ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities

The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest.

Google’s Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.

The flaw, CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10. It needs no login and no user interaction, just network access over HTTP, to take over the server. If you run PeopleSoft with the Environment Management Hub reachable from outside, that is your exposure, and the immediate move is to lock those endpoints down.

The vulnerability sits in the Updates Environment Management component, the piece behind the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools 8.61 and 8.62 as affected and says earlier, unsupported versions are probably vulnerable too. It credits researchers from TrendAI Zero Day Initiative and TrendAI Research for the report.

Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild; Oracle has not said whether it has seen exploitation. Its advisory points to a patch availability document behind a support login, and whether a full fix is broadly available is unclear. For now, the guidance centers on mitigation.

The operational detail became public because the attackers left their own gear exposed. Researcher @nahamike01 publicly flagged the open directories. Mandiant then triaged five sequential IP addresses running Python’s SimpleHTTP server on port 8888. Those servers exposed the staging files: a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script.

The agents called home to a command-and-control server at azurenetfiles.net, a domain picked to look like Azure NetApp Files. The script, named [victim]_fanout.sh, spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. The command history shows the data compressed with zstd and an outbound SSH connection to the server hosting the public mirror of the ShinyHunters leak site.

Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. Sixty-eight percent were in higher education, most of them in the United States. Some blocked the activity; others were compromised and had data posted to the leak site.

The University of Nottingham is one of the first confirmed victims. Have I Been Pwned has counted about 455,000 unique email addresses in the leaked set, covering current students and alumni, with names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach.

Oracle’s guidance is to disable the Environment Management Hub service on multi-server setups, or remove the PSEMHUB application outright on single-server setups. If you cannot do either, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter.

Mandiant warns that WAF body-inspection rules alone are not enough, since they can be bypassed. Restricting these endpoints does not break normal user sessions.