
ShinyHunters Oracle PeopleSoft Zero-Day Hit Universities Hard

Eng. Donya Bino
Updated on June 12, 2026

The ShinyHunters extortion crew pulled off something unusual. They exploited an unpatched vulnerability in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. Universities took the hardest hit.

The ShinyHunters Oracle PeopleSoft zero-day campaign ran between May 27 and June 9. Oracle didn't publish its advisory until June 10. That means for nearly two weeks, attackers had a head start that defenders didn't even know existed.

Mandiant attributes the activity to a group it tracks as UNC6240. The numbers are stark: Mandiant notified more than 100 organizations whose IP addresses corresponded to vulnerable PeopleSoft endpoints. Sixty-eight percent were in higher education, most of them in the United States.

Some organizations blocked the activity in time. Others weren't so lucky.

The Flaw: CVE-2026-35273

The vulnerability at the heart of the ShinyHunters Oracle PeopleSoft zero-day is CVE-2026-35273. It's a remote code execution bug in PeopleSoft Enterprise PeopleTools. The CVSS score is 9.8 out of 10.

Here's what makes it dangerous on any affected server:
1. No login required
2. No user interaction needed
3. Nothing more than network access over HTTP

An attacker who can reach the Environment Management Hub on a vulnerable server from outside can take over that server completely.

Oracle lists PeopleTools versions 8.61 and 8.62 as affected. Earlier, unsupported versions are likely vulnerable as well. The flaw sits in the Updates Environment Management component, the piece behind the Environment Management Hub (PSEMHUB).

Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild. Oracle credits researchers from TrendAI Zero Day Initiative and TrendAI Research for the report.

How the Attack Worked on Target Servers

The operational details of the ShinyHunters Oracle PeopleSoft zero-day became public because the attackers made a mistake. They left their own gear exposed on a server they controlled.

Researcher @nahamike01 publicly flagged open directories on an attacker-operated server. Mandiant then triaged five sequential IP addresses running Python's built-in SimpleHTTP server on port 8888.

Those servers exposed:
1. A shared .bash_history file from the attacker's workflow
2. Custom MeshCentral remote-management agents disguised as Microsoft Azure binaries
3. A lateral-movement script designed to run on compromised PeopleSoft servers

The agents called home to a command-and-control server at azurenetfiles.net, a domain chosen to look like legitimate Azure NetApp Files.

The lateral-movement script, named [victim]_fanout.sh, spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts on each compromised server. Then it drops a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories on the victim server.

The command history recovered from the attacker's own server shows the attackers compressed stolen data with zstd and used an outbound SSH connection to a different server hosting the public mirror of the ShinyHunters leak site.

The Victim: University of Nottingham

The University of Nottingham is one of the first confirmed victims of the ShinyHunters Oracle PeopleSoft zero-day. The attackers breached its PeopleSoft server and exfiltrated sensitive data.

Have I Been Pwned has counted about 455,000 unique email addresses in the leaked set, covering current students and alumni.

The exposed data includes:
1. Names and addresses
2. Phone numbers
3. Passport numbers
4. Details on ethnicity and disabilities

The university has confirmed the breach.
ShinyHunters says victim outreach has only just started. They haven't posted most of the organizations they claim. More names are almost certainly coming.

Who Is ShinyHunters?

ShinyHunters is a criminal extortion group. Its model is to steal sensitive data from organizations' databases and demand payment in exchange for not publishing it.

The group has drawn media attention for a string of earlier breaches, including:
1. Salesforce customers
2. Online education platforms (Canvas)
3. Other education and Software-as-a-Service (SaaS) companies

Their recent tactics have leaned on vishing (voice phishing), stolen tokens, and weak access controls. A server-side zero-day in on-premises ERP software is a step up from that. But the target profile is the same: data-rich organizations with vulnerable servers.

The open question is whether this was a one-off borrowed zero-day or the start of ShinyHunters moving into ERP exploitation at scale.

How to Protect Your PeopleSoft Server

Oracle's guidance is clear but not comprehensive. Here's what you need to do immediately if you run PeopleSoft with the Environment Management Hub reachable from the internet.

Immediate mitigation (do this today on every PeopleSoft server):
1. Disable the Environment Management Hub service on multi-server setups
2. Remove the PSEMHUB application outright on single-server setups
3. If you cannot do either, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the network perimeter

Important warning from Mandiant: WAF body-inspection rules alone are not enough. They can be bypassed. Network-layer blocking is the safer bet.

Restricting these endpoints does not break normal user sessions: browser traffic goes through the PIA servlets, not the hub or the gateway. Do check who legitimately posts to /PSIGW/HttpListeningConnector first, though. It is the Integration Broker gateway's inbound HTTP connector, so any external partner system that sends messages into PeopleSoft will need an allow-list entry rather than a blanket block.
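The following is an added example of mitigation step 3, not Oracle's or Mandiant's configuration. It assumes an nginx reverse proxy is the only internet-facing path to the PIA WebLogic listener (127.0.0.1:8000 here), and that 10.0.0.0/8 and 192.168.0.0/16 are the internal ranges whose Environment Management agents and Integration Broker peers legitimately reach the two paths; the hostname and certificate paths are placeholders.

```nginx
# Added example (not Oracle's or Mandiant's config). Assumed: nginx fronts the
# PIA listener on 127.0.0.1:8000; 10/8 and 192.168/16 are the internal ranges.
geo $pia_internal {
    default        0;
    10.0.0.0/8     1;
    192.168.0.0/16 1;
}

server {
    listen 443 ssl;
    server_name hr.example.edu;                   # placeholder
    ssl_certificate     /etc/nginx/tls/pia.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/pia.key;   # placeholder

    # Anchored, case-insensitive, and tolerant of ';' path parameters. nginx
    # matches on the decoded, normalized URI, so percent-encoding and dot
    # segments do not slip past it. This is still a Layer-7 rule, so it is a
    # complement to network-layer blocking, not a replacement for it.
    location ~* ^/PSEMHUB([/;]|$) {
        if ($pia_internal = 0) { return 403; }
        proxy_pass http://127.0.0.1:8000;
    }
    location ~* ^/PSIGW/HttpListeningConnector([/;]|$) {
        if ($pia_internal = 0) { return 403; }
        proxy_pass http://127.0.0.1:8000;
    }

    # Everything else (the /psp, /psc and /cs user-facing paths) is unaffected.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
    }
}
```

After reloading, `curl -i https://hr.example.edu/PSEMHUB/hub` from outside should return 403 while the same request from an internal range still reaches WebLogic. In multi-server PIA domains, where the hub typically runs as its own managed server on a separate port, a host-firewall rule on that port is the network-layer control Mandiant recommends; the proxy rule above is for single-server domains where the hub shares the PIA listener.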

Hunt for Signs of Compromise on Your Servers

If you suspect your PeopleSoft environment may have been targeted by the ShinyHunters Oracle PeopleSoft zero-day, check your servers for these indicators:

WebLogic access logs:

External POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector. Normal browser sessions never touch either path, so a POST from outside your own address ranges deserves a look on its own.

Unexpected files:

1. .jsp files under the PSEMHUB.war web application directory
2. Odd folders named logs, persistantstorage, or scratchpad under PSEMHUB paths

Recently changed files:

.xml files under the web doc root's envmetadata/data/environment (these can be abused for XMLDecoder persistence that fires on the next server restart)

Network traffic:

Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations (the exploit chain may use this to capture machine-account NetNTLM hashes)

Marker files:

Any file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT inside PeopleSoft directories
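The script below is an added example that turns the log, file and marker indicators above into a single hunt over a PIA host; it is not Oracle's, Mandiant's or the article's code. It assumes WebLogic access logs in Common Log Format (WebLogic's default), a standard PIA layout with PSEMHUB.war and PORTAL.war under applications/peoplesoft, RFC 1918 as the "internal" ranges, and a heuristic list of XMLDecoder gadget classes that never belong in environment-metadata XML. The sample log lines and the demo directory tree are constructed for the example.

```python
"""Hunt a PeopleSoft PIA host for the CVE-2026-35273 indicators listed above.

Added example, not Oracle's, Mandiant's or the article's code. Assumed: CLF
access logs, a standard PIA tree, RFC 1918 as "internal", and a heuristic
gadget-class list. Sample log lines and the demo tree are constructed.
"""
import ipaddress
import os
import re
import tempfile
import time
from pathlib import Path

# Common Log Format: client ident user [time] "method target protocol" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
WATCHED = {"/psemhub/hub", "/psigw/httplisteningconnector"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SUSPECT_DIRS = {"logs", "persistantstorage", "scratchpad"}  # spelling as reported
MARKER = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
XMLDECODER_GADGETS = ("java.lang.ProcessBuilder", "java.lang.Runtime",  # assumed heuristic
                      "javax.script.ScriptEngineManager", "java.io.FileOutputStream")

# Constructed sample. Line 3 carries servlet ';' path parameters that a naive
# substring match on "/PSEMHUB/hub" would miss; line 4 is an internal IB peer.
SAMPLE_LOG = [
    '10.20.30.40 - - [01/Jun/2026:09:14:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 48211',
    '203.0.113.7 - - [02/Jun/2026:03:41:17 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 612',
    '198.51.100.9 - - [02/Jun/2026:03:41:20 +0000] "POST /PSEMHUB;x/hub;jsessionid=abc HTTP/1.1" 200 612',
    '192.168.4.12 - - [02/Jun/2026:03:42:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1203',
    '203.0.113.7 - - [02/Jun/2026:03:43:09 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 88',
]

def normalize_path(target):
    """Strip the query string and ';name=value' path parameters, then lower-case,
    so the comparison sees the path the servlet container actually routes on."""
    path = target.split("?", 1)[0]
    return re.sub(r";[^/]*", "", path).lower()

def is_internal(client):
    """True for RFC 1918 sources; hostnames or junk are treated as external."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def hunt_access_log(lines):
    """Return (client, target, status) for every external POST to a watched path."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        if method.upper() == "POST" and normalize_path(target) in WATCHED and not is_internal(client):
            hits.append((client, target, int(status)))
    return hits

def hunt_filesystem(pia_root, max_age_days=30, now=None):
    """Walk a PIA domain tree and return sorted (indicator, path) findings."""
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    findings = []
    for dirpath, dirnames, filenames in os.walk(str(pia_root)):
        rel = Path(dirpath).relative_to(pia_root).as_posix()
        in_hub = any("PSEMHUB" in part for part in rel.split("/"))
        in_env = rel.endswith("envmetadata/data/environment")
        for d in dirnames:
            if in_hub and d.lower() in SUSPECT_DIRS:
                findings.append(("suspect-dir", os.path.join(dirpath, d)))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if f == MARKER:
                findings.append(("marker-file", full))
            if in_hub and f.lower().endswith(".jsp"):
                findings.append(("jsp-in-psemhub", full))
            if in_env and f.lower().endswith(".xml"):
                if os.path.getmtime(full) >= cutoff:
                    findings.append(("recent-env-xml", full))
                if any(g in Path(full).read_text(errors="replace") for g in XMLDECODER_GADGETS):
                    findings.append(("xmldecoder-gadget", full))
    return sorted(findings)

def build_demo_tree():
    """Constructed fixture: a throwaway PIA-like tree seeded with one of each indicator."""
    root = Path(tempfile.mkdtemp(prefix="pia-demo-"))
    hub = root / "applications" / "peoplesoft" / "PSEMHUB.war"
    (hub / "persistantstorage").mkdir(parents=True)
    (hub / "cmd.jsp").write_text("<%-- web shell stand-in --%>")
    portal = root / "applications" / "peoplesoft" / "PORTAL.war"
    env = portal / "envmetadata" / "data" / "environment"
    env.mkdir(parents=True)
    (env / "PSFT_HR.xml").write_text('<java class="java.beans.XMLDecoder"><object class="java.util.HashMap"/></java>')
    old = time.time() - 400 * 86400  # benign file, untouched for over a year
    os.utime(env / "PSFT_HR.xml", (old, old))
    (env / "svc.xml").write_text('<java class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"/></java>')
    (portal / MARKER).write_text("")
    return root

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_LOG):
        print("external POST to watched endpoint:", hit)
    for kind, path in hunt_filesystem(build_demo_tree()):
        print(f"{kind:18} {path}")
```

On a real host, feed `hunt_access_log` the lines of the PIA managed server's access.log and point `hunt_filesystem` at the PIA domain directory. Two design points matter: the path comparison strips `;` path parameters and lower-cases, because a grep for the literal string `/PSEMHUB/hub` misses requests a servlet container will happily route; and the envmetadata check flags gadget classes rather than the XMLDecoder root element, since PeopleSoft's own environment files are XMLEncoder output and would otherwise all light up. The outbound SMB indicator is a network-side check and is not covered here.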

Apply the Official Patch to Every Server

Oracle's advisory points to a patch availability document behind a support login. Whether a full fix is broadly available for all affected versions is unclear.

Check My Oracle Support for the update corresponding to your PeopleTools version. Apply it to every PeopleSoft server as soon as you confirm it's available.

What Comes Next

As noted above, ShinyHunters says victim outreach has only just started, and most of the organizations it claims have not been posted yet.

That means more breaches will become public. More universities, more data, more extortion demands.

The ShinyHunters Oracle PeopleSoft zero-day is a reminder that on-premises enterprise software isn't safer than cloud services. It just has different attack surfaces. And when a zero-day hits a platform like PeopleSoft, the window between exploitation and disclosure can be weeks.

Lock down your PSEMHUB endpoints on every server. Hunt for the indicators above. And watch the leak sites.

Because the next batch of victim names could include your organization.

FAQ Section

What is the ShinyHunters Oracle PeopleSoft zero-day?

It's a campaign in which the ShinyHunters extortion group exploited CVE-2026-35273, a then-unpatched remote code execution vulnerability in Oracle PeopleSoft, to steal data from universities and other organizations.

What is CVE-2026-35273?

CVE-2026-35273 is a remote code execution vulnerability in PeopleSoft Enterprise PeopleTools, affecting the Environment Management Hub (PSEMHUB) component. It has a CVSS score of 9.8 and requires no authentication or user interaction.

Which versions of PeopleTools are affected?

Oracle lists PeopleTools 8.61 and 8.62 as affected. Earlier, unsupported versions are likely vulnerable as well.

Which organizations were hit hardest?

Universities. Sixty-eight percent of the vulnerable organizations Mandiant notified were in higher education, most of them in the United States.

Is there a patch available for my PeopleSoft server?

Oracle released an advisory on June 10 that points to a patch-availability document on My Oracle Support. Confirm there whether a fix exists for your PeopleTools version; the advisory's primary guidance currently focuses on mitigation.

How do I protect my PeopleSoft server?

Disable the Environment Management Hub service, remove the PSEMHUB application, or block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter. Then hunt for the indicators of compromise listed above on every server.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067