ShinyHunters Exploited an Oracle PeopleSoft Zero-Day for Two Weeks Before Anyone Could Patch It

CVE-2026-35273 gave attackers unauthenticated remote code execution against hundreds of universities and enterprises. Over 100 organisations are confirmed breached, and ShinyHunters says victim outreach has only just beg

The story broke on June 11, 2026, but the attacks started on May 27. For thirteen days, a critical vulnerability in Oracle PeopleSoft had no fix, no public advisory, and no name. During that window, ShinyHunters walked straight into more than 100 organisations, took what they wanted, and are now demanding payment to keep it private.

This is the most significant enterprise security incident of the past 48 hours. If your organisation runs Oracle PeopleSoft, what you do in the next few hours matters.

What Happened

Mandiant and Google Threat Intelligence Group (GTIG) identified an active compromise and extortion campaign, attributed to UNC6240 (ShinyHunters), targeting Oracle PeopleSoft infrastructure. The activity ran between May 27 and June 9, 2026, and is consistent with exploitation of CVE-2026-35273, a critical remote code execution vulnerability in the Environment Management component with a CVSS score of 9.8.

Because the activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day. Every organisation hit during those two weeks had no patch to apply and no vendor warning to act on.

Among the confirmed victims is the University of Nottingham, which notified affected students and alumni directly. ShinyHunters claimed the breach and leaked tens of gigabytes of data, including personal and academic records of nearly half a million current and former students. The group says victim outreach has only just started and has not yet named most of the organisations it claims.

The Vulnerability: No Login, No Interaction, Full Takeover

CVE-2026-35273 lets remote, unauthenticated attackers with HTTP network access fully compromise PeopleSoft Enterprise PeopleTools. No credentials needed. No user interaction required.

The flaw sits in the Updates Environment Management component, the engine behind the Environment Management Hub (PSEMHUB). If that hub is reachable from the internet, everything behind it is reachable too.

Oracle confirmed the zero-day affects PeopleTools versions 8.61 and 8.62 and has issued emergency mitigations. As of June 11, 2026, a full patch has not yet shipped.

PeopleSoft is used by large corporations and institutions to manage HR, payroll, billing, supply chains, and student records. That is exactly the data ShinyHunters is after.

How the Attack Worked

Researchers reconstructed the full attack chain because ShinyHunters left their staging servers partially exposed online.

  • May 27, 2026, 22:14 UTC: Attackers installed MeshCentral v1.1.59 on their staging server.
  • 22:25 UTC: They added the acme-client npm package to automate Let's Encrypt SSL certificate provisioning for a masquerading domain.
  • Reconnaissance: Using the meshctrl.js CLI, they mapped PeopleSoft configurations by reading psappsrv.cfg, auditing active NFS mounts, and parsing WebLogic config.xml files.
  • Lateral movement: A custom propagation script dropped into /tmp performed SSH credential spraying against internal hosts parsed from /etc/hosts.
  • Marker file: Upon successful access, the script planted README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories.
  • Exfiltration: Stolen data was compressed with zstd and transferred outbound over SSH to infrastructure linked to the ShinyHunters leak site.
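The reconstruction above gives defenders two host-level indicators they can hunt for today: the marker file planted in WebLogic and Process Scheduler directories, and a propagation script dropped into /tmp. The following script is an added example for this post, not code from the article, Mandiant, GTIG or Oracle. Only the marker file name comes from the article; the directory layout, the 14-day lookback window and the throwaway demo tree are assumptions made for the example.

```python
"""Host-level hunt for the indicators the attack-chain reconstruction describes.

Added example; not code from the article, Mandiant, GTIG or Oracle. It walks
the given PeopleSoft directory roots for the marker file and lists recently
modified executable files in /tmp. Directory roots, the lookback window and
the demo tree are assumptions; adjust them to your own deployment.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# File name taken from the article; everything else in this file is constructed.
MARKER_NAME = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"


@dataclass(frozen=True)
class Finding:
    kind: str   # "marker_file" or "tmp_executable"
    path: str


def find_marker_files(roots):
    """Walk each root directory and report every copy of the marker file."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            if MARKER_NAME in files:
                hits.append(Finding("marker_file", str(Path(dirpath) / MARKER_NAME)))
    return hits


def find_recent_tmp_executables(tmp_dir="/tmp", max_age=14 * 86400, now=None):
    """Report executable regular files in tmp_dir modified within max_age seconds.

    The 14-day default covers the May 27 to June 9 window from the article.
    """
    now = time.time() if now is None else now
    hits = []
    tmp = Path(tmp_dir)
    if not tmp.is_dir():
        return hits
    for entry in tmp.iterdir():
        try:
            st = entry.lstat()          # lstat: do not follow symlinks left in /tmp
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        executable = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        if executable and now - st.st_mtime <= max_age:
            hits.append(Finding("tmp_executable", str(entry)))
    return hits


def hunt(roots, tmp_dir="/tmp", max_age=14 * 86400):
    """Combine both checks; an empty list means neither indicator was found."""
    return find_marker_files(roots) + find_recent_tmp_executables(tmp_dir, max_age)


def build_demo_tree():
    """Create a throwaway tree that mimics a hit host (constructed sample data).

    Returns (roots, tmp_dir) for hunt(). The layout is an assumption, not a
    real PeopleSoft install.
    """
    base = Path(tempfile.mkdtemp(prefix="psft-hunt-"))
    weblogic = base / "webserv" / "peoplesoft" / "applications"
    prcs = base / "appserv" / "prcs" / "PRCSDOM" / "LOGS"
    tmp = base / "tmp"
    for d in (weblogic, prcs, tmp):
        d.mkdir(parents=True)
    (weblogic / MARKER_NAME).write_text("constructed marker\n")
    (prcs / MARKER_NAME).write_text("constructed marker\n")
    (prcs / "psprcsrv.log").write_text("benign log line\n")
    script = tmp / "prop.sh"             # placeholder name; the file does nothing
    script.write_text("#!/bin/sh\n# constructed placeholder\n")
    script.chmod(0o755)
    (tmp / "notes.txt").write_text("benign, not executable\n")
    return [str(base / "webserv"), str(base / "appserv")], str(tmp)


def demo():
    """Run the hunt over the constructed tree and return the findings."""
    roots, tmp_dir = build_demo_tree()
    return hunt(roots, tmp_dir)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:15} {f.path}")
```

On a real host, call `hunt()` with the PS_HOME, PS_CFG_HOME and WebLogic domain roots of your install and the real `/tmp`; any `marker_file` finding is a confirmed indicator from the article, while `tmp_executable` findings still need manual review because legitimate installers also leave executables there.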

ShinyHunters confirmed to BleepingComputer they are behind the attacks, describing their method as a "gadget chain" of old and zero-day flaws.

Who Is at Risk

Google Threat Intelligence Group notified over 100 global organisations whose IP addresses correlated with potentially vulnerable endpoints. Sixty-eight percent of victims are in the higher education sector, but the attackers targeted both on-premises and cloud-hosted deployments across multiple industries.

ShinyHunters is a financially motivated group with some of the largest breaches on record to their name: Ticketmaster, AT&T, Canvas/Instructure (275 million records, May 2026), and the Vercel OAuth token breach in April 2026. Their 2026 campaign volume suggests either ongoing zero-day acquisition capability or active purchase from an exploit broker. That puts them in a different threat category than most financially motivated groups.

If your PeopleSoft instance is internet-reachable, it was in scope.

What You Must Do Right Now

Oracle's emergency advisory from June 10 gives clear interim steps. Act on them before the full patch arrives.

1. Block the exposed component immediately. Disable the Environment Management Hub service in multi-server configurations, or remove the PSEMHUB application entirely in single-server configurations. If you cannot disable it, block external access to /PSEMHUB/ and /PSIGW/HttpListeningConnector at your network perimeter or firewall.

2. Block outbound SMB. Block, and monitor for, outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations. The exploit chain may use this to capture machine-account NetNTLM hashes.

3. Check for signs of compromise. Audit psappsrv.cfg and review WebLogic access logs for unusual POST requests. Search your PeopleSoft directories for the marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT. The attackers are familiar with PeopleSoft internals and extracted credentials and node mappings directly from configuration files.

4. Apply Oracle's patch the moment it ships. Monitor My Oracle Support and apply the update for your PeopleTools version as soon as it is available.

5. Verify your PeopleTools version. The zero-day affects versions 8.61 and 8.62. If you are running an unsupported version, treat this as a critical emergency and escalate immediately.
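Steps 1 to 3 above translate directly into two triage checks: review WebLogic access logs for POST requests to the two paths Oracle says to block, and flag outbound SMB from PeopleSoft hosts. The script below is an added example for this post, not code from the article or from Oracle. The sensitive path prefixes come from step 1; the access log layout (WebLogic's common log format), the sample log lines, the `/PSEMHUB/hub` request path, the flow records and the list of internal address ranges are constructed assumptions for the example.

```python
"""Log and flow triage for the interim checks in the article.

Added example; not code from the article or from Oracle. It parses access
log lines in the common log format WebLogic writes by default, flags POST
requests to the paths Oracle's interim guidance names, marks which of those
came from outside your internal ranges, and separately flags outbound SMB
flows from PeopleSoft hosts. Sample lines, flows and ranges are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Paths named in the article's step 1; a POST to either deserves a look.
SENSITIVE_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Assumed internal address plan (RFC 1918 plus loopback and link-local);
# replace with your own ranges. Using an explicit list instead of
# ip.is_private keeps documentation addresses like 203.0.113.0/24 external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Common log format: host ident user [date] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; external sources use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
10.20.30.40 - - [05/Jun/2026:09:12:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18231
203.0.113.77 - - [05/Jun/2026:09:14:55 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 342
10.20.30.41 - - [05/Jun/2026:09:15:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 342
203.0.113.77 - - [05/Jun/2026:09:16:10 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 91
198.51.100.9 - - [05/Jun/2026:09:17:43 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0
garbage line that does not parse
"""

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.20.30.41", "10.20.30.5", 445),      # internal file server: expected
    ("10.20.30.41", "198.51.100.23", 445),   # SMB leaving the network: flag it
    ("10.20.30.41", "10.20.30.50", 22),      # internal SSH: not SMB
]


@dataclass(frozen=True)
class Alert:
    src: str
    ts: str
    path: str
    status: int
    external: bool


def is_external(addr):
    """True unless addr falls inside INTERNAL_NETWORKS.

    Values that are not IP addresses (e.g. hostnames) are treated as external
    so they are never silently dropped from review.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETWORKS)


def triage(lines):
    """Return an Alert for every POST to a sensitive path; skip unparseable lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue
        if not m["path"].startswith(SENSITIVE_PREFIXES):
            continue
        alerts.append(Alert(m["src"], m["ts"], m["path"], int(m["status"]),
                            is_external(m["src"])))
    return alerts


def external_sources(alerts):
    """Distinct external source addresses, sorted, ready for blocking or lookup."""
    return sorted({a.src for a in alerts if a.external})


def flag_outbound_smb(flows, peoplesoft_hosts):
    """Flows from a PeopleSoft host to an external destination on TCP 445."""
    return [f for f in flows
            if f[0] in peoplesoft_hosts and f[2] == 445 and is_external(f[1])]


if __name__ == "__main__":
    alerts = triage(SAMPLE_LOG.splitlines())
    for a in alerts:
        print(f"{'EXTERNAL' if a.external else 'internal':8} {a.src:15} {a.status} {a.path}")
    print("external sources:", external_sources(alerts))
    print("outbound SMB:", flag_outbound_smb(SAMPLE_FLOWS, {"10.20.30.41"}))
```

Internal POSTs to these paths are not ignored, only labelled, because the reconstruction shows the attackers moving laterally over SSH after the initial foothold; an internal source that has no business talking to PSEMHUB is still worth a look. Feed `triage()` the real access.log lines and `flag_outbound_smb()` your firewall or NetFlow export, and treat a non-empty result from either as a reason to start incident response rather than as proof of compromise on its own.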

The Bigger Picture

Two lessons stand out here. First, internet-exposed management components are a liability regardless of how mature the underlying software is. PSEMHUB was built for internal administrative use. Wherever it faces the public internet, it creates an architectural risk that sits outside the normal patch cycle.

Second, ShinyHunters has demonstrated the ability to acquire and weaponise zero-days against major enterprise platforms across multiple campaigns in 2026. That is a meaningful shift in what financially motivated groups are capable of.

The patch is coming. The risk management work, locking down management planes and monitoring for lateral movement, belongs to your team right now.

How 247techify Can Help

At 247techify, we help businesses audit externally exposed management infrastructure, prioritise critical patches under active exploitation, and build the monitoring needed to catch threats before they become breaches. If your organisation runs Oracle PeopleSoft or any enterprise ERP with public-facing components, get in touch with us and we will help you assess your exposure quickly and practically.

