ShinyHunters Exploited CVE-2026-35273 for Two Weeks Before Oracle Issued a Patch, Breaching 100+ Organizations

Two Weeks, No Patch, 100+ Victims: Oracle PeopleSoft Zero-Day Became ShinyHunters' Most Destructive Campaign Yet
From May 27 to June 9, 2026, the ShinyHunters group — tracked by Google's Mandiant team as UNC6240 — quietly moved through PeopleSoft deployments at universities and colleges across the United States and beyond. Oracle did not publish an out-of-band advisory for the underlying vulnerability, CVE-2026-35273, until June 10. Every breach in that window happened against a zero-day with no available fix.
The vulnerability carries a CVSS score of 9.8 out of 10. It is an unauthenticated Server-Side Request Forgery (SSRF) flaw in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, and researchers believe earlier unsupported releases are equally exposed. No credentials are required to trigger it — an attacker with nothing more than network access over HTTP can reach the affected endpoints and escalate toward Remote Code Execution.
What Was Exploited and How
The vulnerable component is PeopleSoft's Environment Management Hub, known as PSEMHUB. Two specific endpoints were targeted: /PSEMHUB/hub and /PSIGW/HttpListeningConnector. Because these interfaces are sometimes left internet-facing for administrative convenience, ShinyHunters was able to probe and compromise them at scale without any prior foothold inside victim networks.
Once inside, the group established persistence through a command-and-control server at azurenetfiles.net — a domain crafted to blend in with legitimate Azure NetApp Files infrastructure. Lateral movement was automated via victim-specific shell scripts following the naming pattern [victim]_fanout.sh. Compromised PeopleSoft directories received a calling card: a plaintext file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
Mandiant has noted that this attack marks a tactical evolution for ShinyHunters. The group built its reputation on vishing campaigns and OAuth token theft — methods that depend on manipulating people. Weaponizing an unpatched server-side vulnerability in widely deployed on-premises ERP software is a different category of capability, and it produced correspondingly larger results.
Scale and Confirmed Damage
By the time Oracle's advisory went live, more than 100 organizations had been compromised across 300+ PeopleSoft instances. The sectoral breakdown is striking: 68 percent of victims are in higher education, predominantly US colleges and universities. PeopleSoft remains deeply embedded in university HR, student records, and financial systems — a combination that made these institutions both high-value targets and high-impact victims.
The University of Nottingham confirmed a breach. Have I Been Pwned logged 455,000 unique email addresses from the leaked data, with records including names, postal addresses, phone numbers, passport numbers, ethnicity, and disability information. The sensitivity of that dataset — spanning categories protected under GDPR and equivalent statutes — means affected individuals face elevated risks of identity fraud and targeted phishing for years to come.
ShinyHunters has stated publicly that victim outreach is only beginning. Additional organizations should expect to be named as the group moves through its extortion pipeline.
CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities (KEV) catalog on June 12, two days after Oracle's advisory. Federal agencies under CISA's directive are required to remediate on an accelerated timeline, but the KEV listing also serves as a formal signal to the broader sector that exploitation is confirmed and active.
What Defenders Must Do Now
Oracle has issued a patch. Apply it immediately. For organizations that cannot patch right now, two interim mitigations are available:
- Disable the PSEMHUB service entirely if it is not operationally required. This removes the attack surface at its root.
- Block external access at the network perimeter to the paths /PSEMHUB/* and /PSIGW/HttpListeningConnector. Do not route these endpoints to the public internet under any circumstances.
Mandiant has explicitly warned that WAF body-inspection rules alone are not sufficient to block exploitation of this vulnerability. Organizations that have deployed web application firewalls as their primary control and have not taken the steps above should treat themselves as unprotected until they do.
Beyond patching and access controls, defenders should hunt for the known indicators of compromise in their environments:
- Outbound connections or DNS lookups to azurenetfiles.net
- Shell scripts on PeopleSoft hosts matching the [victim]_fanout.sh naming pattern
- Presence of README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in any PeopleSoft directory
- Unusual HTTP requests to the PSEMHUB or PSIGW endpoints in web and application server logs
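As an added example (not code from the original article, Mandiant or Oracle), the following hunt script applies the four indicators above to constructed sample data. It assumes Common Log Format web-server access lines, that only the RFC 1918 ranges in INTERNAL_NETS should ever reach the hub endpoints, and made-up hosts, paths and timestamps.

```python
import ipaddress
import re
# Indicators from the advisory text above.
C2_DOMAIN = "azurenetfiles.net"
README_NAME = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
FANOUT_RE = re.compile(r"[^/]+_fanout\.sh$")  # [victim]_fanout.sh
HUB_PATH_RE = re.compile(r"^/PSEMHUB/|^/PSIGW/HttpListeningConnector")
# Assumptions: Common Log Format access lines; only these RFC 1918 ranges may reach the hub.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def external_hub_requests(access_lines):
    """(ip, method, path, status) for hub requests from outside INTERNAL_NETS, whatever the status code."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or not HUB_PATH_RE.match(m["path"]):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # unparsable client field: skip rather than abort the hunt
        if not any(src in net for net in INTERNAL_NETS):
            hits.append((m["ip"], m["method"], m["path"], m["status"]))
    return hits

def c2_lookups(dns_lines):
    """DNS log lines naming the C2 domain or any host beneath it (trailing-dot FQDNs included)."""
    flagged = []
    for line in dns_lines:
        names = (tok.strip(".").lower() for tok in line.split())
        if any(n == C2_DOMAIN or n.endswith("." + C2_DOMAIN) for n in names):
            flagged.append(line)
    return flagged

def suspicious_files(paths):
    """Paths matching the fan-out script pattern or the calling-card file name."""
    return [p for p in paths if FANOUT_RE.search(p) or p.rsplit("/", 1)[-1] == README_NAME]
# Constructed sample data (not real traffic or hosts) so the functions can run stand-alone.
SAMPLE_ACCESS = [
    '10.0.4.7 - - [28/May/2026:03:11:02 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.45 - - [28/May/2026:03:14:19 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 2048',
    '198.51.100.9 - - [28/May/2026:03:15:01 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
    '203.0.113.45 - - [28/May/2026:03:16:44 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 3301',
]
SAMPLE_DNS = [
    "28-May-2026 03:17:10 client 10.0.4.7#51122: query: cdn.azurenetfiles.net IN A",
    "28-May-2026 03:17:11 client 10.0.4.7#51123: query: www.example.edu IN A",
]
SAMPLE_FILES = ["/opt/psft/bin/exampleuni_fanout.sh", "/opt/psft/" + README_NAME, "/opt/psft/bin/psadmin"]
```

Run it against the real access, resolver and file-listing exports; a hub request from outside the internal ranges is a finding even when it returned 4xx or 5xx, because it proves the endpoint was reachable during the exploitation window.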
Given that the exploitation window opened May 27, any organization running an internet-accessible PeopleSoft instance on versions 8.61 or 8.62 during that period should conduct a full incident response review regardless of whether they have observed indicators. Absence of a README file is not confirmation of a clean environment — it means ShinyHunters may not have gotten to the extortion stage yet.
The combination of a near-perfect CVSS score, no authentication requirement, and a two-week head start over defenders makes CVE-2026-35273 one of the most consequential enterprise vulnerabilities of 2026. The window for preventive action has closed. The window for containment and response is open now.
Originally reported by The Hacker News. Read the original article for additional details.