
ShinyHunters Exploits Oracle PeopleSoft Zero-Day

The ShinyHunters group exploited an unpatched Oracle PeopleSoft flaw rated 9.8 to breach 100+ organizations, targeting universities and stealing sensitive student and alumni data.


What happened with the Oracle PeopleSoft zero-day attack?

ShinyHunters exploited CVE-2026-35273, a critical unpatched flaw in Oracle PeopleSoft, to breach more than 100 organizations between May 27 and June 9, 2026. Oracle did not publish its advisory until June 10, meaning the bug was a zero-day for the entire campaign. Google's Mandiant attributes the activity to the group it tracks as UNC6240, according to The Hacker News.

What is CVE-2026-35273?

CVE-2026-35273 is a remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools — the application framework that underpins PeopleSoft ERP deployments. It carries a CVSS score of 9.8 out of 10. It requires no login and no user interaction. An attacker needs only network access over HTTP to take over the server.

The flaw sits in the Updates Environment Management component, which powers the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools versions 8.61 and 8.62 as affected and notes that earlier, unsupported versions are likely vulnerable too.

Who did ShinyHunters target?

Sixty-eight percent of the more than 100 notified organizations were in higher education, most of them in the United States. ShinyHunters claims compromise of approximately 300 systems across cloud and on-premises environments, per Field Effect's analysis.


PeopleSoft is an enterprise resource planning (ERP) platform used to manage sensitive data across finance, human resources, supply chain, and academic administration. That concentration of high-value data made it a primary target. Reported stolen data includes student records, financial aid data, health information, and administrative data.

What happened at the University of Nottingham?

The University of Nottingham is one of the first confirmed victims. Have I Been Pwned counted about 455,000 unique email addresses in the leaked dataset. The records cover current students and alumni and include names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach.

How did ShinyHunters operate?

The attackers left their own infrastructure exposed. Researcher @nahamike01 publicly flagged open directories. Mandiant then identified five sequential IP addresses running Python's SimpleHTTP server on port 8888.

Those servers exposed staging files: a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script. The agents called home to a command-and-control server at azurenetfiles.net, a domain chosen to resemble Azure NetApp Files.

A script named [victim]_fanout.sh spread over SSH by spraying hardcoded usernames and passwords against internal hosts pulled from /etc/hosts. It then dropped a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. Stolen data was compressed with zstd and sent out over SSH to a server hosting the ShinyHunters leak site mirror.

What should PeopleSoft administrators do right now?

Oracle's guidance is to disable the Environment Management Hub service on multi-server setups, or remove the PSEMHUB application on single-server setups. If neither is possible, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter.

Mandiant warns that WAF body-inspection rules alone are not sufficient, as they can be bypassed. Restricting these endpoints does not break normal user sessions.

Administrators should also hunt for signs of existing compromise, including:

  • External POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector in WebLogic access logs
  • Unexpected .jsp files under the PSEMHUB.war directory
  • Recently changed .xml files under envmetadata/data/environment, which can be abused for XMLDecoder persistence
  • Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations
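A hunting script for the first three indicators above, added here as an example and not Oracle's or Mandiant's own tooling. It assumes the WebLogic access.log is in its default Common Log Format, treats RFC 1918 ranges as internal, and runs over constructed sample log lines and file entries; point the two functions at real logs and an os.walk listing to use it.

```python
import ipaddress
import re

# Endpoints Oracle and Mandiant name for CVE-2026-35273; external POSTs to them are the hunt signal.
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
# Assumption: WebLogic access.log in its default Common Log Format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumption: RFC 1918 = internal

def is_external(ip):
    """True for any source not inside INTERNAL_NETS; unparsable sources are treated as external."""
    try:
        return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return True

def find_suspicious_posts(lines):
    """Return (ip, path, status) for external POSTs to the watched endpoints, ignoring query strings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip non-CLF or truncated lines instead of aborting the hunt
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.startswith(WATCHED_PATHS) and is_external(m["ip"]):
            hits.append((m["ip"], path, int(m["status"])))
    return hits

def find_suspicious_files(entries, now, window_seconds=14 * 86400):
    """entries: (path, mtime_epoch) pairs; flags .jsp under PSEMHUB.war and recently changed envmetadata .xml."""
    flagged = []
    for path, mtime in entries:
        norm = path.replace("\\", "/")
        if "/PSEMHUB.war/" in norm and norm.endswith(".jsp"):
            flagged.append(("unexpected_jsp", norm))
        elif "/envmetadata/data/environment/" in norm and norm.endswith(".xml") and now - mtime < window_seconds:
            flagged.append(("recent_xml", norm))
    return flagged

# Constructed sample data, not from any real incident: two external POSTs, one internal POST, one benign GET.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.40 - - [02/Jun/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Jun/2026:03:16:22 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 8192',
    '203.0.113.7 - - [02/Jun/2026:03:17:41 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0',
]
SAMPLE_FILES = [  # illustrative paths; only the PSEMHUB.war and envmetadata segments matter
    ("/opt/pt/webserv/PSEMHUB.war/cmd.jsp", 1_780_000_000),
    ("/opt/pt/envmetadata/data/environment/env1.xml", 1_780_000_000),
]
```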

Once Oracle's patch is confirmed available in My Oracle Support for your PeopleTools version, apply it. Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild. Oracle has not stated whether it has independently observed exploitation.

ShinyHunters has stated that victim outreach has only just started and that it has not yet posted data for most of the organizations it claims to have compromised.

Frequently asked questions

What is CVE-2026-35273 and how severe is it?

CVE-2026-35273 is a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. It has a CVSS score of 9.8 out of 10. It requires no authentication and no user interaction — only network access over HTTP. Affected versions include PeopleTools 8.61 and 8.62, and Oracle says earlier unsupported versions are likely vulnerable too.

Which organizations were affected by the ShinyHunters PeopleSoft campaign?

ShinyHunters claims to have compromised more than 100 organizations and approximately 300 systems. Sixty-eight percent of victims were in higher education, most in the United States. The University of Nottingham is one confirmed victim, with about 455,000 unique email addresses exposed in the leaked dataset.

Was CVE-2026-35273 a zero-day when ShinyHunters exploited it?

Yes. The campaign ran from May 27 to June 9, 2026. Oracle did not publish its security advisory until June 10, 2026, meaning the flaw was unpatched and publicly unknown for the entire duration of the attacks.

What data was stolen in the University of Nottingham breach?

Have I Been Pwned counted about 455,000 unique email addresses in the leaked set. The data covers current students and alumni and includes names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach.

How can organizations detect if they were already compromised?

Administrators should check WebLogic access logs for external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector, look for unexpected .jsp files under the PSEMHUB.war directory, check for recently changed .xml files under envmetadata/data/environment, and monitor for outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations.

Sources

  1. The Hacker News (thehackernews.com)
  2. Field Effect analysis (fieldeffect.com)
