ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
Publish Date: 2026-06-11 16:29:00
Source Domain: thehackernews.com
The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest.
Google’s Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.
The flaw, CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10. It needs no login and no user interaction, just network access over HTTP, to take over the server. If you run PeopleSoft with the Environment Management Hub reachable from outside, that is your exposure, and the immediate move is to lock those endpoints down.
The vulnerability sits in the Updates Environment Management component, the piece behind the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools 8.61 and 8.62 as affected and says earlier, unsupported versions are probably vulnerable too. It credits researchers from TrendAI Zero Day Initiative and TrendAI Research for the report.
Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild; Oracle has not said whether it has seen exploitation. Its advisory points to a patch availability document behind a support login, and whether a full fix is broadly available is unclear. For now, the guidance centers on mitigation.
The operational detail became public because the attackers left their own gear exposed. Researcher @nahamike01 publicly flagged the open directories. Mandiant then triaged five sequential IP addresses running Python’s SimpleHTTP server on port 8888. Those servers exposed the staging files: a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script.
The agents called home to a command-and-control…
