
CVE-2026-35273 | CVSS 9.8 | Critical | Zero-Day | Active Exploitation
Overview
Oracle’s PeopleSoft enterprise platform has been the target of a large-scale, coordinated mass-compromise campaign carried out by the notorious cybercrime group ShinyHunters. The group exploited a zero-day vulnerability — CVE-2026-35273 — across more than 100 organisations globally, with universities and higher education institutions bearing the brunt of the attacks. Oracle published an out-of-band advisory and released mitigations on June 10, 2026, a day after the breach became public — confirming the vulnerability was a true zero-day for the entire duration of the campaign.
Vulnerability Details
CVE-2026-35273 carries a CVSS score of 9.8 and affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62; earlier, unsupported versions may also be affected. It is an unauthenticated remote code execution flaw in the Updates Environment Management component, the backend logic powering the Environment Management Hub (PSEMHUB). The attack vector is purely network-based over HTTP: an attacker who can reach the hub sends one crafted request and gains code execution on the PeopleSoft server, with no credentials and no user interaction. Oracle has released mitigations; a full patch is pending. This was a confirmed zero-day, exploited in the wild before Oracle's disclosure.
Oracle credited TrendAI Zero Day Initiative and TrendAI Research for responsible disclosure — however, ShinyHunters had already been exploiting this flaw in the wild since at least May 27, 2026.
Attack Campaign Timeline
ShinyHunters’ earliest confirmed exploitation activity dates to May 27, 2026 per Mandiant. Stolen data from unnamed organisations was staged at the /pay_or_leak endpoint on June 2 and 4. ShinyHunters’ claims first surfaced publicly on BleepingComputer on June 9. Oracle released its out-of-band advisory and mitigations on June 10, the same day Mandiant confirmed zero-day exploitation and began notifying 100+ organisations. By June 11, the University of Nottingham had confirmed its breach and Have I Been Pwned had ingested approximately 455,000 records from the leaked dataset.
Attack Chain
ShinyHunters chained CVE-2026-35273 with older known vulnerabilities to gain initial access and escalate within PeopleSoft environments. Post-exploitation followed a structured, scripted playbook:
Initial Access: Unauthenticated RCE via PSEMHUB endpoint over HTTP.
Lateral Movement: A purpose-built shell script — [victim]_fanout.sh — spread over SSH by spraying hardcoded username/password combinations against internal hosts sourced from /etc/hosts. This script was uniquely named per victim, indicating a semi-automated, targeted mass-compromise workflow.
Persistence Marker: A file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT was dropped into PeopleSoft directories across compromised infrastructure — serving simultaneously as a proof-of-access marker and an extortion trigger.
Exfiltration: Stolen data was compressed using zstd and transferred outbound via SSH to infrastructure hosting the ShinyHunters public leak site.
Extortion: Victims were directed to a /pay_or_leak endpoint. Organisations that did not comply had their data published.
Threat Actor Profile — ShinyHunters (UNC6240)
ShinyHunters is a prolific data theft and extortion group whose operational signature is mass exploitation of widely-deployed enterprise software. Their model is not targeted intrusion — it is scale: identify one high-value vulnerability, build automation around it, and sweep as many instances as reachable before a patch arrives. This campaign fits that pattern precisely.
Mandiant tracks the group as UNC6240. The group’s stated original objective for this campaign was to breach an FBI PeopleSoft server to publicly deny involvement in a swatting campaign the FBI had flagged — that attempt failed, but the broader campaign against commercial and academic targets proceeded regardless.
Scale & Impact
Mandiant confirmed breaches at over 100 organisations across 300 targeted PeopleSoft instances. 68% of victims were in the higher education sector, predominantly in the United States. The University of Nottingham is a confirmed named victim with 40 GB of personal data and billing records stolen. Have I Been Pwned has ingested approximately 455,000 unique email addresses from the leaked dataset.
Categories of data exfiltrated include full name, home address, phone number, email address, date of birth, gender, ethnicity, enrollment status, GPA, academic major, student ID, financial aid records, immigration records, health data, and administrative records.
Indicators of Compromise
Attacker Infrastructure IPs:
- 142.11.200[.]186
- 142.11.200[.]187
- 142.11.200[.]188
- 142.11.200[.]189
- 142.11.200[.]190
- 108.174.202[.]99
- 176.120.22[.]24
Post-compromise artefacts:
- File: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in PeopleSoft directories
- Script: [victim]_fanout.sh, SSH lateral movement with a hardcoded credential list
- Endpoint: /pay_or_leak, ShinyHunters staging and extortion portal
Detection Guidance
- Hunt for unexpected POST requests to PSEMHUB endpoints from external IP addresses; the hub is a management interface and should not be receiving requests from the internet at all
- Review SSH authorized_keys files and shell history on PeopleSoft nodes for lateral movement indicators, and look in sshd logs for one internal source failing password authentication against several accounts on several hosts in quick succession, which is the fanout script's spray pattern
- Search for README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT and any *_fanout.sh script across PeopleSoft directory trees
- Block and alert on outbound SSH connections to the listed attacker IPs
- Review /etc/hosts on all PeopleSoft servers: the fanout script used that file as its target list, so every host named there should be checked for the spray activity above
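The hunts in this list, together with the SSH credential spray and zstd-over-SSH exfiltration described under Attack Chain, as an added example that is not Oracle's, Mandiant's or the attackers' code. The three log layouts it parses (combined-format web access log, OpenSSH auth log, iptables-style firewall log), the /PSEMHUB/ URL prefix and every SAMPLE_* line are assumptions or constructed test data; only the IP list and file names come from the advisory.

```python
"""Hunt for the CVE-2026-35273 / ShinyHunters indicators from this advisory.

Added example, not Oracle's, Mandiant's or the attackers' code. The log
layouts, the /PSEMHUB/ URL prefix and every SAMPLE_* line are assumptions
or constructed test data; only the IP list and file names are the advisory's.
"""
import ipaddress
import os
import re
from collections import defaultdict

# IOCs as listed above (de-fanged there as 142.11.200[.]186 and so on).
ATTACKER_IPS = {
    "142.11.200.186", "142.11.200.187", "142.11.200.188", "142.11.200.189",
    "142.11.200.190", "108.174.202.99", "176.120.22.24",
}
MARKER_FILE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
FANOUT_SUFFIX = "_fanout.sh"  # the per-victim [victim]_fanout.sh script

# RFC 1918 and loopback count as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed Apache/WebLogic combined access-log layout.
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                       r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Assumed OpenSSH password-authentication lines from auth.log / secure.
SSH_RE = re.compile(r'(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for '
                    r'(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+')
# Assumed iptables/nftables LOG line for a new outbound TCP connection.
FW_RE = re.compile(r'SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=TCP .*DPT=(?P<dport>\d+)')


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_psemhub_posts(access_lines):
    """POSTs to the Environment Management Hub from external sources, as
    (src, path, status, src_is_listed_ioc). A 200 from a listed IP is the
    strongest signal web logs alone give, but any external POST to the hub
    is wrong, because the hub should not be reachable from outside."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].upper().startswith("/PSEMHUB/") and not is_internal(m["src"]):
            hits.append((m["src"], m["path"], int(m["status"]), m["src"] in ATTACKER_IPS))
    return hits


def hunt_ssh_spray(auth_lines, min_users=3):
    """Sources that tried at least min_users distinct accounts over SSH (the
    fanout script's spray), the hosts they touched, and every password login
    they eventually got."""
    tried, hosts, logins = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in auth_lines:
        m = SSH_RE.search(line)
        if not m:
            continue
        tried[m["src"]].add(m["user"])
        hosts[m["src"]].add(m["host"])
        if m["result"] == "Accepted":
            logins[m["src"]].add((m["host"], m["user"]))
    return {src: {"users_tried": len(users), "hosts": sorted(hosts[src]),
                  "logins": sorted(logins[src])}
            for src, users in tried.items() if len(users) >= min_users}


def hunt_outbound_to_ioc(fw_lines):
    """Outbound TCP connections to listed attacker IPs; port 22 matches the
    zstd-over-SSH exfiltration described above."""
    return [(m["src"], m["dst"], int(m["dport"]))
            for m in map(FW_RE.search, fw_lines) if m and m["dst"] in ATTACKER_IPS]


def find_artefacts(root):
    """Marker files and *_fanout.sh scripts under root (PS_HOME, PS_CFG_HOME, home dirs)."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f == MARKER_FILE or f.endswith(FANOUT_SUFFIX))


# Constructed sample data, not real logs.
SAMPLE_ACCESS = [
    '10.20.5.7 - - [03/Jun/2026:02:11:40 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 8123',
    '108.174.202.99 - - [03/Jun/2026:02:12:03 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Jun/2026:02:12:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 500 0',
    '10.20.5.7 - - [03/Jun/2026:02:13:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
]
SAMPLE_AUTH = [
    "Jun  3 02:14:07 psapp02 sshd[2211]: Failed password for invalid user oracle from 10.20.5.7 port 51022 ssh2",
    "Jun  3 02:14:08 psapp02 sshd[2213]: Failed password for psadm2 from 10.20.5.7 port 51023 ssh2",
    "Jun  3 02:14:09 psapp03 sshd[4410]: Failed password for root from 10.20.5.7 port 51030 ssh2",
    "Jun  3 02:14:11 psapp03 sshd[4412]: Accepted password for psadm2 from 10.20.5.7 port 51031 ssh2",
    "Jun  3 02:15:00 psapp03 sshd[4420]: Accepted publickey for deploy from 10.20.1.2 port 40000 ssh2",
]
SAMPLE_FW = [
    "Jun  3 02:20:15 psapp03 kernel: OUT-NEW IN= OUT=eth0 SRC=10.20.5.9 DST=108.174.202.99 LEN=60 PROTO=TCP SPT=48822 DPT=22",
    "Jun  3 02:20:16 psapp03 kernel: OUT-NEW IN= OUT=eth0 SRC=10.20.5.9 DST=10.20.1.20 LEN=60 PROTO=TCP SPT=48823 DPT=1521",
]

if __name__ == "__main__":
    print("PSEMHUB POSTs from outside:", hunt_psemhub_posts(SAMPLE_ACCESS))
    print("SSH spray sources:", hunt_ssh_spray(SAMPLE_AUTH))
    print("Outbound to IOC IPs:", hunt_outbound_to_ioc(SAMPLE_FW))
```

The spray hunt keys on distinct usernames per source rather than on failure counts, because the fanout script works through a fixed credential list and will produce a handful of failures per host rather than a brute-force flood; set min_users to match the size of the account list you see in the script if you recover it. Run find_artefacts over every directory PeopleSoft processes can write to, not just PS_HOME, since the marker was dropped "into PeopleSoft directories" without a fixed location.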
Remediation
- Apply Oracle’s out-of-band mitigations immediately — available via Oracle Support portal (customer login required)
- Restrict access to the Environment Management Hub (PSEMHUB) to the management hosts that need it; if it is not required externally, block it at the perimeter immediately and confirm from outside that the block holds
- Rotate all service account and administrative credentials on PeopleSoft nodes, and the SSH passwords of every host named in those nodes' /etc/hosts files, since the fanout script sprayed its hardcoded credential list against exactly that set
- Apply the full patch when Oracle releases it — monitor Oracle’s patch availability document
- Cross-reference your organisation’s IP against Mandiant’s notification list if you have not already received outreach


