    ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities

    By InfoForTech | June 12, 2026


    Swati KhandelwalJun 11, 2026Vulnerability / Data Breach

    The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest.

    Google’s Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.

    The flaw, CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10. It needs no login and no user interaction, just network access over HTTP, to take over the server. If you run PeopleSoft with the Environment Management Hub reachable from outside, that is your exposure, and the immediate move is to lock those endpoints down.

    The vulnerability sits in the Updates Environment Management component, the piece behind the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools 8.61 and 8.62 as affected and says earlier, unsupported versions are probably vulnerable too. It credits researchers from TrendAI Zero Day Initiative and TrendAI Research for the report.

    Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild; Oracle has not said whether it has seen exploitation. Its advisory points to a patch availability document behind a support login, and whether a full fix is broadly available is unclear. For now, the guidance centers on mitigation.

    The operational detail became public because the attackers left their own gear exposed. Researcher @nahamike01 publicly flagged the open directories. Mandiant then triaged five sequential IP addresses running Python’s SimpleHTTP server on port 8888. Those servers exposed the staging files: a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script.

    The agents called home to a command-and-control server at azurenetfiles.net, a domain picked to look like Azure NetApp Files. The script, named [victim]_fanout.sh, spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. The command history shows the data compressed with zstd and an outbound SSH connection to the server hosting the public mirror of the ShinyHunters leak site.

    Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. Sixty-eight percent were in higher education, most of them in the United States. Some blocked the activity; others were compromised and had data posted to the leak site.

    The University of Nottingham is one of the first confirmed victims. Have I Been Pwned has counted about 455,000 unique email addresses in the leaked set, covering current students and alumni, with names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach.

    Oracle’s guidance is to disable the Environment Management Hub service on multi-server setups, or remove the PSEMHUB application outright on single-server setups. If you cannot do either, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter.

    Mandiant warns that WAF body-inspection rules alone are not enough, since they can be bypassed. Restricting these endpoints does not break normal user sessions.

    Then hunt for signs of an existing compromise:

    • WebLogic access logs showing external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector.
    • Unexpected .jsp files under the PSEMHUB.war web application directory, or odd folders named logs, persistantstorage, or scratchpad under the PSEMHUB paths.
    • Recently changed .xml files under the web doc root’s envmetadata/data/environment, which can be abused for XMLDecoder persistence that fires on the next restart.
    • Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations, which the exploit chain may use to capture machine-account NetNTLM hashes.
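
The first hunt item above, as an added example (not code from Oracle, Mandiant, or the article): a Python filter that pulls external POST requests to the two endpoints out of an access log. It assumes the log is in Common Log Format and that the listed private ranges are your internal address space; the sample lines are constructed and use documentation IP ranges.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoints named in the mitigation guidance; compared case-insensitively.
WATCHED = ("/psemhub/hub", "/psigw/httplisteningconnector")
# Assumption: address space that counts as "internal" for this site.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: the access log is in Common Log Format.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalize(target):
    """Decode %-escapes, drop query string and ;params, collapse slashes, lower-case."""
    path = unquote(target).split("?", 1)[0].split(";", 1)[0]
    return re.sub(r"/+", "/", path).lower().rstrip("/")

def is_external(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname or garbage in the client field: send it to review
    return not any(addr in net for net in INTERNAL)

def hunt(lines):
    """Return (timestamp, client, raw target, status) for external POSTs to watched endpoints."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        if method.upper() == "POST" and normalize(target) in WATCHED and is_external(client):
            hits.append((ts, client, target, int(status)))
    return hits

# Constructed sample lines, not real log data.
SAMPLE = [
    '10.1.4.20 - - [28/May/2026:02:11:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 312',
    '203.0.113.45 - - [28/May/2026:02:14:51 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 4096',
    '198.51.100.7 - - [28/May/2026:02:15:02 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 87',
    '203.0.113.45 - - [28/May/2026:02:16:40 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9021',
    '203.0.113.45 - - [28/May/2026:02:17:03 +0000] "POST /psemhub/hub;jsessionid=abc HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

If a reverse proxy or load balancer fronts WebLogic, the client field holds the proxy's address, so run the same filter over the proxy's own logs.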

    Apply Oracle’s update for your PeopleTools version once you confirm it is available in My Oracle Support.

    ShinyHunters says victim outreach has only just started, and it has not posted most of the organizations it claims, so more names are likely.

    The method is the bigger tell. ShinyHunters has lately leaned on vishing, stolen tokens, and weak access controls to steal data from SaaS and education platforms, from Salesforce customers to Canvas. A server-side zero-day in on-premises ERP software is a step up from that, aimed at the same data-rich targets.

    The open question is whether this was a one-off borrowed zero-day or the start of ShinyHunters moving into ERP exploitation.
