ShinyHunters Breaches Universities via Oracle PeopleSoft Zero-Day Exploit

The zero‑day and its mechanics: CVE‑2026‑35273 in PeopleSoft’s PSEMHUB

Between May 27 and June 9, attackers exploited a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools — tracked as CVE‑2026‑35273 and rated 9.8/10 — to take over servers with no login and no user interaction required, according to analysis by Google’s Mandiant. The flaw lives in the Updates Environment Management component behind the Environment Management Hub (PSEMHUB), and it can be triggered simply by HTTP network access when the hub is reachable from outside. Oracle lists PeopleTools 8.61 and 8.62 as affected and says earlier, unsupported versions are likely vulnerable as well.

Attribution and timeline: ShinyHunters, UNC6240, and public disclosure

Mandiant attributes the campaign to the extortion crew commonly known as ShinyHunters and tracks the activity as UNC6240. The firm confirmed the bug was exploited in the wild; Oracle’s advisory, published June 10, arrived after the period Mandiant dated the activity, meaning the vulnerability was a zero‑day during the observed intrusions. Oracle credits TrendAI Zero Day Initiative and TrendAI Research for the report that led to the advisory.

Operational detail: exposed attacker tooling and lateral movement

The attackers’ own operational errors shed light on their methods. Researcher @nahamike01 flagged open directories that Mandiant then triaged: five sequential IP addresses hosting Python’s SimpleHTTP server on port 8888. The staging files included a shared .bash_history, custom MeshCentral remote‑management agents disguised as Microsoft Azure binaries, and a lateral‑movement script. The agents phoned home to a command‑and‑control domain, azurenetfiles.net, chosen to resemble Azure NetApp Files.

The lateral script, named in the format [victim]_fanout.sh, attempts SSH spread by spraying a hardcoded list of usernames and passwords against internal hosts listed in /etc/hosts and drops a marker file titled README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. Command history shows the attackers compressing data with zstd and initiating outbound SSH to the server hosting a public mirror of the ShinyHunters leak site.

Impact on universities and exposed data

Mandiant notified more than 100 organizations whose IPs matched vulnerable endpoints; 68 percent were in higher education and most were in the United States. Some institutions blocked the activity, while others were compromised and had data posted to the leak site. The University of Nottingham is one of the first confirmed victims. Have I Been Pwned counted about 455,000 unique email addresses in the leaked set, tied to current students and alumni, and reported associated names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. ShinyHunters says victim outreach has only just started and that it has not posted most of the organizations it claims, so more names may appear.

Oracle and Mandiant mitigation guidance

Oracle’s immediate guidance is operational: disable the Environment Management Hub service on multi‑server PeopleSoft installations, or remove the PSEMHUB application on single‑server setups. If neither is possible, block external access at the perimeter to /PSEMHUB/* (especially /PSEMHUB/hub) and to /PSIGW/HttpListeningConnector. Oracle points administrators to a patch‑availability document behind a support login; whether a full fix is broadly available remained unclear in the advisory, so current guidance emphasizes mitigation and patch application once the update is visible in My Oracle Support.

Mandiant warns that WAF body‑inspection rules alone are insufficient because they can be bypassed. It also lays out hunt steps for compromised hosts: check WebLogic access logs for external POSTs to /PSEMHUB/hub or /PSIGW/HttpListeningConnector; look for unexpected .jsp files under PSEMHUB.war or unfamiliar folders named logs, persistantstorage, or scratchpad under PSEMHUB paths; inspect recently changed .xml files under envmetadata/data/environment for XMLDecoder persistence that will execute at restart; and watch for outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations, which attackers may use to capture machine‑account NetNTLM hashes.
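A defender-side illustration of the first hunt step above, written for this article and not taken from Mandiant's or Oracle's own tooling: it parses WebLogic access-log lines in Common Log Format (an assumption about the log shape) and flags POSTs to the PSEMHUB and Integration Gateway paths that originate outside the RFC 1918 ranges (an assumed stand-in for the organisation's real internal address space). The sample log lines are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Endpoints named in the Oracle and Mandiant guidance: the /PSEMHUB/ prefix covers
# Oracle's "/PSEMHUB/*" block rule (including /PSEMHUB/hub); the gateway path is exact.
WATCHED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Assumption: the site's own address space. Replace with the real internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Common Log Format as WebLogic writes it by default:
#   client ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_external(ip: str) -> bool:
    """True when the source address is not inside any internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source field: surface it rather than drop it
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspicious_posts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every external POST to a watched PeopleSoft endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # non-CLF or truncated line; ignore for this check
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if (m.group("method") == "POST"
                and path.startswith(WATCHED_PREFIXES)
                and is_external(m.group("ip"))):
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "path": path, "status": m.group("status")})
    return findings

# Constructed sample: one external POST to the hub, one internal (expected) POST,
# an unrelated GET, one external POST to the gateway connector, and a junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.40 - - [03/Jun/2026:02:15:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
198.51.100.9 - - [03/Jun/2026:02:16:42 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 2048
198.51.100.9 - - [03/Jun/2026:02:17:03 +0000] "POST /PSIGW/HttpListeningConnector?a=1 HTTP/1.1" 500 0
not a log line
"""

if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit is a lead, not proof of compromise; pair it with the file-system checks listed above (unexpected .jsp files, the odd folder names, and altered envmetadata XML) before concluding anything.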

What this means for security teams, universities, and procurement leaders

  • Security teams: Immediately confirm whether PSEMHUB endpoints are externally reachable and apply Oracle’s mitigation steps — disable or remove the hub, or block /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter — and follow Mandiant’s hunt list for signs of prior compromise.
  • Universities and affected enterprises: Expect targeted outreach by the extortion group; prioritize log reviews, network egress monitoring for SSH and SMB anomalies, and forensic steps where marker files or odd artifacts (including README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT) are present.
  • Procurement and operations leaders: Note the shift highlighted by Mandiant — ShinyHunters has moved from vishing and cloud/SaaS access weaknesses to exploiting an on‑premises ERP zero‑day — and factor on‑prem ERP exposure and rapid patching or segmentation into vendor risk assessments.

The immediate, concrete tasks are simple and urgent: lock down PSEMHUB endpoints, hunt for the artifact markers and altered files Mandiant described, and apply Oracle’s update when it appears in My Oracle Support. The broader question the campaign raises — whether this is a single borrowed zero‑day or the start of a deliberate move by ShinyHunters into ERP exploitation — remains open as other victims and disclosures emerge.

https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html