.8 out of 10, it requires neither authentication nor user interaction; the only prerequisite is network access to the server over HTTP, which lets an attacker compromise it remotely. Organizations running PeopleSoft with an exposed Environment Management Hub (PSEMHUB) are particularly at risk and should secure these endpoints immediately.
This vulnerability resides in the Updates Environment Management component, which underpins the Environment Management Hub. Oracle’s advisories indicate that PeopleTools versions 8.61 and 8.62 are affected, with older, unsupported versions likely also susceptible. The discovery and initial report of this flaw are credited to researchers from TrendAI Zero Day Initiative and TrendAI Research.
Mandiant CTO Charles Carmakal has confirmed that the vulnerability is being actively exploited in real-world attacks. Oracle has not itself confirmed widespread exploitation attempts, and because a full patch may not be immediately available to every customer, its guidance emphasizes mitigation steps. The advisory directs users to a patch availability document that requires a support login.
Attack Method and Infrastructure Revealed
The operational details of the ShinyHunters campaign were brought to light due to oversights by the attackers themselves, who inadvertently exposed their infrastructure. Security researcher @nahamike01 first flagged open directory access, prompting Mandiant’s deeper investigation. Mandiant identified a series of five sequential IP addresses hosting Python’s SimpleHTTP server on port 8888, which served as staging grounds for the attackers’ tools.
These servers contained staging files including a shared .bash_history log, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a script designed for lateral movement within compromised networks. The command-and-control (C2) server for these agents was hosted at azurenetfiles.net, a domain chosen to impersonate Microsoft’s Azure NetApp Files service. The lateral movement script, named `[victim]_fanout.sh`, leveraged SSH to spread across internal systems by attempting to log in with a hardcoded list of usernames and passwords. Upon successful infiltration, it would drop a file named `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT` into PeopleSoft directories. Analysis of the command history revealed that the exfiltrated data was compressed using zstd and then transferred via SSH to the server hosting the public mirror of the ShinyHunters leak site.
Impact on Universities and Data Exfiltration
Mandiant proactively notified over 100 organizations whose IP addresses indicated vulnerable PeopleSoft endpoints. A striking 68% of these were identified as higher education institutions, predominantly located in the United States. While some organizations successfully blocked the malicious activity, others were compromised, leading to their data being posted on the ShinyHunters leak site.
The University of Nottingham is among the first confirmed victims of this breach. Data recovered from the leak site, as documented by Have I Been Pwned, includes approximately 455,000 unique email addresses belonging to current students and alumni. The exfiltrated information reportedly contains names, addresses, phone numbers, passport details, and sensitive personal information such as ethnicity and disability status. The university has officially confirmed the breach.
Mitigation and Detection Strategies
Oracle’s recommended mitigation steps include disabling the Environment Management Hub service on multi-server PeopleSoft deployments. For single-server configurations, the advice is to remove the PSEMHUB application entirely. If these actions are not feasible, organizations are urged to block external access to the `/PSEMHUB/*` (specifically `/PSEMHUB/hub`) and `/PSIGW/HttpListeningConnector` URL paths at their network perimeter. Mandiant cautions that Web Application Firewall (WAF) body-inspection rules alone may not be sufficient, as they can be bypassed.
Crucially, these mitigation measures are designed not to disrupt normal user sessions. Organizations are also advised to conduct thorough hunts for signs of existing compromise. Indicators of compromise include WebLogic access logs showing suspicious external POST requests to the aforementioned vulnerable endpoints, unexpected `.jsp` files within the PSEMHUB.war directory, or unusual folders like `logs`, `persistantstorage`, or `scratchpad` under PSEMHUB paths. Additionally, recently modified `.xml` files in `envmetadata/data/environment` could indicate the use of XMLDecoder for persistence, which would activate upon the next system restart. Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations might also signal an attempt to capture machine-account NetNTLM hashes.
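The hunt described above can be scripted. The following is an added example, not Oracle's or Mandiant's tooling: it scans WebLogic access-log lines for external POST requests to the `/PSEMHUB/` and `/PSIGW/HttpListeningConnector` endpoints and walks a PeopleSoft web tree for the on-disk indicators (non-baseline `.jsp` files under `PSEMHUB.war`, the `logs`, `persistantstorage` and `scratchpad` folders beneath PSEMHUB paths, and recently modified `.xml` files under `envmetadata/data/environment`). It assumes the access log is in WebLogic's default common-log-format layout, that "external" means outside the `INTERNAL_NETS` list, and uses constructed sample lines and a constructed temporary directory tree; all of these are assumptions, not facts from the article.

```python
"""Hunt for the access-log and on-disk indicators described above.

Added example, not Oracle's or Mandiant's tooling.  Assumptions not taken from
the article: the access log uses WebLogic's default common-log-format layout
(client - - [timestamp] "METHOD path HTTP/x" status bytes); "external" means a
client address outside INTERNAL_NETS; sample lines and the tree are constructed.
"""
import ipaddress
import os
import re
import tempfile
import time
from pathlib import Path

# Endpoints Oracle says to block at the perimeter; an external POST to either
# is the access-log indicator Mandiant describes.
SUSPECT_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Folders that should not normally appear under PSEMHUB paths.
UNUSUAL_DIRS = {"logs", "persistantstorage", "scratchpad"}
# Assumed internal space: RFC 1918, loopback, link-local, ULA.  Extend with your
# own public ranges and the address of any reverse proxy in front of WebLogic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def is_external(addr, internal=INTERNAL_NETS):
    """True for addresses outside the internal ranges; unparsable values are not flagged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in internal)

def hunt_access_log(lines):
    """Return (client, timestamp, path, status) for each external POST to a suspect path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        if m["method"] == "POST" and path.startswith(SUSPECT_PREFIXES) and is_external(m["client"]):
            hits.append((m["client"], m["ts"], path, int(m["status"])))
    return hits

def hunt_filesystem(root, known_jsp=frozenset(), recent_seconds=7 * 24 * 3600, now=None):
    """Report .jsp files under PSEMHUB.war not in the known-good baseline, unusual
    folders beneath PSEMHUB paths, and recently modified envmetadata XML files."""
    root, now = Path(root), (time.time() if now is None else now)
    findings = []
    for p in root.rglob("*"):
        parts = p.relative_to(root).parts
        rel = "/".join(parts)
        under_psemhub = any(part.startswith("PSEMHUB") for part in parts[:-1])
        if p.is_file() and p.suffix == ".jsp" and "PSEMHUB.war" in parts and rel not in known_jsp:
            findings.append(("jsp_in_psemhub_war", rel))
        elif p.is_dir() and p.name in UNUSUAL_DIRS and under_psemhub:
            findings.append(("unusual_psemhub_dir", rel))
        elif (p.is_file() and p.suffix == ".xml" and "envmetadata/data/environment" in rel
              and now - p.stat().st_mtime < recent_seconds):
            findings.append(("recent_envmetadata_xml", rel))  # possible XMLDecoder persistence
    return sorted(findings)

SAMPLE_LOG = [  # constructed lines in the assumed format
    '203.0.113.10 - - [28/May/2026:03:14:07 -0400] "POST /PSEMHUB/hub HTTP/1.1" 200 2048',
    '10.20.30.40 - - [28/May/2026:03:14:09 -0400] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.10 - - [28/May/2026:03:15:22 -0400] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9981',
    '198.51.100.7 - - [28/May/2026:03:16:01 -0400] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 311',
    '203.0.113.10 - - [28/May/2026:03:17:45 -0400] "GET /PSEMHUB/hub HTTP/1.1" 200 120',
]

def demo_filesystem():
    """Build a constructed PeopleSoft-like tree in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "PSEMHUB.war" / "scratchpad").mkdir(parents=True)
        (root / "PSEMHUB.war" / "index.html").write_text("placeholder")
        (root / "PSEMHUB.war" / "unexpected.jsp").write_text("placeholder")
        env = root / "envmetadata" / "data" / "environment"
        env.mkdir(parents=True)
        (env / "fresh.xml").write_text("<java/>")  # written just now: inside the window
        stale = env / "stale.xml"
        stale.write_text("<java/>")
        old = time.time() - 30 * 24 * 3600
        os.utime(stale, (old, old))  # 30 days old: outside the window, not reported
        return hunt_filesystem(root)

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_LOG):
        print("access-log hit:", hit)
    for kind, rel in demo_filesystem():
        print("filesystem hit:", kind, rel)
```

Two caveats when running this against real data: if a load balancer or reverse proxy sits in front of WebLogic, the client column holds the proxy's address and the true source must be taken from a forwarded-for header that the proxy has been configured to log; and the `known_jsp` baseline should be built from a clean install of the same PeopleTools release, since only `.jsp` files absent from that baseline are meaningful.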
Prompt application of Oracle’s official update for the relevant PeopleTools version, once confirmed available on My Oracle Support, is the definitive solution once initial mitigations are in place.
ShinyHunters’ Evolving Tactics and Future Concerns
ShinyHunters has indicated that victim outreach has recently commenced, and the majority of implicated organizations have not yet had their data publicly disclosed, suggesting more announcements are likely. The group’s operational history highlights a recent trend of leveraging vishing, stolen authentication tokens, and weak access controls to compromise SaaS and educational platforms, including Salesforce and Canvas.
The exploitation of a server-side zero-day in an on-premises ERP system like Oracle PeopleSoft represents a significant escalation in the group’s attack methodology, targeting the same highly valuable data repositories. The key question remains whether this incident was a singular event involving a borrowed or acquired zero-day exploit, or if it signifies ShinyHunters’ strategic shift towards more complex ERP exploitation. The ongoing development of their attack vectors warrants continuous monitoring and proactive defense by organizations relying on critical business systems.