
ShinyHunters Exploits PeopleSoft Zero-Day CVE-2026-35273

June 14, 2026 · 9 min read · By William

CVE-2026-35273 is a critical unauthenticated remote code execution vulnerability (CVSS 9.8) in Oracle PeopleSoft PeopleTools’ Environment Management Hub. The threat actor ShinyHunters exploited it as a zero-day between May 27 and June 9, 2026 — two weeks before Oracle’s advisory — compromising over 100 organizations, 68% in higher education. Immediate action: disable the PSEMHUB endpoint externally and apply Oracle’s patch for PeopleTools 8.61 and 8.62.

Zero-Day Exploited Before the Advisory

Mandiant and Google Threat Intelligence Group (GTIG) identified an active compromise and extortion campaign attributed to the threat actor known as ShinyHunters (tracked internally as UNC6240), targeting Oracle PeopleSoft application infrastructure. The campaign unfolded between May 27 and June 9, 2026 — a full two weeks before Oracle published its security advisory on June 10. That makes CVE-2026-35273 a genuine zero-day in the field, not a patch-gap exploit — part of a broader wave of critical exploits defining 2026’s threat landscape. ShinyHunters weaponized the flaw in the Environment Management component of PeopleSoft PeopleTools, achieved unauthenticated remote code execution (CVSS 9.8), and pivoted into data theft operations targeting over 100 organizations globally. 68% of those organizations were in the higher education sector, according to Mandiant’s threat intelligence report.

CVE-2026-35273: Technical Breakdown

CVE-2026-35273 is an unauthenticated remote code execution vulnerability in the Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. The flaw affects supported versions 8.61 and 8.62, and likely impacts earlier versions as well, though Oracle has not formally tested unsupported releases. The vulnerability was reported to Oracle by Bobby Gould and Lucas Miller of TrendAI Research and the Zero Day Initiative, with additional credit to Minh Giang, as noted in Oracle’s official Security Alert.

The attack surface centers on the PeopleSoft Environment Management Hub (PSEMHUB) endpoint. Because the flaw requires no authentication and exists in an administrative component that is often inadvertently exposed to the internet, the CVSS 3.1 base score of 9.8 reflects the worst-case scenario: complete confidentiality, integrity, and availability compromise through a single HTTP request. This is the same class of unauthenticated RCE we saw in the Ivanti Sentry CVE-2026-10520 — administrative endpoints left internet-exposed, weaponized within days.

The National Vulnerability Database entry for CVE-2026-35273 classifies it under the “Updates Environment Management” component, confirming that the exploitation path targets the EMHub service specifically — not the broader PeopleSoft Internet Architecture that end users interact with.

Why ShinyHunters Targeted Education

ShinyHunters is not a newcomer. The group’s track record includes the 2020 Microsoft GitHub exfiltration (over 500 GB of source code), the July 2025 Qantas breach exposing 5.7 million customer records, and a string of high-profile data dumps from platforms including AT&T, LinkedIn, and Dropbox, as documented by Picus Security’s threat database.

The education sector is an attractive target for several converging reasons. Universities run large, complex ERP installations that are difficult to patch on schedule. Their PeopleSoft environments manage student records, financial aid, payroll, and research data — all high-value for extortion. Budget-constrained IT teams often lack dedicated application security staff, and perimeter controls on legacy ERP administrative endpoints are frequently misconfigured. Mandiant’s notification campaign reached over 100 exposed organizations, the majority based in the United States, with a heavy concentration in colleges and universities.

Inside the Exploitation Chain

The attack chain follows a methodical progression from initial compromise to data exfiltration. Each step was logged in an exposed .bash_history file on the attacker’s staging servers — an operational security failure that gave Mandiant a full timeline of the campaign.

Stage 1: C2 Infrastructure Setup

On May 27, 2026, at 22:14 UTC, ShinyHunters deployed MeshCentral version 1.1.59 as their command-and-control framework. Eleven minutes later, they installed the acme-client npm package to automate Let’s Encrypt certificate provisioning for a masquerade domain: azurenetfiles.net. The domain was deliberately chosen to mimic Microsoft Azure NetApp Files, a common enterprise storage service. Pre-configured Windows MeshCentral agent binaries — named meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe — were compiled to communicate back to wss://azurenetfiles.net:443/agent.ashx.

Stage 2: Internal Reconnaissance

Using the MeshCentral CLI utility meshctrl.js, the attackers mapped compromised networks systematically. They extracted machine names and IP addresses from PeopleSoft’s process scheduler configuration (psappsrv.cfg), audited NFS mounts and network configurations, parsed internal host tables, and inspected WebLogic XML configurations to map application server topology.

Stage 3: Lateral Movement

The attackers deployed a propagation script named [victim_abbreviation]_fanout.sh via heredoc to /tmp on compromised hosts. This script automated SSH credential spraying against internal hosts parsed from /etc/hosts, cycling through hardcoded lists of administrative and application-specific usernames and passwords. Upon successful authentication, the script copied a defacement and extortion marker — README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT — into WebLogic and Process Scheduler directories. The script also attempted key-based SSH fallback when password spraying failed.

Stage 4: Exfiltration and Extortion

Stolen data was compressed using zstd (pv -s ... | zstd -3 -T0 -o exfil.tar.zst) and transferred via outbound SSH to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters Data Leak Site. On June 9, 2026, the stolen archives appeared on the DLS, completing the extortion cycle. Help Net Security reported that Oracle had not yet confirmed active exploitation at the time of their coverage.

Indicators of Compromise

Mandiant published a comprehensive IOC set alongside their analysis. The following table consolidates the highest-priority network and host indicators for immediate hunting.

Type | Indicator | Context
---- | --------- | -------
C2 Domain | azurenetfiles.net | Mimics Azure NetApp Files; MeshCentral agent endpoint
Staging IP | 142.11.200.186–190 | Five sequential IPs hosting Python HTTP servers on port 8888
DLS Mirror IP | 176.120.22.24 | Hosts the public ShinyHunters DLS mirror; SSH exfil target
Defacement File | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Copied to WebLogic and Process Scheduler directories
Propagation Script | [prefix]_fanout.sh | SSH credential spraying tool; typically in /tmp
Binary | meshagent64-azure-ops.exe | SHA-256: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc
Binary | meshagent64-v2.exe | SHA-256: d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f
Binary | meshagent32-azure-ops.exe | SHA-256: c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f

Remediation and Hardening Playbook

Oracle’s advisory and Mandiant’s recommendations converge on a set of concrete actions. The priority order matters — disable the vulnerable surface first, then hunt for compromise.

1. Disable or Restrict the EMHub Surface

In multi-server configurations, disable the Environment Management Hub (EMHub) service entirely. In single-server configurations, remove the PSEMHUB application. If business requirements prevent full removal, block external network access to /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Mandiant explicitly warns that WAF body-inspection rules alone are insufficient and can be bypassed — use network-level controls.

This restriction is considered non-breaking for standard end-user operations. The EMHub and Integration Broker Listening Connector are administrative or system-to-system components, not required for core PeopleSoft Internet Architecture browser sessions.

2. Apply the Oracle Patch

Oracle has released patches for supported PeopleTools versions through the Security Alert program. Organizations on versions 8.61 or 8.62 should apply the patch immediately. Customers on unsupported versions must upgrade to a supported release to receive the fix.

3. Audit Access Logs

Review the PIA WebLogic access log for HTTP POST requests targeting /PSEMHUB/hub and /PSIGW/HttpListeningConnector from external or untrusted IP addresses. Also analyze requests to the HttpListeningConnector for loopback addresses (127.0.0.1, localhost, ::1) or internal IP ranges in request headers — a common SSRF technique used to bypass access controls.
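The two log checks above, as an added example that is not part of the original article or of Oracle's or Mandiant's tooling. It assumes the PIA access log is written in WebLogic's extended (W3C) format with the Host header included in the #Fields line; the log lines and the internal address ranges are constructed for the example.

```python
import ipaddress
# Constructed sample log (assumed W3C extended layout with a logged Host header).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri sc-status cs(Host)
2026-06-02 03:14:07 203.0.113.45 POST /PSEMHUB/hub 200 erp.example.edu
2026-06-02 03:14:09 203.0.113.45 POST /PSIGW/HttpListeningConnector 200 127.0.0.1
2026-06-02 08:22:11 10.20.30.40 POST /PSEMHUB/hub 200 erp.example.edu
2026-06-02 09:01:55 198.51.100.7 GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT 200 erp.example.edu
2026-06-02 09:05:12 10.20.30.41 POST /PSIGW/HttpListeningConnector 200 [::1]:8000
"""

SENSITIVE_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # adjust to your own ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostnames and junk are not internal addresses
        return False
    return any(addr in net for net in INTERNAL_NETS)

def host_without_port(host: str) -> str:
    # Strip an optional :port from a Host header value, handling [IPv6] literals.
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")]
    return host.split(":")[0] if host.count(":") == 1 else host

def parse_extended_log(text: str):
    # Yield one dict per record, keyed by the names in the #Fields directive.
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def audit(text: str):
    findings = []
    for rec in parse_extended_log(text):
        path = rec["cs-uri"].split("?", 1)[0]
        # Check 1: POST to an administrative endpoint from outside internal ranges.
        if rec["cs-method"] == "POST" and path.startswith(SENSITIVE_PATHS) \
                and not is_internal(rec["c-ip"]):
            findings.append(("external_admin_post", rec["c-ip"], path))
        # Check 2: loopback or internal address in the Host header of a connector request.
        if path == "/PSIGW/HttpListeningConnector":
            host = host_without_port(rec.get("cs(Host)", ""))
            if host == "localhost" or is_internal(host):
                findings.append(("internal_host_header", rec["c-ip"], rec["cs(Host)"]))
    return findings
```

Run audit() over the real log text; each finding names the rule, the client IP and the path or Host value that triggered it.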

Detection Strategy Beyond Patching

Patching closes the hole, but detection answers the harder question: was your environment already compromised? The following checks form a practical triage sequence.

  • Webshell detection: Scan <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ for any .jsp files not part of the shipped product. Every unexpected JSP is a candidate webshell.
  • Unauthorized staging: Inspect .../PSEMHUB.war/envmetadata/transactions/ for unexpected folders, files, or binary drops. Look for directories named logs, persistantstorage, or scratchpad under PSEMHUB paths.
  • XMLDecoder persistence: Check <docroot>/envmetadata/data/environment/ for recently created or modified .xml files. These can be leveraged to execute code via XMLDecoder upon application restart — a persistence mechanism that survives reboots.
  • Outbound SMB monitoring: Monitor outbound firewall logs and NetFlow data for SMB traffic (TCP 445) originating from PeopleSoft hosts to untrusted external destinations. The exploit chain may coerce systems into outbound connections to capture Windows machine-account NetNTLM hashes.
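The three filesystem checks in the list above (unexpected JSPs, staging directories, recently modified environment XML), as an added example that is not part of the original article or of any vendor tooling. It assumes the PSEMHUB.war directory is also the <docroot> for envmetadata, and the baseline JSP names and the demo tree are constructed placeholders; build a real baseline from a pristine install of the same PeopleTools release.

```python
import os
import tempfile
import time
from pathlib import Path

# Constructed baseline: JSP files a clean PSEMHUB.war is expected to contain.
# The names are placeholders for this example, not the product's real file list.
BASELINE_JSP = {"index.jsp", "hub/status.jsp"}
STAGING_DIR_NAMES = {"logs", "persistantstorage", "scratchpad"}

def find_unexpected_jsp(war_dir: Path, baseline=BASELINE_JSP):
    """Any .jsp under PSEMHUB.war that is not in the baseline is a webshell candidate."""
    return sorted(p.relative_to(war_dir).as_posix() for p in war_dir.rglob("*.jsp")
                  if p.relative_to(war_dir).as_posix() not in baseline)

def find_staging_dirs(war_dir: Path):
    """Directories named like the attacker staging folders, anywhere under PSEMHUB.war."""
    return sorted(p.relative_to(war_dir).as_posix() for p in war_dir.rglob("*")
                  if p.is_dir() and p.name in STAGING_DIR_NAMES)

def find_recent_env_xml(docroot: Path, max_age_days: int = 30, now=None):
    """XML under envmetadata/data/environment modified within max_age_days.
    XMLDecoder reads these at restart, so a fresh file needs an explanation."""
    env_dir = docroot / "envmetadata" / "data" / "environment"
    if not env_dir.is_dir():
        return []
    cutoff = (now or time.time()) - max_age_days * 86400
    return sorted(p.relative_to(docroot).as_posix() for p in env_dir.rglob("*.xml")
                  if p.stat().st_mtime >= cutoff)

def triage(war_dir: Path) -> dict:
    # Assumes the exploded PSEMHUB.war directory is also the envmetadata docroot.
    return {"jsp": find_unexpected_jsp(war_dir),
            "staging": find_staging_dirs(war_dir),
            "xml": find_recent_env_xml(war_dir)}

def demo() -> dict:
    """Build a constructed PSEMHUB.war tree in a temp dir and triage it."""
    war = Path(tempfile.mkdtemp()) / "PSEMHUB.war"
    for rel in ("index.jsp", "hub/status.jsp", "hub/cmd.jsp",   # cmd.jsp is not in the baseline
                "envmetadata/transactions/scratchpad/drop.bin",
                "envmetadata/data/environment/old.xml",
                "envmetadata/data/environment/new.xml"):
        path = war / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<!-- constructed placeholder -->")
    ninety_days_ago = time.time() - 90 * 86400   # old.xml predates the campaign window
    os.utime(war / "envmetadata/data/environment/old.xml", (ninety_days_ago, ninety_days_ago))
    return triage(war)
```

Point triage() at the real PSEMHUB.war path; every entry it returns is a file or directory to explain, not yet a confirmed compromise.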

Google Security Operations has deployed detection rules under the Mandiant Frontline Threats rule pack, covering Oracle PeopleSoft configuration inspection, suspicious JSP writes to PSEMHUB, sshpass-based file deployment, zstd compression activity, and MeshCentral command execution patterns.

The Bigger Picture for ERP Security

This campaign exposes a systemic blind spot in enterprise security. Organizations invest heavily in endpoint detection, identity monitoring, and cloud workload protection, but legacy ERP platforms — PeopleSoft, SAP, Oracle E-Business Suite — frequently run with administrative endpoints exposed to the internet, minimal logging, and patch cycles measured in quarters rather than days.

ShinyHunters exploited exactly this gap. The PSEMHUB component should never have been reachable from the public internet, yet Mandiant found over 100 exposed instances — the same pattern of exposed administrative surfaces that turned the Next.js pre-auth RCE into a mass-exploitation event earlier this year. The fact that 68% of those belonged to educational institutions highlights the disparity between the sensitivity of the data these systems hold and the security posture protecting them.

The takeaway for security leaders is structural: legacy ERP systems need the same attack surface management discipline applied to cloud-native infrastructure. That means continuous external attack surface scanning, network segmentation of administrative endpoints, and threat-informed detection rules mapped to the specific components these platforms expose. Oracle will issue patches; attackers will find the next unpatched PSEMHUB. The question is whether your team finds it first.
