HackMyIP
2026-06-11 The Hacker News

ShinyHunters Exploit Oracle PeopleSoft Zero-Day to Hit Universities

Tags: Zero-Day, Data Breach, Vulnerability

The ShinyHunters extortion group exploited a critical zero-day vulnerability in Oracle PeopleSoft to breach enterprise systems and steal sensitive data between May 27 and June 9, 2026, according to Google Mandiant researchers who track the cluster as UNC6240. The flaw, CVE-2026-35273, is a remote code execution bug in the PeopleSoft Enterprise PeopleTools "Updates Environment Management" component that backs the Environment Management Hub (PSEMHUB). Rated 9.8 out of 10 on the CVSS scale, it requires no authentication and no user interaction, only network access over HTTP, giving attackers full server control. Oracle published its advisory on June 10, after the active exploitation window had already closed, and has not confirmed whether it observed attacks in the wild. The company credits researchers from the TrendAI Zero Day Initiative and TrendAI Research for the report. PeopleTools 8.61 and 8.62 are confirmed vulnerable, with earlier unsupported versions likely affected as well.

Mandiant CTO Charles Carmakal confirmed the bug is being actively exploited. The attacker infrastructure was exposed after researcher @nahamike01 flagged open directories tied to the campaign. Mandiant triaged five sequential IP addresses running Python's SimpleHTTP server on port 8888, which exposed staging artifacts: a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script. Those agents called home to a command-and-control server at azurenetfiles.net, a domain crafted to mimic Azure NetApp Files. The lateral-movement script, named [victim]_fanout.sh, brute-forced SSH credentials against internal hosts harvested from /etc/hosts and dropped a marker file called README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT inside PeopleSoft directories. Stolen data was compressed with zstd and exfiltrated over SSH to a server hosting the public mirror of the ShinyHunters leak site. Defenders can run a port scanner to verify whether their PSEMHUB endpoint is reachable from the public internet, and use a WHOIS lookup to inspect any Azure-themed domains showing up in their DNS logs.

The campaign's footprint skewed heavily toward academia. Mandiant notified more than 100 organizations whose IP addresses matched vulnerable PeopleSoft endpoints, and 68 percent of those were higher education institutions, most of them based in the United States. Some organizations blocked the activity, but others were compromised and had their data posted to the ShinyHunters leak site. The University of Nottingham is one of the first confirmed victims. Have I Been Pwned has tallied roughly 455,000 unique email addresses in the leaked dataset, covering current students and alumni and including names, postal addresses, phone numbers, and passport numbers. Defenders running PeopleSoft should immediately restrict the Environment Management Hub to internal networks, audit for the marker file, rotate any credentials that may have been exposed via SSH brute-forcing, and review outbound SSH and zstd activity. Students and staff who suspect they may be affected should verify their exposure with an email breach checker and rotate passwords for any accounts that shared credentials with the affected systems.
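Two of the checks recommended above, an audit for the marker file and a review of the SSH fan-out pattern, as a defender-side triage script. This is an added example, not code from the article, Mandiant or Oracle: the directory roots to search are whatever the caller passes (an assumption about the local install), and the auth.log lines are constructed to show one internal host spraying credentials next to ordinary user activity.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import Path

# Marker file name reported by Mandiant; the roots to search are an assumption.
MARKER_NAME = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

def find_marker_files(roots):
    """Return every path under the given roots that carries the marker name."""
    hits = []
    for root in map(Path, roots):
        if root.is_dir():
            hits.extend(str(p) for p in root.rglob(MARKER_NAME))
    return sorted(hits)

# OpenSSH "Failed password" line in classic syslog format (no year field).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def ssh_bruteforce_sources(lines, min_failures=5, min_users=3, window_s=60):
    """Map source IP -> usernames tried, for sources with >= min_failures failed
    logins over >= min_users distinct users within window_s seconds (fan-out)."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events[m["src"]].append((ts, m["user"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            users = [u for t, u in evs[i:] if (t - t0).total_seconds() <= window_s]
            if len(users) >= min_failures and len(set(users)) >= min_users:
                flagged[src] = set(users)
                break
    return flagged

# Constructed sample auth.log: one host spraying five accounts, one ordinary typo.
SAMPLE_AUTH_LOG = [
    "Jun  2 03:14:01 psweb01 sshd[4121]: Failed password for root from 10.20.5.17 port 51022 ssh2",
    "Jun  2 03:14:02 psweb01 sshd[4123]: Failed password for invalid user oracle from 10.20.5.17 port 51024 ssh2",
    "Jun  2 03:14:03 psweb01 sshd[4125]: Failed password for psadm from 10.20.5.17 port 51026 ssh2",
    "Jun  2 03:14:04 psweb01 sshd[4127]: Failed password for invalid user admin from 10.20.5.17 port 51028 ssh2",
    "Jun  2 03:14:05 psweb01 sshd[4129]: Failed password for psadm2 from 10.20.5.17 port 51030 ssh2",
    "Jun  2 03:20:10 psweb01 sshd[4201]: Failed password for jsmith from 10.20.7.40 port 60002 ssh2",
    "Jun  2 03:20:40 psweb01 sshd[4203]: Accepted password for jsmith from 10.20.7.40 port 60004 ssh2",
]
```

Run `ssh_bruteforce_sources(SAMPLE_AUTH_LOG)` to see only 10.20.5.17 flagged with the five usernames it tried; the single failed attempt from 10.20.7.40 stays below the threshold.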

Source: The Hacker News
