Oracle PeopleSoft Zero-Day Exploited by ShinyHunters to Target Universities and Enterprises
By Mag-Info Tech editorial · 2026-06-12

What happened and why it matters
A previously unknown vulnerability in Oracle PeopleSoft allowed unauthenticated attackers to execute code on servers running PeopleTools 8.61 and 8.62, and likely earlier versions. The flaw, tracked as CVE-2026-35273 with a CVSS score of 9.8, requires only network access over HTTP and no user interaction. This makes it especially dangerous for any organization exposing the PeopleSoft Environment Management Hub (PSEMHUB) to the internet. Between May 27 and June 9, the ShinyHunters extortion crew—identified by Mandiant as UNC6240—leveraged the bug to breach multiple enterprises, with universities disproportionately affected. Oracle issued its public advisory only on June 10, meaning the vulnerability was a zero-day during the entire attack window.
The implications are immediate and broad. PeopleSoft is widely used in higher education and large enterprises for student information systems, human resources, and financial management. When an attacker can gain full control of a PeopleSoft server without credentials, the risk extends to sensitive personal data, intellectual property, and operational disruption. The fact that ShinyHunters used the flaw to exfiltrate data and demand payment underscores the real-world impact of unpatched enterprise software. Organizations that delayed patching or failed to restrict access to PSEMHUB now face both data loss and extortion risk.
How the attack unfolded in the wild
Investigators reconstructed the attack chain after researchers discovered exposed staging infrastructure. The attackers deployed custom remote-management agents disguised as Microsoft Azure binaries, hosted on servers running Python's built-in SimpleHTTP server (the http.server module) on port 8888. Five sequential IP addresses were observed serving these files, alongside shared .bash_history files and lateral-movement scripts. The command-and-control domain, azurenetfiles.net, was named to mimic Azure NetApp Files, a common cloud storage service, so that its traffic would blend in with legitimate Azure traffic and evade detection.
Once inside, the threat actor used a script named [victim]_fanout.sh to spread laterally across internal networks. The script brute-forced SSH credentials using a hardcoded list of usernames and passwords, pulling target hosts from /etc/hosts. After gaining access, it dropped a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in PeopleSoft directories, a clear sign of compromise. Data was compressed using zstd and exfiltrated via SSH to a server linked to the public mirror of the ShinyHunters leak site. This operational footprint reveals a methodical, multi-stage intrusion built for volume of data theft rather than stealth: SSH password spraying and a marker file are noisy by design, which is also what makes this campaign detectable.
Why PeopleSoft environments are prime targets
PeopleSoft’s Environment Management Hub is often exposed to the internet to enable remote administration, software updates, and patching. However, this convenience creates a direct path into the application stack. The vulnerability resides in the Updates Environment Management component, which handles environment provisioning and configuration. If that endpoint is reachable from outside the network, attackers can send crafted requests to execute arbitrary code with the privileges of the PeopleSoft service account—typically high within the application tier.

Universities are particularly exposed because they often rely on legacy PeopleSoft versions and maintain open network policies to support distance learning and distributed campuses. Large enterprises also run complex PeopleSoft deployments with numerous integrations, increasing the attack surface. The combination of high-value data, decentralized IT environments, and external-facing management interfaces makes these systems attractive to extortion-focused groups like ShinyHunters.
The role of Mandiant and threat attribution
Mandiant linked the campaign to UNC6240, a known extortion group tracked by its analysts. The firm confirmed active exploitation of CVE-2026-35273 in the wild and provided detailed IOCs, including IP addresses, domains, and file hashes. While Oracle acknowledged the issue in its advisory, it did not publicly confirm observed exploitation, and its patch availability notice remains behind a support login, limiting transparency for non-customers. This opacity can delay remediation, especially for organizations without direct access to Oracle’s support portal.
The attribution process relied on forensic analysis of exposed attacker infrastructure and malware artifacts. The use of disguised Azure binaries, zstd compression, and SSH exfiltration reflects techniques previously associated with ShinyHunters. This consistency helps defenders correlate new incidents with known threat actor playbooks and prioritize response efforts accordingly.
Oracle’s response and current patch status
Oracle released its public advisory on June 10, confirming PeopleTools 8.61 and 8.62 as affected and noting that earlier, unsupported versions are likely vulnerable as well. The company credited TrendAI Zero Day Initiative and TrendAI Research for reporting the issue, highlighting the role of third-party research in vulnerability discovery. However, the advisory points to a patch availability document behind a My Oracle Support login, which restricts access to customers with active support contracts.
For organizations without immediate patch access, Oracle’s guidance emphasizes mitigation. The most urgent action is to restrict external access to the PSEMHUB endpoint. Network segmentation, firewall rules, and VPN enforcement can reduce exposure while patches are tested and applied. Given the severity and ease of exploitation, delaying mitigation increases the risk of compromise significantly.
What defenders should do right now
The first step is to audit all PeopleSoft environments for exposed PSEMHUB endpoints. Use network scans to detect HTTP(S) services on the default ports associated with PeopleTools and PeopleSoft Update Manager. Confirm whether these endpoints are reachable from the internet or any untrusted network. If they are, implement immediate access controls: restrict source IPs, require VPN authentication, or disable external access entirely until patching is complete.
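One way to run that audit, as an added example that is not Oracle's or Mandiant's tooling: the script below probes each host for the Environment Management Hub servlet path and classifies the answer. The /PSEMHUB/hub path and the 8000/8443 PIA ports are the usual PeopleSoft defaults but are assumptions here (adjust them to your deployment), and the hostname psweb.example.edu together with the response table in demo_probe() are constructed so the script runs offline.

```python
"""Audit PeopleSoft web hosts for an Environment Management Hub reachable from
wherever this script runs (run it from the internet side to measure exposure).

Added example, not Oracle's or Mandiant's tooling. HUB_PATH and DEFAULT_PORTS
are the usual PIA defaults but are assumptions here; psweb.example.edu and the
responses in demo_probe() are constructed so the script runs offline.
"""
import ssl
import sys
import urllib.error
import urllib.request

HUB_PATH = "/PSEMHUB/hub"                                    # assumed default hub servlet path
DEFAULT_PORTS = {"http": (8000, 80), "https": (8443, 443)}   # assumed PIA defaults


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page still proves the hub path
    answered, and following it would turn every probe into a 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def candidate_urls(host):
    return [f"{scheme}://{host}:{port}{HUB_PATH}"
            for scheme, ports in DEFAULT_PORTS.items() for port in ports]


def classify(status):
    """Map an HTTP status (None = no TCP/TLS connection) to an exposure verdict."""
    if status is None:
        return "unreachable"
    if status == 404:
        return "no_hub_at_path"
    if status in (401, 403):
        return "reachable_but_gated"   # something in front filters; verify it cannot be bypassed
    return "REACHABLE"                 # 200, 3xx, 5xx: the servlet answered an unauthenticated request


def probe(url, timeout=5.0):
    """GET the URL and return (status, Server header); (None, "") if no connection.
    Certificate checks are disabled on purpose: self-signed PIA certs are common
    and we are measuring reachability, not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"User-Agent": "psemhub-exposure-audit"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Server", "")
    except (OSError, ValueError):      # URLError, timeouts, DNS failures, bad URLs
        return None, ""


def audit(hosts, probe_fn=probe, timeout=5.0):
    findings = []
    for host in hosts:
        for url in candidate_urls(host):
            status, server = probe_fn(url, timeout)
            findings.append({"url": url, "status": status, "server": server,
                             "verdict": classify(status)})
    return findings


def exposed(findings):
    return [f for f in findings if f["verdict"] == "REACHABLE"]


# ---- constructed offline demo -------------------------------------------------
_DEMO_RESPONSES = {
    "http://psweb.example.edu:8000/PSEMHUB/hub": (200, "WebLogic Server"),  # exposed hub
    "http://psweb.example.edu:80/PSEMHUB/hub": (404, "Apache"),             # public site, no hub
    "https://psweb.example.edu:8443/PSEMHUB/hub": (403, "nginx"),           # IP allow-list in front
}


def demo_probe(url, timeout=5.0):
    return _DEMO_RESPONSES.get(url, (None, ""))   # 443: nothing listening


def demo():
    return audit(["psweb.example.edu"], probe_fn=demo_probe)


if __name__ == "__main__":
    hosts = sys.argv[1:]
    findings = audit(hosts) if hosts else demo()
    for f in findings:
        print(f"{f['verdict']:<20} {f['status']!s:>4} {f['server']:<16} {f['url']}")
    print(f"{len(exposed(findings))} endpoint(s) answer unauthenticated requests")
```

Run it as `python3 audit.py psweb1.example.edu psweb2.example.edu` from a host outside your perimeter; any REACHABLE line is a hub that an unauthenticated client can talk to, and a reachable_but_gated line still deserves a check that the allow-list in front is not bypassable (for example via a second virtual host or a direct IP).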
Next, review authentication and authorization policies for PeopleSoft services. Enforce multi-factor authentication for all administrative interfaces and disable default or shared credentials. Monitor for signs of lateral movement, such as SSH brute-force attempts or the presence of README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT files in application directories. Mandiant’s IOCs provide a starting point for detection, including domains, IPs, and file names used in this campaign.
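The two lateral-movement indicators named here and in the description of the fanout script above, SSH password spraying from a hardcoded credential list and the marker file in PeopleSoft directories, can be hunted with the added example below. It is not Mandiant's tooling: the auth-log lines in SAMPLE_AUTH_LOG, the PS_HOME-style tree built by demo_marker_scan() and the flagging thresholds are constructed or assumed for the demonstration.

```python
"""Hunt for the lateral-movement footprint described above: password-spray
bursts against sshd and the marker file dropped in PeopleSoft directories.

Added example, not Mandiant's or Oracle's tooling. SAMPLE_AUTH_LOG and the
directory created by demo_marker_scan() are constructed; the thresholds are
assumptions to tune per environment.
"""
import os
import re
import tempfile
from collections import defaultdict

MARKER_NAME = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

# OpenSSH auth-log formats: "Failed password for [invalid user] <user> from <ip> port <n> ssh2"
# and "Accepted password|publickey for <user> from <ip> port <n> ssh2".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def find_bruteforce_sources(lines, min_failures=10, min_users=3):
    """Return {ip: {"failures", "users", "accepted"}} for every source that
    failed at least min_failures times across at least min_users usernames,
    which is what a hardcoded user/password list fired at one host looks like.
    An "Accepted" from the same source after the spray is recorded under
    "accepted": that is the account the attacker actually got into."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["failures"] += 1
            entry["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["ip"] in stats:          # only sources that sprayed first
            stats[m["ip"]]["accepted"].add(m["user"])
    return {ip: e for ip, e in stats.items()
            if e["failures"] >= min_failures and len(e["users"]) >= min_users}


def find_marker_files(roots):
    """Walk the given PeopleSoft roots (PS_HOME, PS_CFG_HOME, ...) and return
    every file whose name is the marker, compared case-insensitively."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            hits.extend(os.path.join(dirpath, f) for f in files
                        if f.upper() == MARKER_NAME)
    return sorted(hits)


# ---- constructed sample data -------------------------------------------------
ATTACKER_IP = "10.20.30.40"          # constructed
_SPRAY_USERS = ["psadm2", "oracle", "root", "admin", "test",
                "psadm2", "oracle", "root", "admin", "psadm2", "oracle", "root"]


def _failed(i, user):
    invalid = "invalid user " if user in ("admin", "test") else ""
    return (f"Jun  3 02:14:{i:02d} psapp01 sshd[41{i:02d}]: Failed password for "
            f"{invalid}{user} from {ATTACKER_IP} port {51000 + i} ssh2")


SAMPLE_AUTH_LOG = [_failed(i, u) for i, u in enumerate(_SPRAY_USERS)] + [
    f"Jun  3 02:14:20 psapp01 sshd[4190]: Accepted password for psadm2 from {ATTACKER_IP} port 51020 ssh2",
    # Legitimate admin: one typo, then a key login; must not be flagged.
    "Jun  3 02:30:11 psapp01 sshd[4301]: Failed password for jdoe from 10.0.5.7 port 40222 ssh2",
    "Jun  3 02:30:15 psapp01 sshd[4302]: Accepted publickey for jdoe from 10.0.5.7 port 40222 ssh2",
]


def demo_marker_scan():
    """Build a throwaway PS_HOME-style tree with one marker and one decoy
    README, then scan it. Returns the marker paths found."""
    root = tempfile.mkdtemp(prefix="ps_home_")
    domain = os.path.join(root, "appserv", "APPDOM")
    os.makedirs(domain)
    with open(os.path.join(domain, MARKER_NAME), "w") as fh:
        fh.write("constructed marker\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("benign file\n")
    return find_marker_files([root])


if __name__ == "__main__":
    for ip, e in find_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"spray from {ip}: {e['failures']} failures, users={sorted(e['users'])}, "
              f"then accepted={sorted(e['accepted'])}")
    for path in demo_marker_scan():
        print("marker file:", path)
```

In production, feed find_bruteforce_sources() the real sshd lines (`journalctl -u ssh -o cat` or /var/log/auth.log) and point find_marker_files() at PS_HOME, PS_CFG_HOME and PS_APP_HOME; a source that sprays and then gets an Accepted is the host to isolate first, because that is where the fanout script moved next.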
Finally, prepare an incident response plan tailored to PeopleSoft breaches. This includes isolating compromised servers, revoking session tokens, and conducting a forensic review of affected systems. Given the risk of data exfiltration and extortion, early containment is critical to limiting damage.
Long-term implications for enterprise software security
The ShinyHunters incident highlights systemic risks in enterprise software supply chains. When a single vendor’s platform—used across industries—contains a critical, pre-authentication flaw, the blast radius can be enormous. Organizations must treat third-party software as part of their attack surface and demand better visibility into patch availability and support timelines. Vendors, in turn, should accelerate public disclosure and provide clear, accessible mitigation guidance even before patches are broadly available.

The trend toward extortion-driven attacks means that even non-sensitive data can become a liability if stolen and weaponized. Universities and enterprises alike must assume that any unpatched system is a potential entry point. Moving forward, security teams should prioritize asset inventory, continuous monitoring, and rapid patching cycles—especially for externally facing management interfaces. The days of treating PeopleSoft as a “backend system” are over; it is now a frontline target for financially motivated attackers.
What to watch in the coming weeks
Watch for additional Oracle PeopleSoft advisories or emergency patches that address CVE-2026-35273 in older, unsupported versions. Many universities and organizations run PeopleTools releases that are no longer officially supported, creating a hidden risk. Vendors may release extended support patches or recommend upgrades to supported versions.
Also monitor threat intelligence feeds for new campaigns leveraging the same TTPs. The reuse of azurenetfiles.net, zstd compression, and SSH exfiltration could signal broader exploitation beyond the initial wave. Security teams should update detection rules and hunt for related artifacts across their environments.
Finally, expect regulatory scrutiny to increase, especially in education and healthcare sectors where PeopleSoft handles sensitive data. Incident reporting timelines may tighten, and regulators may question why known vulnerabilities were not patched promptly. Proactive communication with stakeholders and auditors will be essential to manage compliance and reputational risk.
Practical takeaways for readers
- Audit your PeopleSoft PSEMHUB endpoints for internet exposure. If reachable, restrict access immediately via firewall rules or VPN.
- Apply Oracle’s mitigation guidance while waiting for patches. Disable external access to management interfaces where possible.
- Monitor for lateral movement indicators, including SSH brute-force attempts and suspicious marker files in PeopleSoft directories.
- Review authentication policies for all PeopleSoft administrative interfaces. Enforce MFA and eliminate default credentials.
- Prepare an incident response plan for PeopleSoft breaches, including isolation, token revocation, and forensic review.
- Treat third-party enterprise software as part of your attack surface. Demand better transparency from vendors on patch availability and support timelines.