CRITICAL: Oracle PeopleSoft Zero-Day CVE-2026-35273 Powers ShinyHunters Spree Across 100+ Universities
ShinyHunters used an unauthenticated remote code execution flaw in Oracle PeopleSoft PeopleTools (CVE-2026-35273, CVSS 9.8) as a zero-day from May 27 through June 9, compromising the University of Nottingham and PeopleSoft instances at more than a hundred other organizations, most of them universities, before Oracle published an out-of-band advisory on June 10.
If you ever wondered what happens when a critical Oracle bug sits unpatched for two weeks while a financially motivated extortion crew holds the exploit, the answer is playing out right now across more than a hundred universities. Oracle pushed an out-of-band advisory on June 10 for CVE-2026-35273, a CVSS 9.8 remote code execution flaw in PeopleSoft PeopleTools that ShinyHunters had been quietly exploiting since at least May 27. The instinct is to drop everything and patch, except that for many customers there is no patch to apply yet. Until there is, the work is disabling the vulnerable component and putting network controls in place while Oracle sorts out distribution.
The vulnerability lives in the Environment Management Hub, the often-forgotten PSEMHUB web application bundled with PeopleTools to coordinate environment metadata across multi-server PeopleSoft deployments. PeopleTools 8.61 and 8.62 are confirmed vulnerable, and Oracle notes that earlier, unsupported releases are likely vulnerable too, which in practice means that if you are on an older version you should assume you are exposed and treat the instance as a hunting target rather than wait for confirmation. The flaw is reachable over HTTP without authentication, requires no user interaction, and gives the attacker code execution on the PeopleSoft web server. Researchers from TrendAI are credited with the discovery, though by the time Oracle wrote the advisory, Mandiant was already responding to live intrusions.
Mandiant tracks the operator as UNC6240, better known as ShinyHunters. The group has spent years combining vishing, stolen OAuth tokens and weak SaaS access controls into a profitable data extortion business, and this campaign marks a shift into server-side exploitation rather than credential theft alone. Between May 27 and June 9, ShinyHunters hit more than three hundred vulnerable PeopleSoft instances across more than one hundred organizations that Mandiant proactively notified. Sixty-eight percent of those targets were higher education institutions, most of them in the United States. Some caught the activity in flight and contained it. Others ended up on the ShinyHunters data leak site.
The first publicly named victim is the University of Nottingham, which had roughly 455,000 unique email addresses pulled along with names, postal addresses, phone numbers, passport numbers, and demographic details including ethnicity and disability information. That is the kind of data that fuels identity fraud for years and creates compliance obligations under UK data protection law as well as any US state breach notification statute that applies to affected American students. Other victims have not been publicly confirmed, but if you run PeopleSoft and have not reviewed your logs back to at least May 27, you are flying blind.
The attack chain reads like a textbook on how to monetize an unauthenticated RCE without making too much noise. Initial access comes through HTTP POST requests to the PSEMHUB endpoint, specifically /PSEMHUB/hub, and to the related /PSIGW/HttpListeningConnector path on the Integration Gateway. Once code execution is achieved, the attackers stage MeshCentral agents under names like meshagent64-azure-ops.exe and meshagent32-azure-ops.exe, configured to call home to wss://azurenetfiles.net:443/agent.ashx. The domain is a deliberate imitation of Microsoft Azure NetApp Files, chosen to slip past analysts doing quick visual triage of outbound connections. Staging infrastructure runs on a contiguous block of addresses from 142.11.200.186 through 142.11.200.190, serving payloads from Python SimpleHTTP listeners on port 8888.
After establishing remote access via MeshCentral, the operators move to internal reconnaissance, using the meshctrl.js utility to enumerate hostnames, parse /etc/hosts for adjacent PeopleSoft nodes, dump psappsrv.cfg configuration values, and map NFS mounts. Lateral movement runs through a custom shell script named with the victim abbreviation followed by _fanout.sh. The script parses /etc/hosts for internal PeopleSoft node name patterns, then uses sshpass to spray a hardcoded list of usernames and passwords against the discovered hosts with StrictHostKeyChecking disabled. Because the spray originates from an already-compromised PeopleSoft node, the source address in the sshd logs of neighbouring hosts is an internal peer, so a hunt that exempts internal ranges will miss it. When a credential combination works, the script writes a defacement file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into three predictable PeopleSoft directories on each compromised node, namely the CSPRD and CSPRD02 web server paths and the appserv/prcs process scheduler path. Subtle it is not, but it does not need to be once the data is already moving.
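One way to hunt for that fanout pattern on the Linux PeopleSoft nodes themselves is to look in the sshd log for a single peer failing password authentication for several different usernames in a short burst, then check whether the same peer got an Accepted line afterwards. The script below is an added example written for this article, not tooling from Mandiant, Oracle or the attackers; the log lines, hostnames, usernames and 10.20.x.x addresses are constructed, and the 60-second window and three-username threshold are assumptions to tune against your own baseline.

```python
"""Hunt sshd logs on Linux PeopleSoft nodes for the credential-spray pattern
of the _fanout.sh script described above: one peer trying many usernames in a
short burst, possibly followed by a success."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/secure style sample (syslog sshd format); hosts, users
# and addresses are made up, not data from any real incident.
SAMPLE_AUTH_LOG = """\
Jun  3 02:14:07 psapp02 sshd[4181]: Failed password for invalid user oracle from 10.20.1.11 port 51320 ssh2
Jun  3 02:14:09 psapp02 sshd[4183]: Failed password for psadm2 from 10.20.1.11 port 51324 ssh2
Jun  3 02:14:11 psapp02 sshd[4185]: Failed password for invalid user weblogic from 10.20.1.11 port 51330 ssh2
Jun  3 02:14:13 psapp02 sshd[4187]: Failed password for root from 10.20.1.11 port 51336 ssh2
Jun  3 02:14:15 psapp02 sshd[4189]: Accepted password for psadm2 from 10.20.1.11 port 51340 ssh2
Jun  3 09:30:00 psapp02 sshd[5012]: Failed password for psadm2 from 10.20.1.50 port 40000 ssh2
Jun  3 09:31:00 psapp02 sshd[5013]: Failed password for psadm2 from 10.20.1.50 port 40001 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_sshd_line(line, year):
    """Parse one sshd password-auth line; syslog timestamps carry no year, so it is supplied."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_spray(log_text, year=2026, window_seconds=60, min_distinct_users=3):
    """Flag source addresses that fail for >= min_distinct_users distinct
    usernames inside any window_seconds window. Returns {src: summary}.

    Internal sources are deliberately NOT exempted: in this campaign the
    spraying host is a PeopleSoft node that was already compromised.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_sshd_line(line, year)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        best, start = 0, 0
        for end in range(len(failures)):  # sliding window over failures only
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({e["user"] for e in failures[start:end + 1]}))
        if best >= min_distinct_users:
            accepted = sorted({e["user"] for e in events if e["result"] == "Accepted"})
            findings[src] = {
                "distinct_users_in_window": best,
                "failures": len(failures),
                "accepted_users": accepted,  # non-empty means the spray likely landed
                "first": failures[0]["ts"].isoformat(),
                "last": events[-1]["ts"].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

In the constructed sample only 10.20.1.11 is flagged: four usernames in six seconds followed by a successful login as psadm2, which is exactly the point at which you would expect the README defacement file to appear in the CSPRD, CSPRD02 and appserv/prcs directories on that host. The slow, single-username failures from 10.20.1.50 stay below the threshold.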
Exfiltration uses zstd compression in multi-threaded mode with pv for progress monitoring, and the resulting tarballs are streamed over SSH to 176.120.22.24, a public mirror of the ShinyHunters data leak site. The Nottingham data appeared on that site on June 9, which is also the day the active exploitation window ended and, conveniently, the day before Oracle finally went public. That timing is no coincidence. Mandiant notified victims and Oracle in parallel, the leak announcement forced public disclosure, and Oracle pushed the advisory outside its normal quarterly cycle.
Detection should start with the obvious. Pull your WebLogic PIA access logs and search for HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from any source IP that is not on your trusted internal list, remembering that once one node is compromised the next request can come from inside. Look for loopback or RFC1918 addresses appearing in request parameters or headers, which is a tell for the SSRF chain used to reach the vulnerable internal endpoints. On the file system, compare the contents of PSEMHUB.war against a clean copy and flag any JSP files that did not ship with the product, and check envmetadata/transactions and envmetadata/data/environment for newly created directories named logs, persistantstorage, or scratchpad and for any XML files modified after May 26. The XML files matter because XMLDecoder deserialization is the underlying RCE primitive, so a modified file plus a service restart equals fresh code execution. Network-side, hunt for outbound SMB on TCP 445 leaving PeopleSoft servers for external destinations, which would indicate NTLM hash capture attempts. Block azurenetfiles.net, the 142.11.200.186 to 142.11.200.190 range and 176.120.22.24 at egress immediately if you have not already.
Oracle's advisory points customers at a patch availability document that requires a support login, and as of this writing that document does not confirm broad patch availability for all affected PeopleTools releases. That puts the burden on mitigation rather than remediation, at least for now. In multi-server PeopleSoft configurations, disable the Environment Management Hub service unless you have a documented operational need for it. In single-server configurations, remove the PSEMHUB application entirely. Whichever path you take, block external access to /PSEMHUB/ and /PSIGW/HttpListeningConnector at the network perimeter, because pattern-matching web application firewall rules written against the raw URL are routinely bypassed with percent-encoding, double-encoding, path-parameter and dot-segment tricks. If you absolutely must keep EMHub running, treat any unexpected POST to those endpoints as a confirmed compromise until proven otherwise and start your incident response timer.
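The access-log hunt and the perimeter block rule above share one requirement: the request path has to be canonicalized before it is compared against /PSEMHUB/ or /PSIGW/HttpListeningConnector, or the encoded variants slip through. The script below is an added example written for this article, not code from Oracle, Mandiant or any WAF vendor. It normalizes each path (percent-decoding twice, stripping ;jsessionid-style path parameters, resolving dot segments and case), flags POSTs to the watched endpoints from sources outside a trusted range, and flags loopback or RFC1918 literals in decoded query parameters. The log lines follow the Common Log Format that WebLogic's access.log uses by default; the lines themselves, the 203.0.113.x source and the 10.20.0.0/16 trusted range are constructed assumptions. Request headers are not in the default log format, so the header check the article mentions needs an extended log format and is not covered here.

```python
"""Hunt WebLogic/PIA access logs for requests to the PSEMHUB and Integration
Gateway endpoints, normalizing paths so encoded variants are not missed."""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoints to match after normalization (lower-cased, no trailing slash).
WATCHED = ("/psemhub", "/psigw/httplisteningconnector")

# Assumed trusted internal range for this example; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed Common Log Format sample modelled on WebLogic's access.log;
# addresses are documentation/private ranges, not real victim or attacker data.
SAMPLE_ACCESS_LOG = """\
10.20.1.7 - - [03/Jun/2026:02:09:55 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 8120
203.0.113.45 - - [03/Jun/2026:02:10:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
203.0.113.45 - - [03/Jun/2026:02:10:13 +0000] "POST /PSIGW/HttpListeningConnector?target=http%3A%2F%2F127.0.0.1%3A8000%2FPSEMHUB%2Fhub HTTP/1.1" 200 301
203.0.113.45 - - [03/Jun/2026:02:10:20 +0000] "POST /%50SEMHUB;jsessionid=abc/./hub HTTP/1.1" 200 512
10.20.1.30 - - [03/Jun/2026:02:11:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_path(raw_uri):
    """Canonicalize the path part of a request URI before prefix matching.

    Handles percent-encoding (including double-encoding), path parameters
    such as ;jsessionid=..., dot segments, duplicate slashes, backslashes and
    case. Lower-casing over-matches on a case-sensitive server, which is the
    safe direction for a block rule or a hunt.
    """
    path = raw_uri.split("?", 1)[0]
    for _ in range(2):  # %252F -> %2F -> /
        path = unquote(path)
    path = path.replace("\\", "/")
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath("/" + path.lstrip("/"))  # lstrip avoids POSIX '//' retention
    return path.lower()


def is_watched(raw_uri):
    """True if the normalized path is a watched endpoint or sits under it."""
    path = normalize_path(raw_uri)
    return any(path == w or path.startswith(w + "/") for w in WATCHED)


def internal_ips_in_query(raw_uri):
    """Return loopback/RFC1918 IPv4 literals found in the decoded query string."""
    if "?" not in raw_uri:
        return []
    query = unquote(unquote(raw_uri.split("?", 1)[1]))
    hits = []
    for candidate in IPV4_RE.findall(query):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if addr.is_loopback or addr.is_private:
            hits.append(str(addr))
    return hits


def hunt_access_log(log_text, trusted_nets=TRUSTED_NETS):
    """Return one finding per suspicious line, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        src, when, method, uri, status = m.groups()
        reasons = []
        if method.upper() == "POST" and is_watched(uri):
            try:
                trusted = any(ipaddress.ip_address(src) in net for net in trusted_nets)
            except ValueError:  # hostname or garbage in the client field: treat as untrusted
                trusted = False
            if not trusted:
                reasons.append("untrusted_source_post")
        internal = internal_ips_in_query(uri)
        if internal:
            reasons.append("internal_ip_in_params")
        if reasons:
            findings.append({"src": src, "when": when, "path": normalize_path(uri),
                             "raw_uri": uri, "status": status,
                             "internal_ips": internal, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_access_log(SAMPLE_ACCESS_LOG):
        print(f["when"], f["src"], f["path"], f["reasons"], f["internal_ips"])
```

On the constructed sample the three external POSTs are flagged, including the one spelled /%50SEMHUB;jsessionid=abc/./hub, which a naive prefix match on the raw URL would miss, and the Integration Gateway request carrying a 127.0.0.1 target is flagged a second time for the internal address. The POST from inside 10.20.0.0/16 is not reported, which is why a trusted-range exemption belongs only in the external-access rule and not in a post-compromise hunt.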
There is a broader lesson in this campaign that has nothing to do with PeopleSoft specifically. Universities are sitting on enormous quantities of regulated data, often running aging enterprise applications maintained by skeleton IT teams competing with research priorities and tuition pressure. ShinyHunters figured that out years ago and has been working the education sector methodically. The shift in this operation from social engineering against SaaS platforms to server-side exploitation against on-premises ERP shows they are willing to invest in technical capability when the payoff justifies it, and a 9.8 CVSS unauthenticated RCE in a product running student records databases is the kind of payoff that justifies almost anything.
For MSPs working with higher education clients or any organization running PeopleSoft for HR, finance, or campus solutions, this is the moment to lead with an emergency exposure assessment. Offer a same-week scope covering external attack surface enumeration for PSEMHUB endpoints, log review for indicators of compromise back to May 27, and a written mitigation runbook the client can hand to leadership. The follow-on conversation around continuous external attack surface monitoring, dark web monitoring for exposed credentials and stolen data, and managed detection and response covering the WebLogic and application server layer is a natural upsell, especially when you can point at the Nottingham incident as the cost of waiting. Education clients in particular respond well to fixed-fee incident readiness packages tied to a real named campaign rather than abstract risk discussions. ShinyHunters just did your prospecting work for you.
References
- The Hacker News: ShinyHunters Exploits Oracle PeopleSoft Zero-Day
https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
- Mandiant: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- Help Net Security: Oracle PeopleSoft Under Attack
https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/
- NVD CVE-2026-35273
https://nvd.nist.gov/vuln/detail/CVE-2026-35273