Loading...
INITIAL ACCESS · T1190 U. of Nottingham454,600 records · HIBP-indexed Wynn Resorts800,000 (attacker-claimed) Kodak2.2M (claimed) · "limited" Council of Europe297 GB published · 10k+ staffShinyHuntersMandiant: UNC6240 CVE-2026-35273CVSS 9.8 CRITICALCOMPROMISEDOracle PeopleSoft PeopleTools 8.61/8.62Unauth SSRF → XMLDecoder RCEACTIVE CAMPAIGNShinyHunters × Oracle PeopleSoft — Zero-Day Data Theft & Extortion29 June 2026
Executive Summary

A criminal extortion group known as ShinyHunters exploited a previously-unknown flaw in Oracle PeopleSoft — enterprise software widely used for HR, finance, payroll and records systems — to break into 100+ organisations between late May and early June 2026, steal sensitive data, and publish it online under a "pay-or-leak" model. The flaw allowed full remote takeover of the server without any login. Oracle released an emergency fix on 10 June 2026, but data already stolen cannot be recovered, and the campaign is ongoing.

Bottom line: If your organisation — or any of your vendors/partners — ran internet-facing Oracle PeopleSoft that wasn't patched before 10 June, treat it as potentially compromised.

Oracle PeopleSoft CVE-2026-35273 CVSS 9.8 ShinyHunters / UNC6240 Zero-Day Exploitation Higher Education T1190 – Exploit Public-Facing App T1219 – Remote Access Tools T1657 – Financial Extortion
CAMPAIGN — BY THE NUMBERS
100+
Organisations Notified
300
Instances Claimed ⚠️
68%
Higher Education
454K
Nottingham Records
297GB
Council of Europe Data
14 days
Zero-Day Window

Briefing

Are you exposed?

EXPOSURE CHECKLIST
1
Do you run Oracle PeopleSoft (PeopleTools 8.61 / 8.62)?
If it was internet-facing and unpatched before 10 June → high risk. Engage your security team immediately — patching alone is insufficient if the system was already reachable.
2
Do your vendors or suppliers use PeopleSoft?
Especially relevant for banks with large supplier ecosystems — a breached vendor can expose your data. Ask key vendors whether they were affected and have patched.
!
Sector note
About two-thirds of confirmed victims are universities, but the flaw affects any PeopleSoft user — finance, government, enterprise included.

Risk

Risk AreaDetail
Data exposure Confirmed leaks include names, addresses, DOB, passport numbers, ethnicity, disability data, and financial/payroll records.
Regulatory Breach-notification duties apply: UK/EU GDPR, US state laws, SEC Form 8-K materiality for listed firms.
Third-party / supply-chain Data shared with an affected vendor may now be exposed — assess key supplier relationships.
Fraud & phishing Stolen personal data (incl. passport numbers) enables convincing, targeted scams against staff and customers.

Confirmed impact

OrganisationStatusVolume
University of Nottingham ✅ Confirmed + data published ~454,600 people — incl. passport numbers, ethnicity, disability data
Council of Europe ✅ Confirmed — investigating 297 GB published, 10,000+ staff & contractors
Kodak ✅ Confirmed (limited) Company data — "no threat to operations" (org statement)
Wynn Resorts ⚠️ Attacker-claimed ~800,000 records

Attackers claim ~300 systems across 100+ organisations; most are not yet named — expect further disclosures.

Incident timeline

CVE-2026-35273 / ShinyHunters — Incident Timeline (2026) May 27 Zero-dayexploitation Jun 9 Data publishedon DLS Jun 10 Oracle OOB patchNottingham notifies Jun 11 Mandiant GTIGreport Jun 12 CISA KEVadded Jun 15 FCEB remediationdeadline Jun 22 Coverage /victim outreach Attack / Breach Response / Defence Ongoing

Sectors affected

Notified Orgs by Sector — Mandiant, 100+ organisations 100+orgsHigher Education68%of notified organisationsOther Sectors32%Finance / Govt / Enterprise

Confirmed impact scale

ShinyHunters PeopleSoft — Victim ImpactRed = confirmed breach | Orange = attacker-claimed Kodak2.2M claimed — org: "limited"2,200,000⚠ attacker-claimedWynn Resortsattacker-claimed800,000⚠ attacker-claimedU. of Nottinghamconfirmed • published454,600✓ HIBP-indexed • 15 data classesCouncil of Europeconfirmed • 297 GB published10,000+✓ 10k+ staff+contractors • 297 GBConfirmed breachAttacker-claimed

What you should do

BUSINESS / MANAGEMENT ACTIONS
1
Identify any Oracle PeopleSoft in your environment
Confirm the Oracle emergency fix (10 June 2026) has been applied. If uncertain, treat as unpatched.
2
Assume-breach for any pre-patch internet-exposed instance
Engage your security / IR team. Patching alone is not enough — the system may have already been accessed during the zero-day window (27 May – 10 Jun).
3
Question key vendors
Do they use PeopleSoft? Were they affected? Have they patched? This is standard supply-chain due diligence.
4
Ready your notification & communication plans
If personal data may be involved, regulatory-notification obligations (GDPR, state laws, SEC) may apply. Begin assessment now.
!
Warn staff about targeted phishing
Stolen personal data (incl. passport numbers, home addresses) enables convincing spear-phishing. Alert staff not to trust unexpected emails — even those that contain accurate personal details.

Current status

Patched by Oracle (10 June 2026) — apply urgently if not already done.

⚠️ Stolen data already published — data that was exfiltrated cannot be recovered.

🔴 Campaign ongoing — public exploit code now exists, so broader opportunistic attacks are likely beyond the original actor.

Your security team should act on the Technical Annex below. All IOCs, detection rules and remediation guidance are in Part 2.


Technical Annex (for security / SOC teams)

Vulnerability — CVE-2026-35273

AttributeValue
Type Unauthenticated SSRF → RCE (CWE-918; CISA KEV: "Missing Authentication for Critical Function")
CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Component Updates Environment Management / Environment Management Hub (PSEMHUB)
Affected PeopleSoft Enterprise PeopleTools 8.61, 8.62 (older unsupported versions likely also affected)
Patched Oracle out-of-band advisory + patch, 10 June 2026
CISA KEV Added 12 June 2026 — BOD 26-04 federal deadline 15 June

How it works (brief)

An unauthenticated POST to the public integration gateway (/PSIGW/HttpListeningConnector) is abused via server-side request forgery to reach an internal management endpoint (/PSEMHUB/hub), where a planted Java XMLDecoder payload executes as a high-privilege account (SYSTEM / psadm2) on the next service restart — no authentication required.

Attack chain

Attack Chain — CVE-2026-35273 (MITRE ATT&CK)01T1190Initial AccessPOST /PSIGW/HttpListeningConnectorSSRF → CWE-918 02Pivot→ internal /PSEMHUB/hub 03T1059ExecutionXMLDecoder deserializationRCE as SYSTEM / psadm2 04T1505Persistenceenvmetadata/*.xml+ .jsp webshell (WebLogic) 05T1219C2 / ToolingMeshCentral as "Azure"azurenetfiles[.]net:443 06T1082Discoverypsappsrv.cfg · WebLogic config.xml 07T1021Lateral Movementfanout.sh SSH spray+ SMB/445 NetNTLM capture 08T1560Collection / Exfilzstd-compressed archive 09T1657Impact / ExtortionREADME-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXTDLS publish (Jun 9)

Indicators of Compromise

File hashes (SHA-256)

FileSHA-256Notes
meshagent64-azure-ops.exe f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc MeshCentral C2 agent — Windows x64
meshagent32-azure-ops.exe c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f MeshCentral C2 agent — Windows x86
meshagent64-v2.exe d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f MeshCentral C2 agent — Windows x64 v2
meshagent (Linux) 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 MeshCentral C2 agent — Linux
.bash_history 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 Attacker command history artifact

Network IOCs

IndicatorValue
C2 domain azurenetfiles[.]net — mimics Azure NetApp Files; TLS cert issued 2026-05-27
C2 connection string wss://azurenetfiles[.]net:443/agent.ashx
C2 / staging IPs 142.11.200.186–190 (Hostwinds, Dallas TX)
DLS clearnet mirror 176.120.22[.]24
Lateral movement Anomalous outbound SMB TCP 445 to external hosts (NetNTLM capture)

Host artifacts

ArtifactLocation / Notes
Extortion marker README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT — deployed to webserv/CSPRD, appserv/prcs
Persistence (XMLDecoder) <docroot>/envmetadata/data/environment/*.xml — recently created/modified XML files
Webshell Unexpected .jsp files in WebLogic application directories / under PSEMHUB.war/
Lateral movement script [victim]_fanout.sh in /tmp — SSH password spray against internal hosts
Recon targets psappsrv.cfg, WebLogic config.xml

Detection & hunting

Hunt Queries — PIA WebLogic Access Logs

Alert on POST /PSEMHUB/hub and POST /PSIGW/HttpListeningConnector from external IPs. Look for SSRF/loopback values (127.0.0.1, localhost, ::1) in request parameters.

Monitor outbound SMB (TCP 445) from PeopleSoft servers to untrusted external destinations. Vendor IPS/IDS signatures exist for this CVE and are available via standard threat-intelligence feeds.

Remediation checklist

REMEDIATION — PRIORITY ORDER
1
Apply Oracle's 10 June patch on an emergency basis
Do not wait for the regular patch cycle. This is an unauth RCE — treat as a fire drill.
2
Threat-hunt any pre-patch internet-exposed instance
Don't just patch — assume compromise for any system reachable during the zero-day window. Hunt the IOCs above before declaring clean.
3
Block the exploit endpoints at the perimeter
Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector. Disable the EMHub service (multi-server) or remove the PSEMHUB application (single-server) where feasible.
4
Rotate credentials reachable from affected hosts
Rotate DB credentials, service accounts, and integrations. Revoke active sessions. Check for stolen credentials re-used elsewhere.
5
Trigger regulatory-notification assessment
If personal data was or may have been involved, legal counsel and DPO should assess breach-notification obligations (GDPR, state laws, SEC Form 8-K).

Official statements

PartyStatement
Oracle "Remotely exploitable without authentication… may result in remote code execution… strongly recommends immediate action." (Security Alert, 10 Jun 2026)
CISA Added to KEV 12 Jun under BOD 26-04 — "Missing Authentication for Critical Function." FCEB deadline 15 Jun.
University of Nottingham Emailed affected students/alumni 10 Jun confirming Campus Solutions platform was "unlawfully accessed."
Kodak "Unauthorized third party temporarily accessed a limited amount of company data… no threat to systems or operations."
Council of Europe Acknowledged it is investigating the ShinyHunters claims.

References (authoritative)