News Article · Jun 13, 2026 at 5:10 PM
ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Universities, Mandiant Reports

ShinyHunters exploited CVE-2026-35273, a critical Oracle PeopleSoft zero-day, to breach university systems. Mandiant tracked the attacks between May 27 and June 9, 2026. The University of Nottingham is a confirmed victim, with 455,000 emails exposed.

The ShinyHunters extortion group exploited an unpatched Oracle PeopleSoft vulnerability, CVE-2026-35273, to break into enterprise systems and steal data. The campaign, active between May 27 and June 9, 2026, hit universities hardest, with the University of Nottingham among the first confirmed victims.

The flaw is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10 on the CVSS scale. It requires no authentication and no user interaction, only network access over HTTP to the Environment Management Hub (PSEMHUB) component. Oracle published its advisory on June 10, making the bug a zero-day for the entire attack window.

Attackers Left Infrastructure Exposed

Mandiant, tracking the group as UNC6240, identified the attack infrastructure after researcher @nahamike01 publicly flagged open directories. Mandiant found five sequential IP addresses running Python's SimpleHTTP server on port 8888. Those servers exposed staging files including a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script named [victim]_fanout.sh. The script spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories.

  • CVE-2026-35273 affects PeopleTools 8.61 and 8.62; earlier unsupported versions are likely also vulnerable.
  • Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. 68 percent were in higher education, most in the United States.
  • Have I Been Pwned counted about 455,000 unique email addresses in the leaked set from the University of Nottingham alone, including names, addresses, passport numbers, and details on ethnicity and disabilities.
  • The group claims to have compromised over 100 organizations but has only posted a fraction of the data so far.

Mitigations and the Shift in ShinyHunters' Tactics

Oracle's guidance is to disable the Environment Management Hub service on multi-server setups or remove the PSEMHUB application on single-server setups. If that is not possible, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter. Mandiant warns that WAF body-inspection rules alone are not sufficient because they can be bypassed. Restricting these endpoints does not break normal user sessions. Defenders should also hunt for signs of compromise: unexpected .jsp files under the PSEMHUB.war directory, odd folders named logs or persistantstorage, or recently changed .xml files under the web doc root's envmetadata/data/environment.
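
The hunt described above can be scripted as a file-system sweep. The following is an added example, not code from Oracle, Mandiant, or the article's sources. The function name, the finding labels, the 30-day window, and the choice to look for the odd folders inside PSEMHUB.war are assumptions; the marker file name comes from the fanout script described earlier.

```python
import os
import sys
import time

MARKER = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
ODD_DIRS = {"logs", "persistantstorage"}  # spelled as in the article
ENV_SEG = os.sep + os.path.join("envmetadata", "data", "environment") + os.sep


def hunt(root, max_age_days=30, now=None):
    """Return sorted (reason, path) leads found under root.

    Hits are review candidates to diff against a known-good install,
    not proof of compromise. Labels and the age window are assumptions.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    findings = []
    for dirpath, dirnames, filenames in os.walk(os.path.abspath(root)):
        in_hub = "PSEMHUB.war" in dirpath.split(os.sep)
        in_env = ENV_SEG in dirpath + os.sep
        if in_hub:
            # Assumption: the odd folders are looked for inside PSEMHUB.war.
            for d in dirnames:
                if d.lower() in ODD_DIRS:
                    findings.append(("odd-folder", os.path.join(dirpath, d)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if name.upper() == MARKER:
                findings.append(("marker-file", path))
            elif in_hub and lower.endswith(".jsp"):
                findings.append(("jsp-in-psemhub", path))
            elif in_env and lower.endswith(".xml"):
                try:
                    recent = os.path.getmtime(path) >= cutoff
                except OSError:  # file vanished or unreadable mid-walk
                    continue
                if recent:
                    findings.append(("recent-env-xml", path))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python hunt.py <PeopleSoft web root> [max_age_days]
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 30
    for reason, path in hunt(sys.argv[1], days):
        print(f"{reason}\t{path}")
```

Modification times can be altered by whoever wrote the file, so an empty result narrows the search but does not clear a host.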

ShinyHunters has previously relied on vishing, stolen tokens, and weak access controls to breach SaaS and education platforms. The use of a server-side zero-day in on-premises ERP software marks a notable escalation. The open question is whether this was a one-off borrowed exploit or the beginning of ShinyHunters moving into ERP exploitation. With more victim data expected to surface, organizations running Oracle PeopleSoft should treat this as an active threat and apply Oracle's update once it is available through My Oracle Support.

Fact check

  • CVE-2026-35273 is a remote code execution vulnerability in Oracle PeopleSoft PeopleTools with a CVSS score of 9.8. (verified)
  • Mandiant attributed the attacks to the group it tracks as UNC6240, also known as ShinyHunters. (verified)
  • The University of Nottingham is a confirmed victim, with 455,000 unique email addresses leaked. (verified)
  • 68% of the organizations notified by Mandiant were in higher education, mostly in the United States. (verified)
  • ShinyHunters claims to have compromised over 100 organizations using this zero-day. (reported)
