Nissan Americas Employee Data Breach Analysis: Oracle PeopleSoft Zero-Day (CVE-2026-35273) Exploitation and Supply Chain Risks – Rescana
Publish Date: 2026-06-30 04:48:00
Source Domain: www.rescana.com
Executive Summary
On June 25, 2026, Nissan Americas disclosed a data breach affecting current and former employees, linked to exploitation of a zero-day vulnerability in Oracle PeopleSoft software. The breach, which occurred between May 27 and June 9, 2026, was facilitated by attackers exploiting CVE-2026-35273, a critical Server-Side Request Forgery (SSRF) vulnerability in Oracle PeopleSoft PeopleTools. The incident resulted in unauthorized access to sensitive employee data, including contact information, banking details, Social Security numbers, and tax records. The ShinyHunters extortion group claimed responsibility, and technical analysis by Mandiant confirmed the use of the zero-day vulnerability. Nissan has engaged external cybersecurity experts, secured affected systems, and is working with Oracle to investigate and remediate the breach. The company is offering credit and dark web monitoring to affected individuals and has notified regulatory authorities as required. The breach underscores the risks associated with third-party enterprise software and has sector-wide implications for supply chain security and regulatory compliance.
Technical Information
The breach at Nissan Americas was enabled by exploitation of CVE-2026-35273, a critical SSRF vulnerability in Oracle PeopleSoft PeopleTools. This vulnerability allows unauthenticated remote code execution (RCE) via the Updates Environment Management component, with exploitation specifically targeting exposed /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints. Attackers conducted automated scanning to identify vulnerable endpoints and exploited them to gain initial access.
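For defenders reviewing their own exposure, the following is an added example, not code from the Rescana report, Mandiant or Oracle: a Python filter that flags web access log requests from non-internal sources to the two endpoint prefixes named above, after undoing common path variations. The log format, the internal address ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint prefixes named in the article, lower-cased for comparison.
WATCHED = ("/psemhub", "/psigw/httplisteningconnector")
# Assumption: sources inside these ranges are internal; adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: Common/Combined Log Format with the client IP as the first field.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(target):
    """Canonicalise a request target so encoded or padded variants still match."""
    path = target.split("?", 1)[0]           # drop the query string
    for _ in range(2):                       # single and double percent-encoding
        path = unquote(path)
    path = re.sub(r";[^/]*", "", path)       # strip ;param path parameters
    path = re.sub(r"/+", "/", path)          # collapse repeated slashes
    return posixpath.normpath(path).lower()  # resolve ./ and ../ segments

def is_watched(path):
    return any(path == w or path.startswith(w + "/") for w in WATCHED)

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                          # unparseable client field: review it
    return not any(addr in net for net in INTERNAL)

def triage(lines):
    """Return {source_ip: [(timestamp, method, normalised_path, status), ...]}."""
    hits = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, lines)):
        ip, ts, method, target, status = m.groups()
        path = normalize(target)
        if is_watched(path) and is_external(ip):
            hits[ip].append((ts, method, path, int(status)))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not data from the incident.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:02:14:09 +0000] "POST /PSEMHUB/x HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/May/2026:02:14:11 +0000] "GET /psigw/%48ttpListeningConnector?op=1 HTTP/1.1" 200 87',
    '198.51.100.23 - - [29/May/2026:11:02:40 +0000] "GET //PSIGW/./HttpListeningConnector;v=1 HTTP/1.1" 404 0',
    '10.20.30.40 - - [29/May/2026:11:05:00 +0000] "GET /PSEMHUB/x HTTP/1.1" 200 512',
]
```

Hits grouped per source address, together with the response status, show which exposed endpoints answered and give the time window to pivot on in host and proxy logs.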
Once inside, the attackers deployed MeshCentral, a legitimate open-source remote management tool, to maintain persistent access. The MeshCentral agents were disguised as Microsoft Azure services to evade detection. No custom malware was identified in public reporting; persistence was achieved primarily through MeshCentral.
The attack chain mapped to…