ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach 100+ Universities

The ShinyHunters extortion crew exploited an unauthenticated remote code execution zero-day in Oracle PeopleSoft to breach more than 100 organizations between May 27 and June 9, 2026. Oracle did not publish its advisory until June 10, leaving every victim exposed during the entire two-week attack window. Google's Mandiant attributes the campaign to UNC6240 and confirms universities bore the brunt: 68 percent of notified organizations were in higher education, most of them in the United States.

The Vulnerability: CVE-2026-35273

CVE-2026-35273 is a 9.8-severity flaw in PeopleSoft Enterprise PeopleTools that requires no authentication, no user interaction, and only network access over HTTP. The vulnerability sits in the Updates Environment Management component—the code behind the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools 8.61 and 8.62 as affected and warns that earlier, unsupported versions are likely vulnerable as well.

If your PeopleSoft Environment Management Hub is reachable from the internet, you have exposure. Mandiant CTO Charles Carmakal confirmed active exploitation in the wild. Oracle credited researchers from TrendAI Zero Day Initiative and TrendAI Research for the discovery but has not publicly acknowledged whether it observed exploitation before patching.

Operational Security Failure Exposed the Attack Infrastructure

The campaign came to light because the attackers left their staging servers exposed. Security researcher @nahamike01 flagged open directories on five sequential IP addresses running Python's SimpleHTTP server on port 8888. Mandiant triaged the servers and found a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script named [victim]_fanout.sh.

The MeshCentral agents called home to a command-and-control server at azurenetfiles.net, a domain designed to resemble Azure NetApp Files. The lateral-movement script spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file—README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT—into PeopleSoft directories. The bash history shows stolen data compressed with zstd and an outbound SSH connection to the server hosting the public mirror of the ShinyHunters leak site.

Confirmed Victim: University of Nottingham

The University of Nottingham is one of the first publicly confirmed victims. Have I Been Pwned has counted approximately 455,000 unique email addresses in the leaked dataset, covering current students and alumni. The exposed data includes names, addresses, phone numbers, passport numbers, and sensitive details on ethnicity and disabilities. The university has confirmed the breach.

ShinyHunters has stated that victim outreach has only just started and that it has not yet posted most of the organizations it claims to have compromised. More names are likely coming.

Hunt for Indicators of Compromise

Mandiant recommends immediate threat hunting for signs of exploitation, even if you have already applied mitigations. The following indicators suggest an existing compromise:

• WebLogic access logs showing external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector
• Unexpected .jsp files under the PSEMHUB.war web application directory
• Odd folders named logs, persistantstorage, or scratchpad under PSEMHUB paths
• Recently modified .xml files under the web doc root's envmetadata/data/environment directory, which can be abused for XMLDecoder persistence that executes on the next server restart
• Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations, which the exploit chain may use to capture machine-account NetNTLM hashes

ShinyHunters Levels Up

This campaign represents a tactical shift for ShinyHunters. The group has historically leaned on vishing, stolen tokens, and weak access controls to steal data from SaaS and education platforms—from Salesforce customers to Canvas LMS deployments. A server-side zero-day in on-premises ERP software is a significant step up, aimed at the same data-rich targets but exploiting infrastructure that enterprises typically consider more secure than cloud SaaS.

The open question is whether CVE-2026-35273 was a one-off borrowed zero-day or the start of ShinyHunters moving into ERP exploitation as a core capability. Either way, the campaign demonstrates that extortion crews are expanding their toolkit beyond credential stuffing and social engineering. Universities and enterprises running legacy on-premises ERP systems should treat this as a wake-up call: attackers are now investing in zero-day research targeting the software that houses your most sensitive data.

Recommendations

• Disable the Environment Management Hub service or remove PSEMHUB application if operationally feasible
• Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter—network-layer restrictions, not just WAF rules
• Hunt for the IOCs listed above in WebLogic logs, file system, and network traffic
• Apply Oracle's PeopleTools patch for CVE-2026-35273 as soon as it is confirmed available in My Oracle Support
• Review all internet-facing PeopleSoft endpoints and restrict access to only trusted networks where possible
• Monitor for outbound connections to azurenetfiles.net and any unusual SSH or SMB traffic from ERP hosts