ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities

The ShinyHunters extortion group exploited an unpatched Oracle PeopleSoft zero-day (CVE-2026-35273) to breach universities and other organizations between May 27 and June 9, stealing data and demanding ransom. The University of Nottingham confirmed a breach affecting 455,000 unique email addresses, including sensitive personal details, while Oracle released mitigation guidance after the flaw was publicly disclosed.
ShinyHunters, an extortion group, exploited an unpatched zero-day vulnerability in Oracle PeopleSoft to breach multiple organizations, primarily universities. The flaw, tracked as CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools with a CVSS severity score of 9.8 out of 10. It requires no authentication or user interaction: an attacker with HTTP network access to a server whose Environment Management Hub is exposed externally can compromise it.

Google’s Mandiant threat intelligence team attributed the attacks to the group it tracks as UNC6240, with activity observed between May 27 and June 9. Oracle did not publish its advisory until June 10, so the vulnerability was exploited as a zero-day for at least two weeks. Affected versions are PeopleTools 8.61 and 8.62, though earlier, unsupported versions may also be vulnerable. Oracle credited TrendAI Zero Day Initiative and TrendAI Research with reporting the flaw.

The campaign was exposed when the attackers left staging files publicly accessible, including custom remote-management tools disguised as Microsoft Azure binaries and lateral-movement scripts. The tools connected to a command-and-control server at azurenetfiles.net, a domain mimicking Azure NetApp Files. Mandiant identified five sequential IP addresses running Python’s SimpleHTTP server; these held evidence of data exfiltration, including compressed archives, and had connections to ShinyHunters’ leak site.

Mandiant notified more than 100 organizations with exposed endpoints, 68% of them in higher education and most in the United States. Some institutions blocked the activity; others were compromised and had data leaked. The University of Nottingham confirmed a breach affecting 455,000 unique email addresses, along with names, addresses, phone numbers, passport details, and other sensitive personal information about students and alumni.
Oracle’s mitigation guidance is to disable the Environment Management Hub service on multi-server deployments, or to remove the PSEMHUB application entirely on single-server deployments. Where neither is feasible, organizations should block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter. Mandiant cautioned that Web Application Firewall (WAF) rules alone may not suffice, since they can be bypassed, and urged organizations to hunt for signs of compromise, such as unexpected requests to those paths in WebLogic access logs or suspicious lateral-movement scripts on hosts.
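The hunting step above is easy to get wrong if the search is a literal string match on the two paths, for the same reason Mandiant gives for distrusting WAF rules: the request URI the server receives may be percent-encoded, mixed-case or padded with dot segments, and a literal filter misses variants that the application server still resolves to PSEMHUB. The script below is an added example written for this article, not Oracle's or Mandiant's tooling. It reads WebLogic HTTP access log lines (WebLogic's default access log is Common Log Format, which the regex assumes), canonicalizes each request path before comparing it against the two paths from Oracle's guidance, and separates hits from internal address ranges from external ones. The INTERNAL_NETS ranges are an assumption to be replaced with your own, and the sample log lines, including the encoded variants, are constructed for illustration and are not indicators observed in this campaign.

```python
"""Hunt WebLogic HTTP access logs for requests to the PSEMHUB / PSIGW paths named in
Oracle's mitigation guidance, normalizing the request path first so that encoding,
case and dot-segment variants do not slip past a literal match.
Added example; the log lines below are constructed, not taken from any real incident."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# Paths from Oracle's guidance: block /PSEMHUB/* and /PSIGW/HttpListeningConnector
# at the perimeter. Compared after normalization, hence lowercase.
BLOCKED_PREFIX = "/psemhub"
BLOCKED_EXACT = "/psigw/httplisteningconnector"

# Assumption: ranges from which this traffic is expected (PeopleSoft agents,
# integration peers). Replace with your own; anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# WebLogic's default HTTP access log uses Common Log Format:
#   client - - [timestamp] "METHOD request-uri protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) (\S+)')


def normalize_path(request_uri: str) -> str:
    """Canonical lowercase path: percent-decoding applied until stable, backslashes
    folded to slashes, '.' and '..' segments resolved, query dropped, no trailing slash."""
    path = urlsplit(request_uri).path
    for _ in range(3):  # bounded loop: defeats double and triple encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.replace("\\", "/").lower().split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_blocked_path(norm: str) -> bool:
    """True if a normalized path falls under /PSEMHUB/* or is the PSIGW listener."""
    return norm == BLOCKED_PREFIX or norm.startswith(BLOCKED_PREFIX + "/") or norm == BLOCKED_EXACT


def hunt(lines):
    """One dict per request that reaches a blocked path: raw URI, normalized form,
    and whether the client address lies outside INTERNAL_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; leave for manual review
        client, ts, method, uri, status, _ = m.groups()
        norm = normalize_path(uri)
        if not is_blocked_path(norm):
            continue
        try:
            external = not any(ip_address(client) in net for net in INTERNAL_NETS)
        except ValueError:
            external = True  # hostname or garbage in the client field: treat as untrusted
        hits.append({"client": client, "time": ts, "method": method, "uri": uri,
                     "normalized": norm, "status": int(status), "external": external})
    return hits


def external_hits(lines):
    """The subset of hits that came from outside the assumed internal ranges."""
    return [h for h in hunt(lines) if h["external"]]


# Constructed sample lines using RFC 5737 documentation addresses; not real logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2026:03:14:09 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 5120',
    '198.51.100.20 - - [27/May/2026:03:14:11 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 412',
    '203.0.113.7 - - [27/May/2026:03:15:02 +0000] "GET /psp/..%2fPSEMHUB/hub HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/May/2026:03:15:40 +0000] "GET /%2550SEMHUB/ HTTP/1.1" 200 5120',
    '10.20.30.40 - - [27/May/2026:03:16:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 5120',
    '192.0.2.55 - - [27/May/2026:03:17:21 +0000] "GET /psp/ps/EMPLOYEE/HRMS/signon.html HTTP/1.1" 200 9001',
    '192.0.2.55 - - [27/May/2026:03:18:00 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/../PSEMHUB HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for h in external_hits(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]:>15} {h["method"]} {h["uri"]} -> {h["normalized"]} ({h["status"]})')
```

Run against the constructed sample, the two encoded requests from 203.0.113.7 resolve to the same /psemhub path as the plain one and are reported, the internal 10.20.30.40 hit is kept but marked internal for triage, and the request that merely contains the string PSEMHUB under another application path is not flagged. Point the script at your real access.log after confirming its format; if you have switched WebLogic to extended logging, adjust LOG_RE accordingly.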
This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.