A critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools has been exploited by cybercrime syndicate ShinyHunters. The automated campaign has compromised hundreds of instances, exposing sensitive administrative records and student databases.
In a major cybersecurity development during June 2026, threat intelligence groups linked the prolific cybercrime syndicate ShinyHunters to a large-scale zero-day exploitation campaign against Oracle PeopleSoft environments. Tracked by Mandiant as UNC6240, the group exploited a critical, previously unpatched vulnerability, CVE-2026-35273, a remote code execution flaw in the PeopleTools Environment Management component carrying a CVSS score of 9.8. Exploitation began in late May 2026 and ran for roughly two weeks before Oracle released an out-of-band security advisory on June 10, 2026, urging customers to apply the security update immediately.
This automated campaign has compromised over 300 PeopleSoft instances across more than 100 target organizations globally. The threat actors used scanning scripts to detect vulnerable Environment Management Hub endpoints, executing commands to gain full control of the servers. Security researchers observed the attackers deploying web shells and specialized remote management agents to maintain persistent access and exfiltrate databases. The higher education sector was disproportionately targeted, with universities representing a significant portion of the victims, leading to the theft of personal, academic, and financial records.
- Critical Flaw: Tracked as CVE-2026-35273, the zero-day vulnerability in Oracle PeopleTools features a CVSS score of 9.8, allowing unauthenticated remote code execution.
- Threat Syndicate: The campaign is linked to ShinyHunters (UNC6240), a threat group active since 2019, known for high-profile database exfiltrations and dark web listings.
- Broad Impact: Over 300 PeopleSoft instances across 100-plus global organizations were compromised, with academic institutions representing approximately 68 percent of victims.
- Nottingham Breach: The University of Nottingham confirmed a breach on June 9, 2026, resulting in the theft of 40 gigabytes of data and 455,000 student and alumni records.
- Immediate Action: CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, which obliges US federal civilian agencies to remediate it by a set deadline; administrators everywhere are urged to apply the patch and isolate vulnerable endpoints.
The PeopleSoft Zero-Day Campaign: Unveiling CVE-2026-35273
The campaign targeting Oracle PeopleSoft centers on a critical flaw in the PeopleTools platform, which forms the infrastructure for PeopleSoft applications. Tracked as CVE-2026-35273, this vulnerability represents an unauthenticated remote code execution vulnerability. Specifically, the flaw exists in the Environment Management Hub component, which is responsible for tracking configuration details across PeopleSoft instances. Because the component failed to validate incoming HTTP requests properly, attackers were able to send crafted payloads to execute commands on the server without providing valid administrative credentials.
The severity of the vulnerability is indicated by its CVSS score of 9.8 out of 10.0, highlighting its ease of exploitation and high potential impact. The exploit window began around May 27, 2026, when security firms detected automated scanning for Environment Management Hub endpoints. Attackers scanned public IP ranges to identify vulnerable instances, executing commands to deploy web shells within minutes of discovery. Oracle was notified of the active exploitation, leading to the release of an out-of-band security advisory on June 10, 2026, detailing the vulnerability and providing emergency patches.
The out-of-band advisory underscores the threat to organizations using PeopleTools versions 8.61 and 8.62. Typically, Oracle releases patches during its quarterly Critical Patch Update cycle, but the active exploitation of a 9.8 CVSS zero-day required immediate action. Oracle urged system administrators to apply the security updates, emphasizing the risk of leaving endpoints exposed. For organizations unable to patch immediately, security experts recommended restricting network access to the PSEMHUB service to prevent external exploitation. The official security advisory warning from Oracle outlines the urgency:
“Oracle has received reports of active, in-the-wild exploitation of CVE-2026-35273. Because this vulnerability is remotely exploitable without credentials, we urge customers to apply the security update immediately. Leaving the Environment Management Hub unpatched exposes administrative servers to full compromise.”
— Oracle Security Team, Out-of-Band Security Alert, June 10, 2026
The zero-day status of CVE-2026-35273 allowed attackers to compromise a significant number of installations before detection. Organizations that relied on standard network perimeter controls were vulnerable if their PeopleSoft administration components were reachable from the internet. The campaign highlights the risk of exposed administrative utilities such as the hub, which are often overlooked compared to the primary web application. Remediation requires applying the patch and reviewing system logs for signs of compromise.
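As an added example of the network restriction recommended above (not configuration from Oracle or from the article), the following nginx fragment fronts the PeopleSoft Pure Internet Architecture (PIA) web server and denies the PSEMHUB application to everyone except an administrative subnet and the application-server and Process Scheduler hosts whose EMF agents need the hub. The upstream address, hostname, certificate paths and both subnets are assumed values. The hub is deployed as a web application on the PIA server rather than on its own port, so the restriction is applied at the path level; restricting the PIA port alone would also cut off ordinary users.

```nginx
# Added example, not Oracle's or the article's configuration.  Assumed values:
# PIA listener 10.20.1.10:8000, admin subnet 10.20.0.0/24, and 10.20.2.0/24 for
# the application-server / Process Scheduler hosts running psemagent.
upstream pia_backend {
    server 10.20.1.10:8000;
}

server {
    listen 443 ssl;
    server_name hr.example.edu;
    ssl_certificate     /etc/nginx/tls/hr.example.edu.crt;
    ssl_certificate_key /etc/nginx/tls/hr.example.edu.key;

    # Environment Management Hub: administrators and EMF agents only.
    # A case-insensitive regex location wins over the "/" prefix below and
    # also catches /psemhub/ spelled in any case.
    location ~* ^/PSEMHUB/ {
        allow 10.20.0.0/24;   # admin workstations
        allow 10.20.2.0/24;   # hosts whose psemagent must reach the hub
        deny  all;            # everyone else gets 403 before PIA sees the request
        proxy_pass http://pia_backend;
    }

    # The user-facing PIA stays reachable as before.
    location / {
        proxy_pass http://pia_backend;
    }
}
```

This only helps if the WebLogic listener itself is firewalled so that only the proxy can reach it; otherwise a client can bypass nginx and hit the hub directly. A quick check from an external host is `curl -sk -o /dev/null -w '%{http_code}' https://hr.example.edu/PSEMHUB/hub`, which should print 403. Where no agent needs the hub on an internet-facing domain, undeploying PSEMHUB from that PIA domain removes the exposure entirely.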
ShinyHunters (UNC6240): The Threat Group's Evolving Playbook
The threat group responsible for the campaign is ShinyHunters, a cybercrime syndicate tracked by Mandiant as UNC6240. Active since 2019, ShinyHunters has established a reputation as a prolific data exfiltration group, targeting large corporate entities to steal consumer databases and sell them on dark web forums. The group was linked to the high-profile 2024 Ticketmaster and Santander Bank breaches, which involved the compromise of client data stored on the Snowflake cloud platform. In those cases, the group obtained credentials to access corporate databases, exfiltrating terabytes of customer records.
However, the Oracle PeopleSoft campaign represents a shift in the group's tactics. Instead of relying on stolen credentials or credential stuffing, the group exploited a zero-day vulnerability to compromise servers. This shift indicates a higher level of technical capability: the group now identifies or acquires software flaws and weaponizes them, rather than waiting for credential leaks. Using automated scripts, ShinyHunters scanned the internet for exposed PSEMHUB endpoints and executed commands to deploy backdoors. This transition from credential abuse to zero-day exploitation highlights the group's development of custom tooling:
Threat Actor Intel: ShinyHunters (UNC6240): Active since 2019, ShinyHunters has transitioned from database brokering to automated zero-day campaigns. Their use of custom zero-days, open-source administrative tools like MeshCentral, and automated exploit chains allows them to compromise hundreds of targets rapidly, challenging traditional detection methods.
The group's operational infrastructure was partially exposed in early June 2026. Security researchers discovered an unsecured directory on a staging server used by the group. This exposure allowed analysts to retrieve tools, attack scripts, and databases containing information on compromised instances. The discovery confirmed that the group was running automated campaigns, using scripts to scan, compromise, and log vulnerable PeopleSoft servers. The exposed data helped security firms identify victims and issue warnings, but not before the group exfiltrated databases from compromised servers.
The evolution of ShinyHunters shows the growing capability of financial extortion syndicates. By acquiring zero-day exploits, these groups can bypass traditional security defenses, compromising targets without relying on user interaction or credential leaks. This forces organizations to adopt proactive threat hunting and rapid patch deployment to defend against automated campaigns.
Higher Education Under Fire: The Impact on Academic Institutions
The higher education sector was a primary target of the campaign. Mandiant reported that of the 100-plus compromised organizations, approximately 68 percent were universities and colleges. This targeting is due to the widespread use of PeopleSoft Campus Solutions by academic institutions to manage student records, financial aid, and admissions. Because these platforms hold sensitive personal and financial data, they are valuable targets for extortion. The lack of dedicated security staff at some institutions also contributed to the rate of compromise.
A notable victim was the University of Nottingham, which confirmed a security breach on June 9, 2026. The institution identified unauthorized activity on its systems, which was traced to the exploitation of CVE-2026-35273. The attackers exfiltrated approximately 40 gigabytes of data, containing personal records for 455,000 students and alumni. The university took immediate steps to secure its systems, notifying the Information Commissioner's Office and Action Fraud, and initiating a forensic investigation to determine the extent of the compromise.
The exfiltrated Nottingham database was listed on a dark web forum, with the attackers demanding a ransom to prevent its release. The leaked records contained detailed personal and academic profiles, including student names, physical addresses, telephone numbers, and email accounts. Additionally, the database held passport details, demographic data, and fee payment history. The exposure of this information creates risks for those affected, including targeted phishing campaigns and identity theft, prompting the university to establish support services for students and alumni.
The impact of the Nottingham breach highlights the risks to the education sector. Universities handle large volumes of personal and financial data, but their IT systems are often complex and decentralized, making consistent security configuration difficult. The targeting of PeopleSoft Campus Solutions shows how attackers focus on industry-specific platforms to maximize impact, forcing institutions to review their vulnerability management and incident response plans.
Attack Lifecycle and Persistence: Inside the Technical Mechanics
The technical analysis of the campaign reveals a structured attack lifecycle. Once the automated scripts identified a vulnerable Environment Management Hub endpoint, they executed commands to download a payload. The attackers deployed web shells to execute commands and upload files. To maintain access, the threat actors deployed agents from the open-source MeshCentral management platform. These agents were configured as system services, often disguised as legitimate Microsoft Azure services to evade security monitoring.
The MeshCentral agents connected to a command-and-control server at `azurenetfiles.net`. This domain was registered by the attackers to mimic legitimate cloud services, minimizing the risk of outbound traffic being blocked. Using this channel, the attackers executed administrative commands, monitored system activity, and transferred data. The use of legitimate administrative tools like MeshCentral allowed the threat actors to blend in with normal traffic, bypassing security systems that monitor for malicious software.
For lateral movement, the attackers used custom shell scripts, such as `uon_fanout.sh`. These scripts automated the extraction of credentials and configuration details from the compromised server. The attackers targeted files like `psappsrv.cfg`, which contain connection details and credentials for the underlying database server. By extracting these credentials, the threat actors gained access to the primary database, exfiltrating records and preparing for extortion. The speed of this process is noted by Mandiant's response team:
“The automated scale of this campaign represents a significant shift for ShinyHunters. By exploiting a critical zero-day in PeopleSoft, they were able to compromise hundreds of systems before the security community could respond. The use of legitimate administrative tools for persistence allowed them to remain undetected for weeks.”
— Mandiant Incident Response Architect, Threat Briefing, June 2026
The use of automated scripts for lateral movement allowed the attackers to compromise databases within hours of initial access. This rapid progression highlights the need for quick detection and response, as traditional weekly scanning schedules are insufficient against automated campaigns. Organizations must monitor for suspicious shell script execution and unauthorized outbound connections to C2 domains.
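The credential-harvesting step described above targets `psappsrv.cfg`, whose `[Startup]` section holds the database name and the user and connect IDs and passwords the application server uses. The script below is an added example for this article (not Oracle's tooling and not code recovered from the campaign) that audits such a file for two things an attacker with a web shell benefits from: passwords left in plaintext rather than wrapped by PSCipher, and file permissions that let any local account read the file. It assumes the standard INI-style layout, that PSCipher output carries a `{V1.1}` or `{V2.1}` prefix, and the sample configuration is constructed. Note that even an encrypted value is only as safe as the `psvault` key file on the same host, so the permission check matters regardless of encryption.

```python
"""Audit a PeopleSoft application-server configuration (psappsrv.cfg) for
plaintext database credentials and loose file permissions.

Added example for this article; it is not Oracle's tooling and not code
recovered from the campaign.  Assumptions: the standard psappsrv.cfg layout
(INI-style, ';' comments, a [Startup] section holding DBName/DBType/UserId/
UserPswd/ConnectId/ConnectPswd), and that passwords encrypted with PSCipher
carry a "{V1.1}" or "{V2.1}" prefix.  SAMPLE_CFG is constructed.
"""
import configparser
import os
import stat
import tempfile

PASSWORD_KEYS = ("UserPswd", "ConnectPswd")
CIPHER_PREFIXES = ("{V1.1}", "{V2.1}")   # PSCipher markers (assumption: these two)

# Constructed sample: one password PSCipher-wrapped, one left in plaintext.
SAMPLE_CFG = """\
; constructed sample, not a real domain's file
[Domain Settings]
Domain ID=HRPRD
[Startup]
DBName=HRPRD
DBType=ORACLE
UserId=PS
UserPswd=PS
ConnectId=people
ConnectPswd={V2.1}w4Kq9nVx2sFz1LhY7mQeTg==
ServerName=
[Security]
Validate Signon with Database=N
"""


def parse_psappsrv(path):
    """Parse psappsrv.cfg, preserving key case and tolerating '%' in values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep "UserPswd" rather than lower-casing it
    with open(path, encoding="utf-8", errors="replace") as fh:
        cp.read_file(fh)
    return cp


def audit_psappsrv(path):
    """Return a list of findings (empty list = nothing flagged)."""
    findings = []
    cp = parse_psappsrv(path)
    if not cp.has_section("Startup"):
        return ["no [Startup] section: not a psappsrv.cfg?"]
    startup = cp["Startup"]
    for key in PASSWORD_KEYS:
        value = startup.get(key, "").strip()
        if value and not value.startswith(CIPHER_PREFIXES):
            findings.append(f"[Startup] {key} is stored in plaintext")
    # Anyone who can read the file can take the credentials (or the PSCipher
    # blob, which the psvault key on the same host decrypts), so the file
    # should be readable by the domain owner only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file is group/world readable (mode {mode:04o})")
    return findings


def _write_sample(mode):
    """Write the constructed sample to a temp file with an explicit mode."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CFG)
    os.chmod(path, mode)
    return path


def demo():
    """Audit the constructed sample twice: world-readable, then owner-only."""
    loose, tight = _write_sample(0o644), _write_sample(0o600)
    try:
        return audit_psappsrv(loose), audit_psappsrv(tight)
    finally:
        os.remove(loose)
        os.remove(tight)


if __name__ == "__main__":
    for label, result in zip(("mode 0644", "mode 0600"), demo()):
        print(label, result or "clean")
```

Run it against every `psappsrv.cfg` (and `psprcs.cfg`, which carries the same `[Startup]` keys) on application-server and Process Scheduler hosts; a plaintext finding means the database credentials must be rotated after any suspected web-shell deployment, not merely re-encrypted.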
Vulnerability Matrix: Comparing Major Software Exploits
The exploitation of CVE-2026-35273 highlights a trend of threat groups targeting critical enterprise infrastructure. Comparing this PeopleSoft vulnerability with other recent software exploits illustrates its severity. While some campaigns, like the 2024 Snowflake breaches, relied on credential reuse and misconfigurations, the PeopleSoft campaign used a zero-day vulnerability to gain remote code execution, similar to the Log4Shell exploit of 2021.
Vulnerability severity is measured by the Common Vulnerability Scoring System. The 9.8 CVSS score of CVE-2026-35273 puts it in the critical category, indicating ease of exploitation and high potential impact. Unlike Citrix Bleed, which allowed session hijacking by exploiting memory disclosure, the PeopleTools flaw provides direct command execution, giving attackers immediate system access. This highlights the risk of Environment Management components, which run with elevated privileges to manage configurations.
The table below compares the PeopleSoft zero-day with other major software exploits, illustrating the difference in initial vectors, target software, and threat actor profiles:
| Exploit Name & CVE Reference | CVSS Score | Initial Access Vector | Primary Sector Impacted | Relative Severity |
|---|---|---|---|---|
| Oracle PeopleTools (CVE-2026-35273) | 9.8 | Environment Management Hub RCE zero-day | Higher Education & Public Sector | ▲ Leading |
| Log4Shell (CVE-2021-44228) | 10.0 | Log4j JNDI lookup RCE injection | Global Cloud Services & Enterprise IT | ▲ Leading |
| Citrix Bleed (CVE-2023-4966) | 9.4 | Gateway appliance buffer over-read (session token leak) | Financial Services & Legal Sector | ≈ Parity |
| Snowflake customer breaches (2024 campaign) | N/A (no CVE) | Stolen credentials on accounts without MFA | Retail, Entertainment & Commercial Banking | ▼ Behind |
The comparison shows that the PeopleSoft zero-day ranks among the most critical exploits of recent years, combining direct remote code execution with concentrated targeting of one sector. The chart accompanying this section breaks the compromised organizations down by sector, based on Mandiant's investigations, with higher education at roughly 68 percent.
Remediation Checklist: Securing PeopleTools Environments
Remediation of the PeopleSoft vulnerability requires a coordinated response to secure systems and detect potential indicators of compromise. The first step is to apply the security patches provided in Oracle's June 10, 2026, security alert. Because the vulnerability resides in the core PeopleTools infrastructure, the update must be applied to all affected environments, including development, testing, and production servers. For environments that cannot be patched immediately, administrators should isolate the Environment Management Hub by restricting external access to the PSEMHUB web application.
In addition to patching, administrators must audit their systems for indicators of compromise. This audit should check for unauthorized scripts, web shells, or agents. The threat actors used open-source management tools to maintain access, making detection difficult if the tools are not flagged as malicious. Administrators should review logs for outbound connections to command-and-control domains and check for ransom files. System logs should also be analyzed for unauthorized connections to PSEMHUB endpoints.
The persistence and exfiltration methods observed during the campaign are summarized below:
- MeshCentral Agent Masquerading: Attackers deployed MeshCentral agents configured to run as system services, disguised as Microsoft Azure features.
- AzureNetFiles C2 Traffic: Compromised instances communicated with the command-and-control server at `azurenetfiles.net` to receive instructions.
- Lateral Movement Scripts: Shell scripts, such as `uon_fanout.sh`, were executed to automate the extraction of credentials and configuration details.
The exfiltrated databases contained sensitive personal, academic, and financial records. To evaluate the impact of a potential compromise, administrators should note the primary data categories targeted by the attackers:
- Student Personal Data: Full names, physical addresses, telephone contacts, and email addresses.
- Government Identifiers: Passport numbers and other government-issued identification details.
- Demographic Information: Ethnicity, disability indicators, and gender designations.
- Financial Transactions: Fee payment records, bank account details, and tuition invoice details.
To secure PeopleTools environments and verify system integrity, administrators should follow this remediation checklist:
- Deploy Oracle Patches: Apply the security updates for CVE-2026-35273 to all PeopleTools environments.
- Isolate PSEMHUB Endpoints: Restrict network access to the Environment Management Hub so that only administrative hosts and the EMF agents on application-server and Process Scheduler hosts can reach the PSEMHUB application, and undeploy it from internet-facing web servers where it is not needed.
- Audit System Processes: Scan for unauthorized processes, specifically checking for open-source remote management tools.
- Analyze Outbound Connections: Monitor network logs for outbound traffic to known command-and-control domains.
- Verify File Integrity: Scan system directories for ransom files, such as `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`, and unauthorized shell scripts.
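The three audit items above (processes, outbound connections, files on disk) can be run as one hunt. The script below is an added example for this article, not Mandiant's or Oracle's detection content: it checks a service inventory for MeshCentral agents and Azure-named services running from staging directories, a proxy log for connections to `azurenetfiles.net` or any of its subdomains, and a file listing for `uon_fanout.sh` and the ransom note. The domain, script name and note name come from the article; the `meshagent` binary name, the staging-directory heuristic and the proxy-log format are assumptions, and every sample record is constructed.

```python
"""Hunt for the persistence and command-and-control indicators the article
attributes to this campaign: MeshCentral agents registered as Azure-looking
services, traffic to azurenetfiles.net, and the uon_fanout.sh script and
ransom note on disk.

Added example for this article; it is not Mandiant's or Oracle's detection
content.  The domain, script name and ransom-note name are taken from the
article; the "meshagent" binary name, the staging-directory heuristic and the
proxy-log format are assumptions, and all sample records are constructed.
"""
import os
import re
from dataclasses import dataclass

C2_DOMAINS = {"azurenetfiles.net"}
IOC_FILENAMES = {"README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT", "uon_fanout.sh"}
MESH_BINARY = re.compile(r"meshagent", re.IGNORECASE)  # assumption: default agent name
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "\\temp\\")

# Constructed proxy-log format: "<ts> <src-ip> <method> <host>[:port] <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>[^:\s]+)(?::\d+)?\s+(?P<status>\d+)$"
)


@dataclass
class Service:
    name: str     # display/service name as registered
    binary: str   # path of the executable the service runs


def suspicious_services(services):
    """Flag MeshCentral binaries and Azure-named services run from staging dirs."""
    hits = []
    for svc in services:
        path = svc.binary.lower()
        if MESH_BINARY.search(path):
            hits.append((svc.name, "MeshCentral agent binary"))
        elif "azure" in svc.name.lower() and any(d in path for d in STAGING_DIRS):
            hits.append((svc.name, "Azure-named service running from a staging directory"))
    return hits


def c2_connections(log_lines):
    """Return (source, host) pairs for connections to the C2 domain or its subdomains."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than abort the hunt
        host = m["host"].lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append((m["src"], host))
    return hits


def ioc_files(paths):
    """Return paths whose file name matches a known artefact, on either path style."""
    return [p for p in paths if os.path.basename(p.replace("\\", "/")) in IOC_FILENAMES]


# --- constructed sample data -------------------------------------------------
SAMPLE_SERVICES = [
    Service("psappsrv", "/opt/psft/pt/bin/psappsrv"),
    Service("Azure Guest Agent Helper", "/var/tmp/.azure/meshagent"),
    Service("Azure Update Service", "/var/tmp/.cache/azsvc"),
    Service("Azure Monitor Agent", "/opt/microsoft/azuremonitoragent/bin/amacoreagent"),
]
SAMPLE_PROXY_LOG = [
    "2026-06-03T10:15:22Z 10.0.5.21 CONNECT azurenetfiles.net:443 200",
    "2026-06-03T10:15:40Z 10.0.5.21 GET updates.oracle.com:443 200",
    "2026-06-03T10:16:02Z 10.0.5.33 CONNECT cdn.azurenetfiles.net:443 200",
    "not a log line",
]
SAMPLE_FILES = [
    "/home/psadm2/psft/pt/8.61/appserv/HRPRD/psappsrv.cfg",
    "/tmp/uon_fanout.sh",
    "C:\\Users\\Public\\README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
]


def hunt(services=SAMPLE_SERVICES, log_lines=SAMPLE_PROXY_LOG, paths=SAMPLE_FILES):
    """Run all three checks and return the hits grouped by category."""
    return {
        "services": suspicious_services(services),
        "c2": c2_connections(log_lines),
        "files": ioc_files(paths),
    }


if __name__ == "__main__":
    for category, hits in hunt().items():
        print(f"{category}: {hits}")
```

Feed `hunt()` real inventories (for example the output of `systemctl list-units --type=service` or `Get-Service` resolved to binary paths, the proxy or DNS logs for the PeopleSoft network segment, and a recursive file listing of the PIA and application-server hosts). The subdomain match matters because a C2 domain is rarely contacted by its apex name alone, and the file check matches on the name only, so a hit is a trigger for forensic preservation of the host, not proof by itself.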
Conclusion: The Imperative of Rapid Vulnerability Response
The zero-day exploitation of CVE-2026-35273 by ShinyHunters highlights the challenge of defending enterprise software against automated campaigns. By targeting the Environment Management Hub component of Oracle PeopleTools, the attackers bypassed traditional defenses, compromising hundreds of installations before patches were available. The targeting of the higher education sector, illustrated by the University of Nottingham breach, shows how cybercriminals focus on specific platforms to maximize impact and extortion leverage. This requires organizations to prioritize vulnerability management and response capabilities.
Remediation requires applying the security updates and auditing systems for indicators of compromise. Additionally, the campaign shows the risk of exposing administrative utilities to the internet, emphasizing the need for network segmentation and monitoring. As threat groups acquire zero-day capabilities, defending enterprise environments requires rapid patch deployment and proactive monitoring. By securing endpoints and analyzing logs, organizations can reduce the risk of compromise and defend against automated extortion campaigns, protecting sensitive data assets.
Sources and References
- Oracle - Security Advisory and Patches for CVE-2026-35273: oracle.com
- CISA - Known Exploited Vulnerabilities Catalog updates: cisa.gov
- Mandiant - Google Cloud Threat Intelligence briefings: mandiant.com
- University of Nottingham - Official statements on the student records breach: nottingham.ac.uk