Nissan Confirms Employee Data Breach After Oracle PeopleSoft Zero-Day Attacks
Nissan North America has confirmed a data breach involving employee information after attackers exploited a critical Oracle PeopleSoft vulnerability in a broader zero-day campaign.
The breach notice filed with the California Attorney General’s Office lists Nissan North America Inc. as the organization and places the known breach period between May 27, 2026, and June 9, 2026.
The campaign is tied to Oracle’s CVE-2026-35273 security alert, which covers a critical flaw in PeopleSoft Enterprise PeopleTools. Oracle released its advisory on June 10, 2026, after attackers had already used the bug in real-world intrusions.
Nissan says employee records may have been exposed
Nissan Americas uses Oracle PeopleSoft to manage employee information, including payroll, tax administration, and personnel records. The company said Oracle informed it that a cyber event may have exposed personnel records from hundreds of companies.
According to BleepingComputer, Nissan later learned that it was specifically targeted in the campaign. The company said its investigation remains in the early stages.
The incident is believed to affect current and former Nissan employees in the United States, Canada, Mexico, and Brazil. The company has not publicly confirmed the total number of people affected.
| Item | Confirmed detail |
|---|---|
| Company | Nissan North America Inc. |
| Software involved | Oracle PeopleSoft PeopleTools |
| Vulnerability | CVE-2026-35273 |
| Known breach dates | May 27, 2026, to June 9, 2026 |
| Potentially affected people | Current and former employees in the U.S., Canada, Mexico, and Brazil |
| Campaign attribution | Mandiant and Google Threat Intelligence Group attribute the broader campaign to UNC6240, also known as ShinyHunters |
What information may have been involved
Nissan said the exposed information may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent or beneficiary information.
The company said it activated incident response procedures, hired outside cybersecurity specialists, secured affected systems, and worked with Oracle to address the issue.
Nissan also said it would offer free credit monitoring and dark web monitoring where available. The company is restricting access to pay slips and direct deposit changes to corporate network computers or secure VPN connections while adding identity checks for payroll requests.
- Employee contact information
- Banking information
- Social Security numbers
- Social Insurance Numbers
- National Identification Numbers
- Financial and tax information
- Dependent and beneficiary information
CVE-2026-35273 affects Oracle PeopleSoft PeopleTools
The flaw behind the wider campaign is tracked as CVE-2026-35273. The National Vulnerability Database rates it as a critical 9.8 vulnerability affecting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.
The vulnerability sits in the Updates Environment Management component. Oracle says it can be exploited remotely without authentication and may allow remote code execution.
That combination makes the issue especially serious for exposed PeopleSoft systems. Attackers do not need valid credentials or user interaction if they can reach a vulnerable endpoint over the network.
| CVE detail | Value |
|---|---|
| CVE ID | CVE-2026-35273 |
| CVSS score | 9.8 critical |
| Affected product | Oracle PeopleSoft Enterprise PeopleTools |
| Affected versions | 8.61 and 8.62 |
| Component | Updates Environment Management |
| Attack vector | Network access over HTTP |
| Authentication required | No |
| Possible impact | Takeover of PeopleSoft Enterprise PeopleTools |
Oracle issued an emergency security alert
Oracle published the PeopleSoft security alert on June 10, 2026. The company urged customers to take immediate action and apply the recommended mitigations.
The flaw later appeared in CISA’s Known Exploited Vulnerabilities catalog, which means U.S. authorities have evidence of active exploitation.
The NVD entry also references CISA’s action and confirms the affected PeopleTools versions. Organizations running PeopleSoft should treat this as an emergency patching and compromise-assessment event, not only a routine update.
Mandiant links the campaign to ShinyHunters
Mandiant and Google Threat Intelligence Group tracked the broader campaign as UNC6240, also known as ShinyHunters. The Mandiant report said the activity was observed between May 27 and June 9, 2026.
That timing is important because it predates Oracle’s June 10 advisory. Mandiant said the vulnerability was exploited as a zero-day because defenders did not yet have the public advisory or mitigation guidance.
Mandiant also said it notified more than 100 organizations whose IP addresses matched potentially vulnerable endpoints. Most were in the United States, and 68% operated in higher education.
Attackers used MeshCentral agents and fake Azure branding
The campaign used customized MeshCentral agents disguised as legitimate cloud-related files. Mandiant said the attackers staged Windows agent binaries with names such as meshagent64-azure-ops.exe and configured them to connect to azurenetfiles[.]net.
MeshCentral is a legitimate remote management tool, but attackers can abuse such tools to run commands, move laterally, and maintain control over compromised hosts.
The attackers also used command histories, staging directories, and scripts to map PeopleSoft configurations, inspect internal files, and move through environments after the initial compromise.
| Indicator type | Indicator | Description |
|---|---|---|
| IP range | 142.11.200[.]186 to 142.11.200[.]190 | Staging infrastructure observed by Mandiant |
| Domain | azurenetfiles[.]net | C2 domain chosen to resemble Microsoft Azure NetApp Files branding |
| URL path | /PSEMHUB/hub | PeopleSoft endpoint defenders should check in logs |
| URL path | /PSIGW/HttpListeningConnector | Endpoint tied to SSRF-style exploitation checks |
| Filename | meshagent64-azure-ops.exe | Preconfigured Windows MeshCentral agent |
| Filename | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Extortion marker file observed in the campaign |
| Archive format | .tar.zst | Data compressed with zstd during exfiltration activity |
Why PeopleSoft attacks can cause major damage
PeopleSoft systems often hold payroll, tax, HR, finance, supply-chain, and administrative data. A breach can expose both sensitive personal information and internal operational records.
This is why the Nissan breach carries more risk than a limited website incident. Payroll and employee-management platforms usually contain identifiers, tax data, banking details, and records needed for benefits administration.
The Nissan breach report also notes that employees whose information is confirmed to have been exposed will receive additional notifications with more details about the impacted data.
What PeopleSoft administrators should do now
Organizations running PeopleSoft Enterprise PeopleTools 8.61 or 8.62 should apply Oracle’s mitigation guidance immediately and review whether PSEMHUB endpoints were reachable from the internet or other untrusted networks.
Mandiant recommends disabling the Environment Management Hub service in multi-server configurations or removing the PSEMHUB application in single-server configurations where possible. If that cannot be done, organizations should block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector.
The same guidance recommends checking PeopleSoft Internet Architecture WebLogic access logs for suspicious POST requests and reviewing web-tier filesystems for unexpected JSP files or suspicious directories under PSEMHUB paths.
- Apply Oracle’s CVE-2026-35273 mitigation guidance immediately.
- Disable EMHub or remove PSEMHUB where the environment allows it.
- Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector.
- Check access logs for suspicious POST requests from external IP addresses.
- Search PeopleSoft web-tier directories for unexpected JSP files.
- Look for unknown directories named logs, persistantstorage, or scratchpad under PSEMHUB paths.
- Monitor outbound SMB traffic from PeopleSoft servers to external destinations.
- Rotate credentials that may have been accessible from compromised PeopleSoft systems.
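The access-log check from the list above can be scripted. The following is an added example, not code from Oracle, Mandiant, or Nissan: it flags POST requests to the two endpoint paths from addresses outside the networks a site treats as internal, on or after May 27, 2026. It assumes the WebLogic access log is in Common Log Format; the internal network list, the function names, and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Paths named in the guidance above; the prefix match covers /PSEMHUB/*.
WATCHED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Assumption: networks this site treats as internal; adjust per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# First day of the activity window reported for the campaign.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
# Assumption: Common Log Format (client, ident, user, [time], "request", status, bytes).
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def is_external(ip_text):
    """True when the client address is outside every internal network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # a hostname or junk in the client field deserves a look
    return not any(ip in net for net in INTERNAL_NETS)

def suspicious_posts(lines, since=WINDOW_START):
    """Return (time, client, path, status) for external POSTs to watched paths."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if path.startswith(WATCHED_PREFIXES) and is_external(m["ip"]) and when >= since:
            hits.append((when.isoformat(), m["ip"], path, int(m["status"])))
    return hits

# Constructed sample lines using documentation IP ranges, not real campaign traffic.
SAMPLE = [
    '203.0.113.45 - - [28/May/2026:03:12:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.1.7 - - [28/May/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 498',
    '198.51.100.9 - - [02/Jun/2026:11:40:31 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0',
    '203.0.113.45 - - [28/May/2026:03:12:40 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9001',
    '198.51.100.9 - - [01/May/2026:08:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE):
        print(hit)
```

Where a load balancer or reverse proxy sits in front of the web tier, the client field holds the proxy's address, so run the same check against the proxy's own logs or a forwarded-client field.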
CISA listing increases the urgency
CISA’s KEV listing for CVE-2026-35273 adds pressure for rapid remediation because the catalog focuses on flaws already used in attacks.
Federal agencies must follow CISA remediation requirements, but private organizations should also treat KEV-listed vulnerabilities as high priority. Attackers often move faster once public indicators, proof-of-concept details, or victim reports circulate.
For PeopleSoft owners, patching alone may not be enough. Since exploitation began before the advisory, administrators should hunt for compromise even after applying mitigations.
Nissan employees should watch for fraud attempts
Nissan said it will contact affected individuals where it determines that data was exposed. Employees and former employees should watch for mail, email, payroll, banking, and tax-related fraud attempts.
The California breach notification page links to Nissan’s employee and former-employee communications. The company is also adding safeguards around pay slip access and direct deposit changes.
Anyone who receives a breach notification should follow the company’s enrollment instructions for monitoring services, review bank accounts, and treat unexpected payroll-change messages with caution.
ERP platforms are now prime extortion targets
The Nissan disclosure shows how a single enterprise software zero-day can turn into a multi-organization data breach campaign. Attackers no longer need to compromise each company through separate phishing or endpoint malware when a shared enterprise platform gives them direct access to valuable data.
The Google Cloud analysis shows the campaign combined zero-day exploitation, remote management tooling, lateral movement, data compression, and extortion-site publication.
The practical takeaway is clear. Organizations should inventory PeopleSoft exposure, apply Oracle guidance, review logs from late May through June, and prepare for credential rotation if they find any sign of compromise.
FAQ
Nissan North America confirmed a breach involving employee information after attackers exploited an Oracle PeopleSoft vulnerability in a broader zero-day data theft campaign.
CVE-2026-35273 is a critical Oracle PeopleSoft PeopleTools vulnerability in the Updates Environment Management component. It can be exploited remotely without authentication and may allow takeover of affected PeopleTools systems.
Nissan said the data may include contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent or beneficiary information.
Mandiant and Google Threat Intelligence Group attributed the broader PeopleSoft exploitation campaign to UNC6240, also known as ShinyHunters.
Administrators should apply Oracle’s mitigation guidance, restrict PSEMHUB and PSIGW endpoints from external access, review logs from late May through June, hunt for webshells and MeshCentral indicators, and rotate credentials exposed to affected PeopleSoft systems.