The global cybersecurity landscape was thrust into a state of high alert on June 10, 2026, following Oracle’s emergency release of an out-of-band security advisory addressing a devastating zero-day Oracle PeopleSoft vulnerability. Exploited in the wild over a multi-week campaign stretching from May 27 to June 9, 2026, this critical flaw has been actively leveraged by the notorious financially motivated threat group ShinyHunters (tracked by Google’s Mandiant as UNC6240). The threat group used the vulnerability to execute highly targeted ransomware-style data exfiltration and extortion attacks, with a disproportionate impact on global higher education institutions and large-scale enterprises.
As academic environments, HR networks, and enterprise payroll systems struggle to contain the fallout, threat intelligence agencies are piecing together the operational timeline of one of the most aggressive enterprise resource planning (ERP) targeting campaigns of the year. Through automated scanning and unauthenticated remote code execution (RCE) vectors, the attackers bypassed traditional perimeter defenses, compromising hundreds of environments and holding highly sensitive personal, academic, and financial datasets hostage.
Anatomy of CVE-2026-35273: Decoding the Oracle PeopleSoft Vulnerability
The root cause of this massive security crisis lies in CVE-2026-35273, a critical zero-day vulnerability residing in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. Carrying a near-perfect Common Vulnerability Scoring System (CVSS) severity score of 9.8 out of 10, the vulnerability represents the most dangerous class of software defect: an unauthenticated RCE that can be triggered remotely with zero user interaction.
The weakness is classified under the Common Weakness Enumeration as CWE-306 (Missing Authentication for Critical Function). In a standard PeopleSoft deployment, the Environment Management Framework (EMF) is used to gather, analyze, and manage configuration metrics across diverse server tiers (including file, web, application, and process scheduler servers). At the center of this framework is the Environment Management Hub (PSEMHUB), a web application that acts as a broker for communications between various local peers and agents (PSEMAgents).
The Oracle PeopleSoft vulnerability allows external, unauthenticated attackers to send specially crafted HTTP or HTTPS requests directly to exposed PSEMHUB endpoints. Because the application fails to validate the identity of these inbound requests, the PSEMHUB processes them with administrative system privileges, allowing the attacker to inject malicious commands and gain a complete system takeover. The vulnerable component ships in the supported PeopleTools versions 8.61 and 8.62, as well as in several legacy, unsupported versions that remain in production across thousands of organizations globally.
Industrialized Extortion: The ShinyHunters (UNC6240) Campaign
The threat actors of UNC6240 did not rely on complex, localized social engineering to exploit this flaw. Instead, they utilized highly optimized, automated network scanners to locate exposed PSEMHUB endpoints on the open web, treating complex ERP environments as low-hanging fruit. The campaign’s metrics underscore its unprecedented velocity and focus:
- Over 100 global organizations were identified by Google Threat Intelligence Group (GTIG) and Mandiant as having exposed, vulnerable IP addresses actively scanned or compromised during the window.
- Over 300 unique PeopleSoft instances across both cloud-hosted environments and on-premises physical infrastructures were claimed to be compromised by the attackers.
- 68% of all targeted entities belonged to the higher education and university sector, where PeopleSoft is the operational backbone for critical services like campus operations, student enrollment, grading, financial aid, and staff payroll.
- Stolen data began surfacing on the ShinyHunters Data Leak Site (DLS) on June 9, 2026, following failed private extortion negotiations where victim institutions were contacted via anonymous emails.
One prominent example of the campaign’s devastation is Nottingham University, which publicly acknowledged a major cybersecurity incident after the group exfiltrated more than 40 GB of highly confidential student records. These records reportedly included financial aid applications, immigration status documentation, health histories, and personal contact details. In compromised networks, administrators also discovered a standard extortion calling card: a text file deployed to internal file shares titled README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
The Threat Actor’s Playbook: Staging, Tooling, and Command History
In a rare operational blunder, the ShinyHunters actors exposed their staging and distribution infrastructure to the public web, allowing security researchers (including independent analyst @nahamike01) to flag open directories on the group’s staging hosts. Mandiant and GTIG immediately triaged five sequential IP addresses running lightweight Python-based SimpleHTTP servers on port 8888, which contained the threat actor’s core command history and customized malware toolkit.
Chronological Footprint via `.bash_history`
The exposed directories contained an identical shared .bash_history file, providing researchers with an unobstructed view of the attack infrastructure configuration.
On May 27, 2026, at exactly 22:14 UTC, the threat actors initialized their command-and-control (C2) staging servers by installing MeshCentral (version 1.1.59), an open-source remote monitoring and management platform. At 22:25 UTC, the group executed commands to install the acme-client utility via NPM, automating the acquisition of Let's Encrypt TLS certificates for their primary domain: azurenetfiles.net. On May 29, 2026, the actors verified their code-signing capabilities, checking for the presence of the authenticode npm module.
C2 Infrastructure and Custom Backdoors
To maintain persistent access across compromised Windows and Linux PeopleSoft servers, the attackers compiled customized MeshCentral remote management agents. To avoid analyst scrutiny and security operations center (SOC) alerts on unfamiliar process names, the agents were named to mimic legitimate Microsoft cloud processes:
- meshagent64-azure-ops.exe (SHA-256: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc)
- meshagent32-azure-ops.exe (SHA-256: c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f)
- meshagent64-v2.exe (SHA-256: d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f)
These agents were hardcoded to bypass conventional perimeter egress controls by establishing outbound WebSocket connections to the C2 server at wss://azurenetfiles.net:443/agent.ashx, leveraging port 443 to blend into normal encrypted web traffic.
Targeted Internal Reconnaissance and `meshctrl.js`
Once initial access was secured via the unauthenticated HTTP exploit, the attackers utilized MeshCentral’s command-line execution utility, meshctrl.js, to run highly targeted reconnaissance commands. The `.bash_history` files detailed the exact commands used to map the compromised internal environment:
```shell
# Execute baseline reconnaissance
hostname; id;
# Inspect configuration files to find database credentials and network architecture
cat /psoft/peoplesoft/cfg/psappsrv.cfg | grep -i "MachineName"
cat /psoft/peoplesoft/webserv/peoplesoft/config/config.xml
```
By parsing psappsrv.cfg (the Application Server domain configuration file, which also carries the database name and connect credentials) and the WebLogic domain's config.xml, the threat actors systematically extracted administrative machine names, active network ports, and internal IP subnets.
The Fanout Propagation Script
To automate their lateral movement, ShinyHunters deployed a customized shell script called [victim_abbreviation]_fanout.sh directly to the /tmp directories of infected servers. The script executed the following sequential routine:
- It parsed the local system's /etc/hosts file to identify adjacent internal server names that matched pre-defined naming conventions.
- It performed high-speed SSH credential spraying using a hardcoded list of common administrative usernames (including psoft, oracle, and linuxadm) coupled with default or reused enterprise passwords.
- Upon establishing a successful SSH connection to a neighboring server, the script automatically copied over the pre-configured MeshCentral agent and dropped the README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT extortion note.
Why Higher Education? The Hidden Risks of Academic ERP Deployments
The heavy targeting of academic institutions—accounting for over two-thirds of the total campaign volume—highlights a systemic vulnerability in the higher education sector. Unlike tightly regulated financial institutions, university networks are historically designed to facilitate open, decentralized access for students, researchers, and staff. This structural openness often results in “flat” internal network configurations, where a compromise of a public-facing web server allows an attacker to quickly pivot to highly sensitive internal administrative zones with minimal friction.
Furthermore, because PeopleSoft acts as a massive data aggregator on campuses, a single compromised instance grants access to a treasure trove of personally identifiable information (PII). For cybercriminals looking to maximize their extortion leverage, the immediate threat of leaking thousands of student records, financial aid databases, and faculty payroll information creates immense pressure on academic boards to meet ransom demands quickly.
Critical Defense: Mitigating CVE-2026-35273 and Hardening PSEMHUB
Because full, automated patches for all affected legacy and supported PeopleTools installations are still being finalized and distributed behind vendor portals, Oracle has urged immediate mitigation. Organizations must assume their networks have been scanned and actively audit their PeopleSoft infrastructure. Security teams are advised to implement the following immediate defense-in-depth measures:
1. Restrict and Lock Down PSEMHUB Endpoints
The most critical compensating control is to completely restrict external-facing access to the Environment Management Hub. Network administrators must modify their firewalls and reverse proxies to block external HTTP/HTTPS traffic targeting the PSEMHUB web application directories. In WebLogic and WebSphere environments, ensure the hub is strictly bound to internal, trusted management subnets or accessible only via a secure VPN.
2. Audit Configuration and Allowed Hosts
Review the allowedhost.properties configuration file, typically located in the following relative directory path:
PIA_HOME/webserv/peoplesoft/applications/peoplesoft/PSEMHUB.war/envmetadata/config/allowedhost.properties
Ensure that only trusted administrative IP addresses are allowlisted, and remove the default wildcard entries and any local loopback entries that are not needed, since a loopback entry lets any process that lands on the web server reach the hub. Additionally, locate the configuration.properties file and evaluate settings for recrawlinterval and revalidateinterval. If the Environment Management Framework is not actively required for ongoing deployments, consider disabling the service entirely.
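The review described above can be scripted. The block below is an added example, not Oracle's tooling and not code from the page: it treats allowedhost.properties as a plain Java .properties file whose values name the hosts or CIDR ranges permitted to reach the hub, and checks each value against a trusted management subnet. The key names, the sample file contents and the 10.20.0.0/24 admin subnet are assumptions, since the page does not reproduce the real file's layout; adjust the trusted networks to your own management ranges.

```python
"""Audit allowedhost.properties entries against a trusted management subnet.
Added example; the key names, sample content and admin subnet are assumed."""
import ipaddress

TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin subnet
# Values that would admit every host; the exact spellings accepted by the
# hub are not documented on the page, so this list is an assumption.
WILDCARDS = {"*", "0.0.0.0", "0.0.0.0/0", "::", "::/0", "any", "all"}


def parse_properties(text):
    """Minimal .properties reader: skips blank lines and '#'/'!' comments and
    splits each remaining line on the first '='. A bare line with no '=' is
    kept as a value with an empty key so it is still audited."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip()) if sep else ("", line))
    return entries


def classify(value, trusted=TRUSTED_ADMIN_NETS, allow_loopback=False):
    """Label one entry: wildcard, loopback, trusted, untrusted or hostname.
    A range is 'trusted' only if it lies entirely inside a trusted network,
    so an over-broad private range such as 10.0.0.0/8 is still flagged."""
    if value.lower() in WILDCARDS:
        return "wildcard"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "hostname"  # needs DNS resolution; review by hand
    if net.is_loopback:
        return "loopback" if allow_loopback else "loopback-unneeded"
    if any(net.version == t.version and net.subnet_of(t) for t in trusted):
        return "trusted"
    return "untrusted"


def audit(text, **kw):
    """Return (key, value, label) for every entry that is not 'trusted'."""
    findings = []
    for key, value in parse_properties(text):
        label = classify(value, **kw)
        if label != "trusted":
            findings.append((key, value, label))
    return findings


# Constructed sample; not a real PeopleSoft file.
SAMPLE = """\
# hosts allowed to talk to PSEMHUB
allowedhost.1=*
allowedhost.2=10.20.0.15
allowedhost.3=127.0.0.1
allowedhost.4=10.0.0.0/8
allowedhost.5=203.0.113.40
allowedhost.6=psbuild01.example.edu
"""

if __name__ == "__main__":
    for key, value, label in audit(SAMPLE):
        print(f"{label:18} {key} = {value}")
```

Run against the real file (after backing it up) by replacing SAMPLE with its contents; anything labelled wildcard or untrusted should be removed, loopback entries kept only if a local agent genuinely needs them, and hostnames resolved and re-checked as addresses.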
3. Conduct Threat Hunting and Log Analysis
Security Operations Centers (SOCs) should immediately run threat-hunting queries against WebLogic access logs, looking for GET/POST requests to the PSEMHUB context root that arrive from any address outside the management network (the hub performs no authentication of its own, so every such request is of interest regardless of the response status). Key indicators of compromise (IOCs) that require immediate isolation and incident response procedures include:
- Connections from Known Attacker IPs: Audit firewall logs for inbound connections from 142.11.200.186 through 142.11.200.190, 108.174.202.99, and 176.120.22.24.
- Outbound C2 Traffic: Monitor DNS and proxy logs for any resolution of azurenetfiles.net, and for outbound WebSocket (wss://) connections to that host on port 443, which the agents use to reach /agent.ashx.
- Suspicious Local Files: Search all PeopleSoft web server directories and system /tmp paths for execution scripts resembling *_fanout.sh or the presence of the README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT extortion file.
- Account Monitoring: Monitor and alert on failed or successful authentication attempts to default administrative accounts (such as psoft, oracle, and linuxadm), especially via SSH, and in particular on a burst of failures against several of these accounts from one source followed by a success.
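The hunting queries above, carried through on sample logs. This is an added example, not part of the advisory and not Mandiant/GTIG tooling; the only indicators it uses are the addresses, domain, usernames and file names quoted on this page. All log lines are constructed samples (an Apache/WebLogic common-format access log, a Squid-style proxy log and OpenSSH auth.log entries). The servlet path /PSEMHUB/hub and the 10.20.0.0/16 management subnet are assumptions; substitute your own hub path and admin ranges.

```python
"""Threat-hunting helper for the PSEMHUB / ShinyHunters IOCs listed above.
Added example with constructed log samples; hub path and subnet are assumed."""
import fnmatch
import ipaddress
import os
import re

# IOCs quoted in the article
ATTACKER_IPS = {"108.174.202.99", "176.120.22.24"} | {f"142.11.200.{i}" for i in range(186, 191)}
C2_DOMAIN = "azurenetfiles.net"
SPRAY_USERS = {"psoft", "oracle", "linuxadm"}
FILE_PATTERNS = ("*_fanout.sh", "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT")
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/16")]  # assumed management subnet

# client - - [timestamp] "METHOD path proto" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# sshd: "Failed|Accepted password for [invalid user ]<user> from <ip> port N ssh2"
SSH_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")


def hunt_psemhub_access(lines):
    """Flag hub requests from a known attacker IP or from anywhere outside the
    management subnet; the response status is reported but never used to
    filter, since a 403 from an attacker IP is still a scan worth knowing about."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m.group(4).upper().startswith("/PSEMHUB"):
            continue
        client, ts, method, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            addr = None  # hostname in the client field; treat as untrusted
        if client in ATTACKER_IPS:
            reason = "known attacker IP"
        elif addr is None or not any(addr in n for n in TRUSTED_MGMT):
            reason = "PSEMHUB reached from outside the management subnet"
        else:
            continue
        hits.append({"ip": client, "ts": ts, "method": method, "path": path,
                     "status": int(status), "reason": reason})
    return hits


def hunt_c2(lines):
    """Any proxy or DNS record naming the C2 domain (covers CONNECT tunnels on 443)."""
    return [l for l in lines if C2_DOMAIN in l.lower()]


def hunt_ssh_spray(lines, threshold=3):
    """Group sshd password events by source and flag a source that fails against
    the spray usernames `threshold` or more times, or that fails and then
    succeeds, which is the fanout script's signature."""
    by_src = {}
    for line in lines:
        m = SSH_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if user not in SPRAY_USERS:
            continue
        rec = by_src.setdefault(src, {"failures": 0, "users": set(), "accepted": []})
        rec["users"].add(user)
        if outcome == "Failed":
            rec["failures"] += 1
        else:
            rec["accepted"].append(user)
    return {src: rec for src, rec in by_src.items()
            if rec["failures"] >= threshold or (rec["failures"] and rec["accepted"])}


def suspicious_paths(paths):
    """Match file names (not directories) against the two dropped artefacts."""
    return [p for p in paths
            if any(fnmatch.fnmatch(os.path.basename(p), pat) for pat in FILE_PATTERNS)]


# Constructed samples
ACCESS_LOG = """\
10.20.1.15 - - [01/Jun/2026:08:02:11 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512
142.11.200.187 - - [02/Jun/2026:03:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 8704
203.0.113.9 - - [02/Jun/2026:03:20:41 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 1200
198.51.100.7 - - [02/Jun/2026:04:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 403 0
""".splitlines()
PROXY_LOG = """\
1780000000.123 10.20.3.14 TCP_TUNNEL/200 5120 CONNECT azurenetfiles.net:443 - HIER_DIRECT/203.0.113.77 -
1780000001.001 10.20.3.14 TCP_MISS/200 880 GET http://updates.example.edu/ - HIER_DIRECT/10.20.9.1 text/html
""".splitlines()
AUTH_LOG = """\
Jun  3 02:11:01 psapp02 sshd[4101]: Failed password for psoft from 10.20.5.40 port 51022 ssh2
Jun  3 02:11:03 psapp02 sshd[4101]: Failed password for oracle from 10.20.5.40 port 51023 ssh2
Jun  3 02:11:05 psapp02 sshd[4101]: Failed password for invalid user linuxadm from 10.20.5.40 port 51024 ssh2
Jun  3 02:11:09 psapp02 sshd[4101]: Accepted password for psoft from 10.20.5.40 port 51030 ssh2
Jun  3 07:40:12 psapp02 sshd[4890]: Failed password for oracle from 10.20.7.9 port 43110 ssh2
Jun  3 09:00:00 psapp02 sshd[5120]: Accepted publickey for psoft from 10.20.0.2 port 40001 ssh2
""".splitlines()
FILES = ["/tmp/uni_fanout.sh", "/tmp/fanout.log",
         "/data/shares/hr/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT", "/psoft/README.txt"]

if __name__ == "__main__":
    for hit in hunt_psemhub_access(ACCESS_LOG):
        print("ACCESS ", hit)
    for line in hunt_c2(PROXY_LOG):
        print("C2     ", line)
    for src, rec in hunt_ssh_spray(AUTH_LOG).items():
        print("SSH    ", src, rec)
    for path in suspicious_paths(FILES):
        print("FILE   ", path)
```

The access-log check deliberately reports the 403 from 198.51.100.7 as well as the successful POST from the attacker range: a blocked probe tells you the host was found by the scanner, and the single-failure source 10.20.7.9 is left out of the SSH output so that routine typos do not page anyone.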
As ShinyHunters continues to monetize enterprise and academic datasets, the exploitation of CVE-2026-35273 stands as a sobering reminder of the compounding risk posed by legacy ERP infrastructure. For IT leaders in both enterprise and academic environments, immediate network isolation of vulnerable PeopleSoft servers is no longer a best practice—it is an absolute operational necessity to stave off catastrophic data exfiltration.