A criminal extortion group known as ShinyHunters exploited a previously-unknown flaw in Oracle PeopleSoft — enterprise software widely used for HR, finance, payroll and records systems — to break into 100+ organisations between late May and early June 2026, steal sensitive data, and publish it online under a "pay-or-leak" model. The flaw allowed full remote takeover of the server without any login. Oracle released an emergency fix on 10 June 2026, but data already stolen cannot be recovered, and the campaign is ongoing.
Bottom line: If your organisation — or any of your vendors/partners — ran internet-facing Oracle PeopleSoft that wasn't patched before 10 June, treat it as potentially compromised.
| Risk Area | Detail |
|---|---|
| Data exposure | Confirmed leaks include names, addresses, DOB, passport numbers, ethnicity, disability data, and financial/payroll records. |
| Regulatory | Breach-notification duties apply: UK/EU GDPR, US state laws, SEC Form 8-K materiality for listed firms. |
| Third-party / supply-chain | Data shared with an affected vendor may now be exposed — assess key supplier relationships. |
| Fraud & phishing | Stolen personal data (incl. passport numbers) enables convincing, targeted scams against staff and customers. |
| Organisation | Status | Volume |
|---|---|---|
| University of Nottingham | ✅ Confirmed + data published | ~454,600 people — incl. passport numbers, ethnicity, disability data |
| Council of Europe | ✅ Confirmed — investigating | 297 GB published, 10,000+ staff & contractors |
| Kodak | ✅ Confirmed (limited) | Company data — "no threat to operations" (org statement) |
| Wynn Resorts | ⚠️ Attacker-claimed | ~800,000 records |
Attackers claim ~300 systems across 100+ organisations; most are not yet named — expect further disclosures.
✅ Patched by Oracle (10 June 2026) — apply urgently if not already done.
⚠️ Stolen data already published — data that was exfiltrated cannot be recovered.
🔴 Campaign ongoing — public exploit code now exists, so broader opportunistic attacks are likely beyond the original actor.
Your security team should act on the Technical Annex below. All IOCs, detection rules and remediation guidance are in Part 2.
| Attribute | Value |
|---|---|
| Type | Unauthenticated SSRF → RCE (CWE-918; CISA KEV: "Missing Authentication for Critical Function") |
| CVSS | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Component | Updates Environment Management / Environment Management Hub (PSEMHUB) |
| Affected | PeopleSoft Enterprise PeopleTools 8.61, 8.62 (older unsupported versions likely also affected) |
| Patched | Oracle out-of-band advisory + patch, 10 June 2026 |
| CISA KEV | Added 12 June 2026 — BOD 26-04 federal deadline 15 June |
An unauthenticated POST to the public integration gateway (/PSIGW/HttpListeningConnector) is abused via server-side request forgery to reach an internal management endpoint (/PSEMHUB/hub), where a planted Java XMLDecoder payload executes as a high-privilege account (SYSTEM / psadm2) on the next service restart — no authentication required.
| File | SHA-256 | Notes |
|---|---|---|
meshagent64-azure-ops.exe |
f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc |
MeshCentral C2 agent — Windows x64 |
meshagent32-azure-ops.exe |
c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f |
MeshCentral C2 agent — Windows x86 |
meshagent64-v2.exe |
d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f |
MeshCentral C2 agent — Windows x64 v2 |
meshagent (Linux) |
68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 |
MeshCentral C2 agent — Linux |
.bash_history |
2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 |
Attacker command history artifact |
| Indicator | Value |
|---|---|
| C2 domain | azurenetfiles[.]net — mimics Azure NetApp Files; TLS cert issued 2026-05-27 |
| C2 connection string | wss://azurenetfiles[.]net:443/agent.ashx |
| C2 / staging IPs | 142.11.200.186–190 (Hostwinds, Dallas TX) |
| DLS clearnet mirror | 176.120.22[.]24 |
| Lateral movement | Anomalous outbound SMB TCP 445 to external hosts (NetNTLM capture) |
| Artifact | Location / Notes |
|---|---|
| Extortion marker | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT — deployed to webserv/CSPRD, appserv/prcs |
| Persistence (XMLDecoder) | <docroot>/envmetadata/data/environment/*.xml — recently created/modified XML files |
| Webshell | Unexpected .jsp files in WebLogic application directories / under PSEMHUB.war/ |
| Lateral movement script | [victim]_fanout.sh in /tmp — SSH password spray against internal hosts |
| Recon targets | psappsrv.cfg, WebLogic config.xml |
Alert on POST /PSEMHUB/hub and POST /PSIGW/HttpListeningConnector from external IPs. Look for SSRF/loopback values (127.0.0.1, localhost, ::1) in request parameters.
Monitor outbound SMB (TCP 445) from PeopleSoft servers to untrusted external destinations. Vendor IPS/IDS signatures exist for this CVE and are available via standard threat-intelligence feeds.
/PSEMHUB/* and /PSIGW/HttpListeningConnector. Disable the EMHub service (multi-server) or remove the PSEMHUB application (single-server) where feasible.| Party | Statement |
|---|---|
| Oracle | "Remotely exploitable without authentication… may result in remote code execution… strongly recommends immediate action." (Security Alert, 10 Jun 2026) |
| CISA | Added to KEV 12 Jun under BOD 26-04 — "Missing Authentication for Critical Function." FCEB deadline 15 Jun. |
| University of Nottingham | Emailed affected students/alumni 10 Jun confirming Campus Solutions platform was "unlawfully accessed." |
| Kodak | "Unauthorized third party temporarily accessed a limited amount of company data… no threat to systems or operations." |
| Council of Europe | Acknowledged it is investigating the ShinyHunters claims. |