Oracle PeopleSoft Zero-Day Exploited by ShinyHunters in Data Theft Attacks
Oracle has warned customers about a critical PeopleSoft vulnerability that was exploited as a zero-day in attacks tied to ShinyHunters. The flaw is tracked as CVE-2026-35273 and affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.
The vulnerability allows unauthenticated remote code execution over HTTP. The NVD entry gives it a CVSS 3.1 score of 9.8 and says successful exploitation can result in takeover of PeopleSoft Enterprise PeopleTools.
Mandiant and Google Threat Intelligence Group said they identified an active compromise and extortion campaign targeting PeopleSoft application infrastructure. The activity was observed between May 27 and June 9, 2026, before Oracle released its advisory, which is why the flaw is classified as a zero-day.
PeopleSoft attacks focused on PSEMHUB endpoints
The attacks targeted the Environment Management component, including Environment Management Hub, also known as PSEMHUB. In their technical report, Mandiant and GTIG said the observed exploitation directly aligned with targeting of PSEMHUB endpoints.
PeopleSoft is used by large organizations to manage business systems such as human resources, finance, supply chain operations, and student administration. Reuters reported that Google notified more than 100 organizations whose IP addresses matched potentially vulnerable endpoints, with 68% in higher education.
The campaign was attributed to UNC6240, also known as ShinyHunters. The group has a history of data theft and extortion, and this campaign led to stolen data being published on the ShinyHunters data leak site on June 9.
| Vulnerability | Affected product | Severity | Attack requirements | Impact |
| --- | --- | --- | --- | --- |
| CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 | Critical, CVSS 9.8 | No authentication, network access over HTTP | Remote code execution and possible takeover |
Attackers used MeshCentral agents disguised as Azure tools
Google said the attackers used five staging IP addresses, from 142.11.200.186 through 142.11.200.190. These systems hosted Python SimpleHTTP servers on port 8888 and exposed staging files, command history, and customized MeshCentral agents.
The Windows MeshCentral agents used file names that looked like legitimate Microsoft Azure services, including meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe. They were configured to communicate with azurenetfiles.net, a domain chosen to resemble an Azure-related service.
The attackers also used MeshCentral command-line tooling to run commands on compromised systems. Their command history showed PeopleSoft reconnaissance, including checks against psappsrv.cfg, NFS mounts, and WebLogic config.xml files.
Lateral movement and extortion followed the initial compromise
After gaining access, the attackers deployed a script named [victim_abbreviation]_fanout.sh to /tmp. Google said the script automated SSH credential spraying against internal hosts listed in /etc/hosts.
If the script found valid credentials, it copied an extortion marker named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories. This made the attack more than a simple vulnerability scan.
The attackers compressed stolen data with zstd and connected to infrastructure linked to the ShinyHunters data leak site. Reuters also reported that Google tied the campaign to ShinyHunters and said the activity took place before Oracle’s patch was available.
Higher education was the main target
Google said most of the more than 100 notified organizations were based in the United States, and 68% were in the higher education sector. Universities can be attractive targets because PeopleSoft systems may hold student, staff, payroll, financial aid, and identity data.
The University of Nottingham was one publicly reported victim. ITPro reported that personal data belonging to about 450,000 current and former students was accessed, while ShinyHunters claimed it had obtained more than 40GB of data.
Public reports said the exposed information may include names, contact details, course records, student and staff IDs, financial information, and national insurance numbers. The university said it took affected systems offline after detecting the incident and contacted affected students and alumni.
What defenders should check first
The first priority is to apply Oracle’s fix or mitigation for PeopleSoft PeopleTools 8.61 and 8.62. Organizations should also determine whether PSEMHUB endpoints were reachable from the internet before June 10.

Google recommends disabling the EMHub service in multi-server configurations or removing the PSEMHUB application in single-server configurations where appropriate. If that cannot be done, organizations should block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector.
- Apply Oracle’s security alert guidance for affected PeopleTools versions.
- Block external access to /PSEMHUB/*, especially /PSEMHUB/hub.
- Block or restrict /PSIGW/HttpListeningConnector from untrusted networks.
- Search PIA WebLogic access logs for suspicious POST requests to PSEMHUB and PSIGW endpoints.
- Scan PSEMHUB directories for unexpected JSP files, staging files, and new XML files.
- Review outbound SMB traffic from PeopleSoft hosts to external destinations.
Key indicators linked to the campaign
Security teams should compare logs, endpoint telemetry, proxy data, and firewall records against the indicators disclosed by Google. These indicators should support hunting, but they should not replace broader forensic review.
| Indicator | Type | Why it matters |
| --- | --- | --- |
| 142.11.200.186 to 142.11.200.190 | IP addresses | Attacker staging infrastructure |
| azurenetfiles.net | Domain | MeshCentral command and control domain |
| meshagent64-azure-ops.exe | File name | Disguised Windows MeshCentral agent |
| README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | File name | Extortion marker placed in PeopleSoft-related directories |
| [victim_abbreviation]_fanout.sh | Script name pattern | Lateral movement and propagation script |
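The access-log review in the checklist above and the indicator hunt described under this table, as one added example that is not from the article or from Google's report: a Python hunt over constructed WebLogic access-log lines (Common Log Format is assumed) that flags POST requests to the /PSEMHUB/ and /PSIGW/HttpListeningConnector paths and source addresses in the disclosed 142.11.200.186-190 staging range, and notes whether each hit falls inside the observed May 27 to June 9, 2026 window. The sample entries and the log layout are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample lines in Common Log Format (WebLogic's default access log).
# Only the paths, the IP range and the dates come from the article; the rest is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:03:14:07 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123
142.11.200.188 - - [02/Jun/2026:11:42:19 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 318
198.51.100.23 - - [05/Jun/2026:22:08:51 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1024
192.0.2.10 - - [15/Jun/2026:09:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Disclosed staging infrastructure: 142.11.200.186 through 142.11.200.190.
STAGING_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
# Endpoints the advisory says to restrict: /PSEMHUB/* and /PSIGW/HttpListeningConnector.
WATCHED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Observed activity window, May 27 to June 9, 2026 inclusive (end bound is exclusive).
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)

def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def assess(rec):
    """List the reasons a parsed request deserves attention (empty list if none)."""
    reasons = []
    if rec["method"] == "POST" and rec["path"].startswith(WATCHED_PREFIXES):
        reasons.append("POST to PSEMHUB/PSIGW endpoint")
    try:
        if ipaddress.ip_address(rec["ip"]) in STAGING_IPS:
            reasons.append("source in disclosed staging range")
    except ValueError:
        pass  # malformed client field; keep the other checks
    if WINDOW_START <= rec["ts"] < WINDOW_END:
        reasons.append("inside observed attack window")
    return reasons

def hunt(log_text):
    """Return (ip, path, status, reasons) for each line that hits an endpoint or IP indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        # The window alone is not suspicious; report only endpoint or IP matches.
        if any(r != "inside observed attack window" for r in reasons):
            hits.append((rec["ip"], rec["path"], rec["status"], reasons))
    return hits
```

A 403 on a watched path after the window (last sample line) is still reported, since a blocked probe is worth knowing about even when the control held.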
CISA added the flaw to its known exploited list
The NVD record shows that CISA added CVE-2026-35273 to the Known Exploited Vulnerabilities catalog on June 12, 2026. That confirms federal-level tracking of active exploitation risk.
Because this flaw can be exploited without authentication, exposed PeopleSoft systems should receive urgent attention. Organizations should not wait for evidence of data theft before applying the advisory and checking logs.
Google’s report also warns that relying only on WAF body-inspection rules is not enough, since the relevant controls can be bypassed. Network restrictions and direct mitigation of the vulnerable component matter more.
PeopleSoft customers should act immediately
Oracle says the vulnerability is remotely exploitable without authentication and may lead to remote code execution. The company strongly recommends immediate action and says customers should stay on actively supported versions with Critical Patch Updates, Critical Security Patch Updates, and Security Alerts applied without delay.
Organizations should also treat any exposed PSEMHUB or PSIGW access during the attack window as a reason for deeper investigation. This includes reviewing web-tier file changes, access logs, outbound network traffic, SSH activity, and signs of MeshCentral agent deployment.
The Reuters report shows that the campaign had already reached a large group of potential victims before public disclosure. The Nottingham case shows why universities and other data-rich organizations should move quickly from patching to incident review.
FAQ
CVE-2026-35273 is a critical remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. It affects versions 8.61 and 8.62 and can be exploited over HTTP without authentication.
Yes. Mandiant and Google Threat Intelligence Group said activity was observed between May 27 and June 9, 2026, before Oracle issued its June 10 advisory, so the vulnerability was exploited as a zero-day.
Google attributed the compromise and extortion campaign to UNC6240, also known as ShinyHunters. The campaign targeted Oracle PeopleSoft application infrastructure, with higher education heavily represented among notified organizations.
Oracle lists PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 as affected. PeopleSoft Enterprise Applications customers may also be affected because they use PeopleTools components.
Administrators should apply Oracle’s security alert guidance, disable or remove EMHub where possible, block external access to PSEMHUB and PSIGW endpoints, review WebLogic logs, hunt for unexpected JSP and XML files, and investigate signs of MeshCentral agent deployment.