CRITICAL: ShinyHunters Burn Oracle PeopleSoft Zero-Day to Loot Universities (CVE-2026-35273)
ShinyHunters spent two weeks ransacking universities through an unauthenticated RCE in Oracle PeopleSoft's Environment Management Hub. CVE-2026-35273 carries a CVSS of 9.8, hit 100-plus orgs including the University of Nottingham, and Oracle only published a patch on June 10 after the campaign was already done.
Pour one out for whichever Oracle product manager thought the PeopleSoft Environment Management Hub was a low-risk component. It was, until ShinyHunters spent two weeks ransacking universities through it while no patch existed.
ShinyHunters, the extortion crew that has made a hobby of turning enterprise data into ransom notes, exploited an unauthenticated remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools between May 27 and June 9, 2026. Oracle did not get an advisory out the door until June 10, which means the bug was a working, weaponized zero-day for roughly two weeks while Google's Mandiant team watched at least 100 organizations get pried open. The vulnerability now tracked as CVE-2026-35273 carries a CVSS score of 9.8 and lets any attacker with HTTP reachability to the PSEMHUB component run code as the application user. No login. No phishing. No social engineering. Just a POST request to a URL that should never have been exposed to the internet in the first place.
About two-thirds of the confirmed victims are universities, which makes a brutal kind of sense. Higher education runs PeopleSoft for student information, payroll, financial aid, admissions, and HR. It is the database of record for tens of thousands of human beings per campus, complete with addresses, passport numbers, financial information, and the kind of identity data that sits at the bottom of a darknet sale for years. Mandiant tracks the campaign as UNC6240 and confirmed the cluster overlaps with ShinyHunters' established pattern of breach, exfiltrate, and extort. The group has been on a tear for over a year, and their recent run through Snowflake customers in 2024 should have been the wake-up call. Apparently the snooze button still works.
The technical picture is uglier the closer you look. The flaw lives in the Environment Management Hub, an internal-facing diagnostic and update component meant to manage configuration drift across PeopleSoft environments. Endpoints under /PSEMHUB/hub and the long-suffering /PSIGW/HttpListeningConnector handle requests without requiring authentication, and a malformed payload to those endpoints lets the attacker drop arbitrary files and trigger code execution on the underlying WebLogic server. Affected versions include PeopleTools 8.61 and 8.62, and earlier unsupported releases are almost certainly vulnerable as well, because the underlying code path has not changed in years. If you are running anything older than 8.61, you are not patching, you are migrating.
What ShinyHunters did with the foothold was not subtle, but it was effective. Once the group landed on a vulnerable server, they deployed custom MeshCentral remote management agents to maintain persistence under the guise of legitimate admin tooling. From there they ran lateral movement scripts with hardcoded credentials harvested from PeopleSoft application server configuration files, where database passwords and integration broker tokens have a depressing habit of living in plaintext. A shell script researchers recovered, helpfully named uon_fanout.sh, spread defacement markers across infrastructure while siphoning credentials out the back door. Then the crew staged exfiltration with zstd compression, which compresses faster and tighter than gzip and leaves a smaller window for detection in egress monitoring tools that are still tuned for the gzip and zip files of yesteryear.
The University of Nottingham is the public face of the carnage so far. ShinyHunters dumped roughly 40 gigabytes of data containing 455,000 unique email addresses tied to students and staff, plus the full bouquet of personally identifiable information that universities are legally required to collect and apparently not legally required to protect. Names, addresses, phone numbers, passport numbers, ethnicity records, and disability information. The kind of leak that ends careers in the IT department, generates years of regulatory pain under UK GDPR, and gives every student a permanent presence on credential stuffing wordlists. Nottingham is just the first victim ShinyHunters chose to publicly burn. The other ninety-plus organizations Mandiant has notified are presumably in some stage of denial, panic, or active negotiation.
Oracle's June 10 advisory ships under the standard Security Alert program, which is Oracle-speak for "we broke the rules of our quarterly patch cycle because the building is on fire." Patches are linked from the advisory but live behind the Oracle Support portal, accessible only to customers with active accounts, which has caused predictable confusion for the smaller universities and state agencies that may not have a current support contract for their PeopleTools deployment. Translation: if you cannot pull the patch right now, you need to mitigate at the perimeter immediately, because proof-of-concept code is in the wild and unaffiliated opportunists are now joining the party.
The fastest mitigation is the most aggressive one. Disable the Environment Management Hub service entirely. In multi-server PeopleSoft deployments this means stopping the EMHub service in PSADMIN. In single-server setups, you can remove the PSEMHUB application from the WebLogic configuration. If your operational situation will not let you turn the component off, restrict access to the /PSEMHUB/ and /PSIGW/HttpListeningConnector paths at the firewall or reverse proxy level so that only trusted internal hosts can reach those endpoints. There is no scenario in 2026 where PSEMHUB needs to be accessible from the open internet, and if your architecture says otherwise, your architecture is the vulnerability.
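One way to apply the path restriction above at a reverse proxy, as an added example rather than Oracle's or this article's own configuration: an nginx server block in front of the PeopleSoft web tier, with the weak catch-all left in as a comment beside the corrected allowlist. The upstream address, the hostname and the 10.0.0.0/8 admin range are assumptions; substitute your own.

```nginx
# Added example, not Oracle's or the article's own config. Upstream address,
# hostname and the 10.0.0.0/8 management range are assumptions.
upstream peoplesoft_web {
    server 10.0.5.10:8000;        # assumed WebLogic PIA host
}

server {
    listen 443 ssl;
    server_name hr.example.edu;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Weak setting (the one most exposed deployments are running): a single
    # catch-all forwards every path, PSEMHUB and the gateway listener included.
    # location / {
    #     proxy_pass http://peoplesoft_web;
    # }

    # Corrected: "^~" prefix locations for the two paths named in the advisory
    # win over the catch-all below; allow/deny runs before proxy_pass, so an
    # external client gets 403 and nothing is forwarded to WebLogic.
    location ^~ /PSEMHUB {
        allow 10.0.0.0/8;         # assumed internal management range
        deny  all;
        proxy_pass http://peoplesoft_web;
    }

    location ^~ /PSIGW/HttpListeningConnector {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://peoplesoft_web;
    }

    # Everything else (normal PIA sign-on traffic) still flows through.
    location / {
        proxy_pass http://peoplesoft_web;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two caveats. nginx resolves `..` segments before location matching and the prefix form without a trailing slash covers both `/PSEMHUB` and `/PSEMHUB/hub`, but prefix matching is case-sensitive, so if your WebLogic deployment answers mixed-case variants of the path you need an additional case-insensitive regex location or, better, the application-level fix. Treat this as a stopgap for servers you cannot patch or turn off this week, not as a reason to leave the hub running.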
Detection is the next priority, because if you were running an exposed PSEMHUB on May 27, you should assume you are already in scope. Hunt for external POST requests to PSEMHUB endpoints in WebLogic access logs, particularly anything from non-corporate source addresses or commercial VPN ranges. Look for unexpected .jsp files anywhere under the PSEMHUB directory tree, since the attackers used file drops to land their webshells. Examine recently modified .xml files under envmetadata paths, where the configuration management framework lives. Watch outbound traffic on TCP 445 for SMB connections that should not exist, and check for MeshCentral installations or processes you did not deploy yourself. The Mandiant indicators include domains, file hashes, and command and control infrastructure that you should pull into your detection stack as soon as the threat intel feeds publish them.
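The two log and file hunts above, implemented as an added example (not tooling from Mandiant, Oracle or this article): it parses WebLogic access log lines in common log format, flags POSTs to the PSEMHUB and HttpListeningConnector paths from addresses outside assumed internal ranges, and walks a file tree for `.jsp` files under a `PSEMHUB` directory and recently modified `.xml` files under `envmetadata`. The log lines, the directory layout and the RFC 1918 ranges used as "internal" are constructed assumptions.

```python
"""Added example, not from the article, Oracle or Mandiant: hunt WebLogic access
logs and the PeopleSoft file tree for the activity described above. Log format,
directory layout and the internal address ranges are assumptions."""
import ipaddress
import os
import re
import tempfile
import time
from pathlib import Path

# Paths the advisory names as reachable without authentication.
WATCHED_PREFIXES = ("/PSEMHUB", "/PSIGW/HttpListeningConnector")
_WATCHED_UPPER = tuple(p.upper() for p in WATCHED_PREFIXES)

# Assumed trusted ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# WebLogic's default HTTP access log is common log format:
#   host - - [timestamp] "METHOD path PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log lines (documentation-range addresses, not real IoCs).
SAMPLE_LOG = """\
10.20.1.5 - - [28/May/2026:09:12:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 4821
203.0.113.44 - - [28/May/2026:09:13:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.1.9 - - [28/May/2026:09:14:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
198.51.100.7 - - [29/May/2026:22:01:13 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0
203.0.113.44 - - [29/May/2026:22:05:50 +0000] "GET /PSEMHUB/hub HTTP/1.1" 403 0
""".splitlines()


def is_external(addr: str) -> bool:
    """True for any source address outside INTERNAL_NETS (or unparsable)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True            # garbage in the source field is itself suspicious
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_requests(lines):
    """Return (src, path, status) for POSTs to watched paths from external IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Strip the query string and fold case so a mixed-case probe does not
        # slip past the prefix check.
        path = m["path"].split("?", 1)[0]
        if (m["method"] == "POST"
                and path.upper().startswith(_WATCHED_UPPER)
                and is_external(m["src"])):
            hits.append((m["src"], path, int(m["status"])))
    return hits


def suspicious_files(root, max_age_days=14, now=None):
    """Return .jsp files under any PSEMHUB directory and .xml files under any
    envmetadata directory modified within max_age_days, as (kind, relpath)."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if "PSEMHUB" in p.parts and p.suffix.lower() == ".jsp":
            findings.append(("jsp-under-psemhub", rel))
        elif ("envmetadata" in p.parts and p.suffix.lower() == ".xml"
                and p.stat().st_mtime >= cutoff):
            findings.append(("recent-envmetadata-xml", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout for the demo; not a real PeopleSoft install."""
    root = Path(root)
    files = {
        "webserv/peoplesoft/applications/peoplesoft/PSEMHUB/hub/index.html": "ok",
        "webserv/peoplesoft/applications/peoplesoft/PSEMHUB/dropped.jsp": "<% %>",
        "PS_CFG_HOME/envmetadata/data/site.xml": "<env/>",
        "PS_CFG_HOME/envmetadata/old.xml": "<env/>",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    stale = time.time() - 60 * 86400          # old.xml: untouched for 60 days
    os.utime(root / "PS_CFG_HOME/envmetadata/old.xml", (stale, stale))
    return root


def demo():
    """Run both hunts over the constructed data and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        files = suspicious_files(tmp)
    return suspicious_requests(SAMPLE_LOG), files


if __name__ == "__main__":
    hits, files = demo()
    for h in hits:
        print("log hit:", *h)
    for f in files:
        print("file hit:", *f)
```

Point `suspicious_requests` at your real access log and `suspicious_files` at the PIA install and PS_CFG_HOME; the internal POST from 10.20.1.9 in the sample is deliberately not flagged, which is also the reminder that an attacker already inside the network will not show up in this hunt.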
There is a broader lesson here that I keep watching organizations refuse to learn. ERP systems are not boring legacy boxes that you patch on a sleepy schedule. They are the data crown jewels for any institution that runs one, and attackers have noticed. PeopleSoft, SAP, Workday, Oracle EBS, all of them carry identity data and financial pipes that make them worth zero-day budgets. The "we don't expose it to the internet" defense usually turns out to mean "we exposed it to the internet years ago and forgot." Run an external scan against your own perimeter today and find out what your PeopleSoft footprint actually looks like, because ShinyHunters did, and they liked what they saw.
For the MSPs and security teams reading this, the sales conversation writes itself. Any client running PeopleSoft, especially in higher education, healthcare, or state and local government, needs an emergency exposure assessment this week and a managed detection and response uplift behind it. External attack surface management is the wedge product, internal segmentation review is the follow-on, and dark web monitoring for stolen credentials is the recurring revenue. If you have university or community college prospects you have been nurturing for months, this is the week to call them, because their CISO is currently explaining what an extortion group is to a board of trustees who would rather be approving a new athletics budget.
References
- The Hacker News: ShinyHunters Exploits Oracle PeopleSoft Zero-Day
https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
- Help Net Security: Oracle PeopleSoft under attack
https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/
- The Register: ShinyHunters hit 100+ orgs via PeopleSoft 0-day
https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443
- Hackread: ShinyHunters Target Universities
https://hackread.com/shinyhunters-universities-oracle-peoplesoft-zero-day-attack/
- NVD CVE-2026-35273
https://nvd.nist.gov/vuln/detail/CVE-2026-35273