CVE-2026-35273 (CVSS 9.8): ShinyHunters Exploited Oracle PeopleSoft as a Zero-Day for 13 Days — 100+ Organisations Breached
It took ShinyHunters just thirteen days to drain data from more than 100 organisations — and every single breach began through the same unauthenticated endpoint in Oracle PeopleSoft that had been quietly exploitable since long before Oracle shipped a patch. If your enterprise runs PeopleTools 8.61 or 8.62, and you have not yet applied Oracle’s June 10, 2026 out-of-band fix, you have effectively left the front door unlocked — with a welcome mat outside. (The Hacker News | Rapid7 ETR | SecurityWeek | Help Net Security)
- CVE-2026-35273 is a CVSS 9.8 unauthenticated Server-Side Request Forgery → Remote Code Execution flaw in Oracle PeopleSoft PeopleTools 8.61 and 8.62.
- The threat actor ShinyHunters (UNC6240), attributed by Google Mandiant, exploited this as a zero-day from May 27 to June 9, 2026 — a 13-day head start before Oracle’s patch.
- More than 100 organisations and 300+ PeopleSoft instances were compromised; 68% were universities.
- CISA added CVE-2026-35273 to the Known Exploited Vulnerabilities (KEV) catalog on June 12, 2026, mandatory patch deadline for U.S. federal agencies.
- Post-exploitation included MeshCentral agents disguised as Microsoft Azure binaries, lateral movement scripts, and data exfiltration via SSH using zstd compression.
- Oracle’s out-of-band patch shipped June 10, 2026. If you haven’t applied it yet, this is your only task today.
The Vulnerability: One Unauthenticated Endpoint, Unlimited Damage
CVE-2026-35273 lives inside the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools — specifically the Environment Management Hub, reachable at the path /PSEMHUB/hub. Rapid7’s engineering team also identified the adjacent endpoint /PSIGW/HttpListeningConnector as a secondary attack surface.
The flaw is classified as a Server-Side Request Forgery (SSRF) that chains into Remote Code Execution. An unauthenticated attacker with nothing more than HTTP access to the server can force PeopleTools to make outbound SMB connections (TCP port 445) to attacker-controlled destinations. This captures the Windows machine-account NetNTLM hash — a primitive that ShinyHunters used as a stepping stone to full code execution and lateral movement across affected networks. No username, no password, no interaction from any user: just a crafted HTTP request.
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-35273 |
| CVSS v3.1 Score | 9.8 — Critical |
| Attack Vector | Network / No Authentication / No User Interaction |
| Vuln Type | SSRF → RCE (Unsafe deserialization / SMB relay) |
| Affected Versions | PeopleTools 8.61, 8.62 (older unsupported versions likely vulnerable) |
| Vulnerable Endpoints | /PSEMHUB/hub, /PSIGW/HttpListeningConnector |
| Zero-Day Window | May 27 – June 9, 2026 (13 days) |
| Patch Released | June 10, 2026 (Oracle out-of-band security alert) |
| CISA KEV Added | June 12, 2026 |
ShinyHunters at Scale: From Campus to Campus in 13 Days
Google’s Mandiant team formally attributed this campaign to UNC6240, the cluster designation for the financially motivated collective known publicly as ShinyHunters. This is not a nation-state actor pursuing geopolitical aims — ShinyHunters operates as a data-theft-and-extortion gang. They identify high-value targets, exfiltrate sensitive records at volume, and then monetise through public leak sites and ransom negotiations.
In this campaign the group compromised more than 300 PeopleSoft instances across over 100 organisations during the 13-day zero-day window. The University of Nottingham’s exposure alone numbered approximately 455,000 email records including names, postal addresses, phone numbers, passport numbers, ethnicity details, and disability information — categories that make this a serious personal data incident under GDPR and equivalent frameworks. In the Indian context, it is equally significant given India’s Digital Personal Data Protection Act (DPDPA): any Indian university or enterprise running PeopleSoft faces mandatory breach-notification obligations if their instances were exposed.
Notably, 68% of identified victims were universities — a sector that routinely runs internet-facing PeopleSoft for student information systems, HR, and finance, often with under-resourced security teams. The lesson for every CISO in higher education: PeopleSoft is not an internal ERP tucked safely behind a campus firewall. It is an internet-facing application that must be hardened and patched with the same urgency as a perimeter firewall.
This pattern of Oracle enterprise products being targeted is not new. Earlier this year we documented how Oracle E-Business Suite (CVE-2026-46817) came under active attack — demonstrating that threat actors actively trawl for exposed Oracle infrastructure across the globe.
Post-Exploitation Playbook: Hiding in Azure’s Shadow
Once inside a compromised PeopleSoft host, ShinyHunters moved with operational sophistication designed to evade detection.
The group deployed MeshCentral remote-management agents, but renamed the binaries to mimic legitimate Microsoft Azure processes. Command-and-control traffic was directed to wss://azurenetfiles[.]net:443/agent.ashx — a domain crafted to blend into network logs alongside genuine Azure traffic. Security teams that do not inspect WebSocket streams or that whitelist *.azure* patterns wholesale would likely miss this entirely.
From the initial PeopleSoft beachhead, attackers:
- Performed internal reconnaissance of PeopleSoft configurations to identify additional credential stores and high-value data tables.
- Deployed lateral movement scripts to pivot deeper into connected enterprise systems.
- Compressed stolen data using zstd for speed and efficiency, then exfiltrated via SSH to attacker-controlled servers.
- Published exfiltrated data on ShinyHunters’ Data Leak Site (DLS) starting June 9, 2026 — one day before Oracle’s patch shipped.
The use of legitimate remote-management tooling (MeshCentral) as a post-exploitation vehicle is a trend I see repeatedly in incident response engagements. If your SOC is not alerting on new RMM agent installations on servers — especially those disguised with cloud-provider naming conventions — this campaign is a wake-up call. If you want to understand what happens inside a compromised environment during the first hour, I’ve written about the first-60-minutes ransomware playbook and the defensive gaps that make lateral movement so fast.
What You Should Do Right Now
Immediate action is the only correct response to a CVSS 9.8 KEV-listed vulnerability with a public exploit chain. Here is the prioritised checklist I’m handing to every client running Oracle PeopleSoft:
1. Patch — No Exceptions, No Delays
Apply Oracle’s out-of-band security alert patch for CVE-2026-35273 on an emergency basis. If your change management process requires a maintenance window, declare an emergency change and bypass the queue. A CVSS 9.8 KEV with an active exploit is precisely the scenario emergency change procedures exist for.
2. Restrict or Disable PSEMHUB
If you cannot patch immediately, disable the Environment Management Hub service or block all external access to /PSEMHUB/hub and /PSIGW/HttpListeningConnector at your WAF or perimeter firewall. PeopleSoft’s PSEMHUB is an administrative component — it has no business being accessible from the internet or from untrusted network segments.
3. Block Outbound SMB at the Perimeter
The exploitation chain relies on outbound SMB (TCP port 445) from the PeopleSoft server to an attacker-controlled host. If your firewall policy allows PeopleSoft servers to initiate outbound SMB, that policy needs to change today. Egress filtering is foundational zero-trust hygiene — if you haven’t had that conversation with your leadership yet, my guide on explaining zero-trust to a CFO gives you the framing.
4. Hunt for Active Compromise
If you haven’t patched already, assume you may already be compromised and run a retrospective hunt before trusting your environment. Check for:
- HTTP/HTTPS requests to
/PSEMHUB/hubor/PSIGW/HttpListeningConnectorfrom external IPs — especially from 51.159.98.241 (a known scanner IP associated with this campaign). - New executables or services on PeopleSoft hosts with Azure-sounding names but unsigned or anomalous binaries.
- Outbound WebSocket connections to
azurenetfiles[.]net. - Enable Rapid7’s IPS Rule 1012580 (“Oracle Peoplesoft PeopleTools SSRF Vulnerability”) and DDI Rule 5855 if you have compatible detection tooling.
- Unusual outbound SSH sessions, particularly those transferring compressed archives.
5. Notify Affected Individuals — Don’t Wait for Certainty
If your logs show exploitation activity, trigger your data breach response plan immediately. Under India’s DPDPA and most international frameworks, notification to the regulatory authority must happen within 72 hours of becoming aware of a breach. Delay costs far more than a prompt, good-faith notification.
Frequently Asked Questions
Is this vulnerability exploitable if PeopleSoft is behind a VPN or only accessible on the internal network?
Significantly reduced risk, yes — but not zero. If any internal machine that can reach the PeopleSoft PSEMHUB endpoint is ever compromised, an attacker already inside your network can pivot to PeopleSoft without credentials. The correct posture is: apply the patch regardless of network exposure, and segment PeopleSoft servers so only authorised application tiers can reach administrative components.
My organisation uses Oracle PeopleSoft version 8.60 or earlier — am I affected?
Oracle’s advisory specifically calls out PeopleTools 8.61 and 8.62. Older versions are outside Oracle’s support lifecycle, meaning no patch will be issued for them. If you are running an unsupported version, the SSRF mechanism likely exists in older builds as well. Upgrade to a supported, patched version or take the environment offline until you can.
ShinyHunters targeted universities — does this matter for Indian enterprises in other sectors?
Absolutely. Threat actors follow any target that runs the vulnerable software, regardless of sector. Indian enterprises in banking, manufacturing, logistics, and government that run PeopleSoft for HR or finance are equally exposed. ShinyHunters monetises stolen data broadly — payroll records, employee PAN details, and vendor contract data are all valuable to them. The university concentration in this campaign reflects where PeopleSoft is most commonly internet-facing, not a deliberate sector exclusion.
What does “CISA KEV” mean and why should non-US organisations care?
CISA’s Known Exploited Vulnerabilities catalog is the closest thing the security industry has to a universally trusted signal of active, real-world exploitation. A KEV listing means CISA has verified that attackers are actively using the flaw — not just that it theoretically could be exploited. For Indian IT and security teams, KEV is your shortlist of vulnerabilities that cannot be deferred to the next quarterly patching cycle. If it’s in KEV, treat it as on fire.
The Bigger Pattern: Oracle Keeps Appearing in Attacker Playbooks
This is the second time in 2026 that Oracle enterprise products have appeared in the CISA KEV with confirmed active exploitation. CVE-2026-35273 in PeopleSoft follows closely behind the Oracle E-Business Suite campaign we covered earlier this year. Oracle’s product estate — PeopleSoft, E-Business Suite, WebLogic, Fusion Middleware — is deeply embedded in large enterprises globally, including India’s banking, insurance, and public sector. That concentration makes it a high-value target. Security teams running Oracle infrastructure need to treat Oracle’s Critical Patch Updates and out-of-band advisories with the same operational urgency they give to Fortinet or Microsoft advisories.
The critical lesson from CVE-2026-35273 is not just “patch faster.” It is that threat actors exploit the gap between patch release and deployment — and in this case, they exploited a gap that didn’t even exist yet, because they were ahead of the vendor. Detection capability, egress filtering, and rapid incident response are the controls that limit damage when prevention fails. A 13-day zero-day window is not unusual. Your ability to detect and contain during those 13 days is what separates a manageable incident from a 455,000-record breach.
If you are reassessing your organisation’s exposure to unpatched internet-facing applications and want a structured vulnerability prioritisation and zero-trust network review, reach out for a security assessment. I work with enterprises and institutions across Delhi NCR and beyond to close exactly these gaps — before a ShinyHunters campaign does it for you.