CVE-2026-35273: ShinyHunters Spent 14 Days Inside University Networks Using an Oracle PeopleSoft Zero-Day — Before Oracle Said a Word

🚨 PATCH NOW. Oracle emergency advisory, June 10, 2026: CVE-2026-35273 is actively exploited. Apply the mitigations in Oracle's emergency advisory immediately via My Oracle Support (a full patch was still pending when the advisory shipped; see the summary below). If you cannot apply them now, remove external network access to PSEMHUB: block /PSEMHUB/ from untrusted networks at the firewall or WAF immediately. Check for outbound SMB (TCP 445) from PeopleSoft hosts to external IPs; that is the NetNTLM hash capture step of active exploitation. Verify your PeopleTools version: only 8.61 and 8.62 have confirmed mitigations, and unsupported versions should be upgraded urgently.
300 PeopleSoft installations. 100+ organizations. 68% universities. 14 days as a zero-day before Oracle said a word. | DataWater Threat Brief, June 12, 2026

Sources: Mandiant / Google Cloud Blog (primary) · Google Threat Intelligence Group · The Hacker News · CybersecurityNews · Security Affairs · CSO Online · GBHackers · Daily Security Review · Undercode Testing · Bleeping Computer | CVE: CVE-2026-35273 | CVSS: 9.8 Critical | CWE: Insufficient Input Validation | Affected versions: PeopleSoft Enterprise PeopleTools 8.61 and 8.62 | Threat actor: UNC6240 / ShinyHunters | Zero-day window: May 27 – June 9, 2026 (14 days) | Organizations notified by GTIG: 100+ | Confirmed compromised: ~300 PeopleSoft installations

ShinyHunters spent 14 days inside university networks before Oracle said a word

On May 27, 2026, ShinyHunters began exploiting a vulnerability that did not yet have a CVE number, a vendor advisory, a patch, or a name. For fourteen consecutive days, the group moved through Oracle PeopleSoft infrastructure at scale — compromising approximately 300 installations across more than 100 organizations, exfiltrating data, and staging it for extortion — while Oracle had no public advisory and affected organizations had no indication anything was wrong. Oracle published its emergency advisory on June 10, 2026. By then, the campaign was already largely complete. ShinyHunters published stolen data archives on their dark web leak site on June 9 — one day before Oracle told anyone the vulnerability existed.

This is the vulnerability disclosure failure mode that security professionals have the fewest defenses against: a zero-day exploited at scale for two weeks before the vendor acknowledges it. No patch to apply. No advisory to act on. No CVE to query against. The only organizations that could have detected this campaign were those monitoring behavioral anomalies in their PeopleSoft environments — unusual HTTP requests to the Environment Management Hub, unexpected outbound SMB traffic, data being compressed and exfiltrated via SSH. For most universities, which run PeopleSoft with lean IT security staff and aging infrastructure, none of those detections were in place.

The vulnerability — now formally designated CVE-2026-35273 — is a CVSS 9.8 Critical unauthenticated remote code execution flaw in the Oracle PeopleSoft Environment Management Hub (PSEMHUB). No credentials. No user interaction. Just a specially crafted HTTP request to a network-accessible PeopleSoft endpoint, and the attacker has arbitrary code execution with full system privileges. Mandiant CTO Charles Carmakal confirmed the gadget chain attack path. The exploitation campaign is attributed to UNC6240 — the Google Threat Intelligence Group designation for ShinyHunters, the group that previously breached Ticketmaster, Santander Bank, and dozens of Snowflake customer environments.

CVE: CVE-2026-35273
CVSS score: 9.8 Critical
CWE: Insufficient Input Validation (unauthenticated HTTP request to PSEMHUB)
Affected component: PeopleSoft Enterprise PeopleTools, Environment Management Hub (PSEMHUB)
Affected versions: PeopleTools 8.61 and 8.62 (confirmed); earlier unsupported versions also likely vulnerable
Authentication required: None
User interaction required: None
Attack vector: Network (HTTP request to the PSEMHUB endpoint)
Exploitation technique: Gadget chain, the CVE-2026-35273 zero-day chained with older known PeopleSoft vulnerabilities
Threat actor: UNC6240 / ShinyHunters
Zero-day exploitation window: May 27 to June 9, 2026 (14 days before the Oracle advisory)
Oracle advisory published: June 10, 2026
Mandiant/GTIG report published: June 11, 2026
Organizations notified by GTIG: 100+ globally
Confirmed PeopleSoft installations compromised: ~300
Sector breakdown: 68% higher education; also hospitals and government agencies
Confirmed victim (named): University of Nottingham, ~500,000 student records stolen
Exfiltration method: Data compressed with zstd, then outbound SSH to 176.120.22.24 (ShinyHunters DLS mirror)
Post-compromise action: Stolen data published on the ShinyHunters dark web leak site, June 9, 2026
Full patch available: Not at time of advisory; Oracle issued mitigations, full patch pending

What PeopleSoft is — and why it sits at the center of every university’s most sensitive data

Oracle PeopleSoft is an enterprise resource planning platform deployed across universities, hospitals, and government agencies worldwide. At universities specifically — which represent 68% of this campaign’s identified victims — PeopleSoft consolidates an extraordinary concentration of sensitive data into a single integrated system:

  • Student information systems — enrollment records, academic transcripts, grades, disciplinary records, immigration status for international students
  • Financial aid records — FAFSA data, scholarship awards, loan information, family financial disclosures
  • Human resources and payroll — employee records, salary data, Social Security numbers, tax information for all faculty and staff
  • Research administration — grant funding data, research project records, intellectual property documentation
  • Health services records — at institutions with integrated student health systems, protected health information

A single successful PeopleSoft compromise at a major university does not produce a breach of one database. It produces a breach of every sensitive record category the institution manages. The University of Nottingham breach — approximately 500,000 student records — is one named victim in a campaign that compromised 300 installations across more than 100 organizations. The full scope of what was taken will not be known until each affected institution completes its own forensic review, a process that typically takes weeks to months.

The technical mechanism: a gadget chain through the Environment Management Hub

The vulnerability resides in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools — specifically the Environment Management Hub (PSEMHUB), a service that manages software updates and environment configurations across PeopleSoft deployments. The root cause is insufficient input validation in the PSEMHUB endpoint’s handling of incoming HTTP requests.

A remote, unauthenticated attacker sends a specially crafted HTTP request to the PSEMHUB endpoint. Because the endpoint fails to properly validate the input, the attacker’s payload reaches code execution — arbitrary code running with full system privileges on the PeopleSoft application server. No credentials. No session token. No prior access to anything. The endpoint is reachable from the network and the vulnerability does the rest.

ShinyHunters did not exploit CVE-2026-35273 in isolation. Mandiant's analysis describes a gadget chain: the new CVE-2026-35273 zero-day is combined with older, already-known PeopleSoft flaws to reach code execution that neither piece delivers on its own. The consequence for defenders is that being current on the older flaws was no guarantee during the window, because the zero-day link had no fix at all, while hosts that were also behind on earlier PeopleTools fixes gave the attackers every link the chain needed. That chain yields unauthenticated access that can be driven at scale, which is how roughly 300 installations were compromised in 14 days.

After achieving initial code execution, the attacker established persistence and maintained remote control over compromised systems. Data was compressed using the zstd compression utility before the attackers established an outbound SSH connection to 176.120.22.24 — the IP address hosting the public mirror of ShinyHunters’ Data Leak Site. The compressed archives were then published on the DLS on June 9, 2026 — the day before Oracle acknowledged the vulnerability existed.

ShinyHunters: from SaaS credential theft to server-side ERP zero-days

ShinyHunters (UNC6240) is one of the most consequential data extortion groups operating today. Campaigns attributed to the group include the Ticketmaster breach (560 million records claimed), the Santander Bank breach, and the 2024 Snowflake customer attack wave, in which credentials harvested by infostealer malware were replayed against dozens of Snowflake customer accounts that lacked MFA. In each prior case the entry vector was credential-based: stolen login credentials, session tokens, or weak access controls on SaaS platforms.

CVE-2026-35273 represents a meaningful escalation. A server-side zero-day in on-premises ERP software is a fundamentally different capability than credential stuffing or SaaS token theft. It requires vulnerability research, exploit development, and gadget chain construction — skills and resources that indicate either internal capability development or access to a high-quality zero-day broker. Security Affairs raised the open question directly: “The open question is whether this was a one-off borrowed zero-day or the start of ShinyHunters moving into ERP exploitation.”

The education sector focus is consistent with ShinyHunters’ established targeting profile — data-rich organizations with limited security resources, high-value records, and institutional pressure to avoid reputational damage from disclosed breaches. Universities run PeopleSoft on budgets and security staffing levels that are a fraction of what enterprises allocate to equivalent infrastructure. The combination of high-value data and limited defenses makes higher education a reliable ShinyHunters target, and PeopleSoft’s central role in university operations makes a PeopleSoft breach maximally impactful. This is the third major education data breach DataWater has tracked in 2026.

The 14-day zero-day window: what it means and how Mandiant found it

The 14-day gap between ShinyHunters' first exploitation (May 27) and Oracle's advisory (June 10) is the most operationally significant detail in this disclosure. During those 14 days, every organization exposing a PeopleSoft PSEMHUB endpoint to the network faced a critical vulnerability under active exploitation with no patch, no advisory, and no CVE. Only two controls could have helped: not exposing the hub beyond the management network in the first place, and behavioral detection, looking for anomalous HTTP traffic to PSEMHUB, unexpected outbound SMB, or data exfiltration patterns.

Mandiant discovered the campaign through what Security Affairs described as a fortunate operational error by ShinyHunters: the attackers left their staging infrastructure exposed. This gave Mandiant’s investigators a detailed look at the operation — the attack chain, the targeted endpoints, the exfiltration infrastructure — that they used both to reconstruct the full technical picture and to notify over 100 organizations whose IP addresses correlated with potentially vulnerable endpoints. Google’s Threat Intelligence Group sent those notifications before the public advisory, giving affected organizations a window — however brief — to take action before ShinyHunters published the stolen data.

The disclosure timeline here directly parallels the pattern DataWater documented with CVE-2026-34926 (Trend Micro Apex One) — discovered by TrendAI’s own IR team during active exploitation — and with CVE-2026-20245 (Cisco SD-WAN) — discovered by Mandiant during active exploitation. The pattern is consistent across 2026: the most dangerous vulnerabilities are found by incident response teams investigating real attacks, not by researchers probing code in labs. They are exploited before anyone knows they exist.

Detection: indicators of compromise and what to look for now

Organizations running PeopleSoft should execute the following detection and investigation steps immediately — regardless of whether they have applied mitigations:

Network-level detection

# Suricata rule to detect PSEMHUB exploitation attempts (adapted from Undercode Testing;
# direction corrected: the exploit request is inbound from $EXTERNAL_NET to the PeopleSoft server)
# Note: this only sees cleartext HTTP. For TLS-terminated PIA traffic, apply the same check
# at the reverse proxy or WAF, or on a decrypted tap.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2026-35273 PSEMHUB RCE attempt"; flow:to_server,established; http.uri; content:"/PSEMHUB/update"; nocase; classtype:attempted-admin; sid:1000002; rev:2;)

# Check for outbound SMB traffic from PeopleSoft hosts to external IPs.
# TCP 445 outbound from a PeopleSoft application server to the internet has no legitimate
# purpose and matches the NetNTLM hash capture step of this chain: treat it as a
# high-confidence exploitation indicator and start incident response.

# Check for outbound SSH to known ShinyHunters DLS infrastructure
# Confirmed exfiltration IP (Mandiant): 176.120.22.24
# Block at the perimeter and alert on any historical connections, from any host, not only PeopleSoft servers

Host-level detection

# Check for the ransom note dropped on PeopleSoft servers
find / -name "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" 2>/dev/null

# Check for zstd archives created since the start of the zero-day window (exfiltration staging);
# -newermt requires GNU find
find / -name "*.zst" -newermt "2026-05-27" -ls 2>/dev/null

# Check for unexpected inbound SSH logins (Debian/Ubuntu: /var/log/auth.log; RHEL family: /var/log/secure);
# replace the pattern with your known admin source addresses
grep "Accepted" /var/log/auth.log | grep -v "your.known.admin.ips"

# Review PIA web server access logs for /PSEMHUB/ requests from anything other than the management network
grep -i "PSEMHUB" /path/to/psft/logs/access.log | grep -v "your.known.admin.ips"

# Check for unusual child processes under PeopleSoft services (shells, zstd, ssh or curl spawned by the app server)
ps auxf | grep -i "psft\|peoplesoft" | head -50
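To turn the network and host checks above into something repeatable across many servers, here is an added triage script written for this brief; it is not code from Oracle, Mandiant or any of the cited sources. It assumes the PIA web server writes access logs in Common Log Format, that firewall or flow exports can be dumped as CSV lines of the form `ts,src,dst,dport,proto`, and that `INTERNAL_NETS`, `ADMIN_ALLOWLIST` and `PEOPLESOFT_HOSTS` are filled in with your own addresses; every log line in it is constructed sample data. It flags /PSEMHUB requests from outside the admin allowlist (external sources rated high, unexpected internal ones medium), outbound TCP 445 from PeopleSoft hosts to external addresses, and any connection to 176.120.22.24, and marks whether each finding falls inside the May 27 to June 10 window.

```python
"""Triage of CVE-2026-35273 indicators over access logs and connection exports.
Added example for this brief, not code from Oracle, Mandiant or the cited sources.
Assumptions: Common Log Format access lines (PIA WebLogic domain), CSV connection
records "ts,src,dst,dport,proto", and your own addresses in the constants below."""
import ipaddress
import re
from datetime import datetime, timezone

EXFIL_IP = "176.120.22.24"                                  # IOC from the Mandiant reporting
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)   # first known exploitation
WINDOW_END = datetime(2026, 6, 11, tzinfo=timezone.utc)     # exclusive: day after the advisory
# Assumption: your internal ranges; any other address is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def in_window(ts):
    return WINDOW_START <= ts < WINDOW_END

def parse_access_line(line):
    """Parse one CLF line into a dict; returns None for lines that do not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_psemhub_hits(lines, admin_allowlist):
    """Every /PSEMHUB request whose source is not an allowlisted admin address.
    The hub should only be reachable from the management network, so an external
    source is 'high' and an unexpected internal source is still 'medium'."""
    hits = []
    for rec in filter(None, map(parse_access_line, lines)):
        if rec["path"].upper().startswith("/PSEMHUB") and rec["ip"] not in admin_allowlist:
            hits.append({**rec, "in_window": in_window(rec["ts"]),
                         "severity": "high" if is_external(rec["ip"]) else "medium"})
    return hits

def parse_conn_line(line):
    ts, src, dst, dport, proto = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def find_suspicious_connections(lines, peoplesoft_hosts):
    """Two network indicators from the brief: any host reaching the exfiltration IP
    (critical, whatever the source) and a PeopleSoft host opening TCP 445 to an
    external address, the NetNTLM hash capture step (high)."""
    findings = []
    for rec in map(parse_conn_line, lines):
        if rec["dst"] == EXFIL_IP:
            findings.append({**rec, "reason": "connection to ShinyHunters DLS mirror",
                             "severity": "critical", "in_window": in_window(rec["ts"])})
        elif (rec["src"] in peoplesoft_hosts and rec["proto"] == "tcp"
              and rec["dport"] == 445 and is_external(rec["dst"])):
            findings.append({**rec, "reason": "outbound SMB from PeopleSoft host to external IP",
                             "severity": "high", "in_window": in_window(rec["ts"])})
    return findings

def triage(access_lines, conn_lines, admin_allowlist, peoplesoft_hosts):
    """Combine both checks into one verdict: critical > high > medium > clean."""
    findings = (find_psemhub_hits(access_lines, admin_allowlist)
                + find_suspicious_connections(conn_lines, peoplesoft_hosts))
    rank = {"critical": 3, "high": 2, "medium": 1}
    worst = max((rank[f["severity"]] for f in findings), default=0)
    return {3: "critical", 2: "high", 1: "medium", 0: "clean"}[worst], findings

# Constructed sample input, not real logs: one allowlisted hub request, two hub
# requests from outside (one inside the window), one outbound SMB, two exfil-IP contacts.
SAMPLE_ACCESS = [
    '10.20.30.5 - - [28/May/2026:09:00:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 210',
    '203.0.113.45 - - [29/May/2026:02:14:07 +0000] "POST /PSEMHUB/update HTTP/1.1" 200 512',
    '203.0.113.45 - - [29/May/2026:02:14:08 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ HTTP/1.1" 200 8192',
    '198.51.100.7 - - [03/May/2026:11:30:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 403 0',
]
SAMPLE_CONNS = [
    "2026-05-28T10:00:00Z,10.20.30.40,10.20.30.50,445,tcp",
    "2026-05-29T02:14:20Z,10.20.30.40,198.51.100.9,445,tcp",
    "2026-05-30T03:01:00Z,10.20.30.40,176.120.22.24,22,tcp",
    "2026-06-12T08:00:00Z,10.20.30.99,176.120.22.24,22,tcp",
]
ADMIN_ALLOWLIST = {"10.20.30.5"}      # assumption: the management jump host
PEOPLESOFT_HOSTS = {"10.20.30.40"}    # assumption: the PeopleSoft application server

if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_ACCESS, SAMPLE_CONNS, ADMIN_ALLOWLIST, PEOPLESOFT_HOSTS)
    print("verdict:", verdict)
    for f in findings:
        print(f["severity"], f["ts"].isoformat(), f.get("path") or f"{f['src']}->{f['dst']}:{f['dport']}",
              f.get("reason", "PSEMHUB request outside admin allowlist"), "in_window=%s" % f["in_window"])
```

Replace the two sample lists with real file contents to run it against your own data. Findings outside the window are still reported, because a connection to the exfiltration IP or outbound SMB to the internet is never legitimate; the in_window flag only tells you which findings bear on this campaign's timeline.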

Data integrity checks

  • Review PeopleSoft audit logs for any data exports, report runs, or bulk data access events between May 27 and June 10, 2026 that were not initiated by authorized users
  • Check database query logs for unexpected large-volume SELECT queries against student information, HR, or financial aid tables during the zero-day window
  • Audit administrative account activity — review every action taken by admin accounts between May 27 and June 10, particularly any performed outside business hours or from unexpected IP addresses

Remediation steps

  1. Apply Oracle’s emergency advisory for CVE-2026-35273 immediately. Access via My Oracle Support. The advisory provides mitigations for PeopleTools versions 8.61 and 8.62 on actively supported versions. If you are running an earlier unsupported version — Oracle explicitly states these are also likely vulnerable — you must urgently upgrade to a supported version before mitigations can be applied.
  2. Block external network access to PSEMHUB endpoints immediately if patching cannot be completed right away. At your perimeter firewall and/or web application firewall, block access to all /PSEMHUB/ URL paths from untrusted networks. The Environment Management Hub does not need to be internet-accessible for normal PeopleSoft operations — restrict it to trusted internal management networks only.
  3. Block outbound SMB (port 445) from PeopleSoft application servers to external IPs. The exploit chain uses outbound SMB to capture NetNTLM machine account hashes. Blocking outbound port 445 to external destinations eliminates this exploitation step and may prevent successful exploitation even in unpatched environments.
  4. Block outbound connections to 176.120.22.24 — the confirmed ShinyHunters exfiltration IP. Check historical logs for any connections to this IP from your PeopleSoft infrastructure. Any connection from a PeopleSoft server to this IP during the May 27 – June 10 window is a confirmed exfiltration indicator.
  5. Conduct a full compromise assessment for any PeopleSoft environment with internet-accessible PSEMHUB endpoints during the May 27 – June 10 zero-day window. Google’s GTIG notified organizations whose IPs correlated with vulnerable endpoints — if you did not receive a notification, that does not mean you were not compromised. Run the detection commands above and engage Mandiant or your preferred IR firm if any indicators are found.
  6. Review all data access and export events between May 27 and June 10 across all PeopleSoft modules — student information, HR, financial aid, payroll, research administration. Any unexplained bulk access during this window should be treated as confirmed exfiltration until proven otherwise.
  7. Prepare breach notification documentation. If your PeopleSoft instance was internet-accessible during the zero-day window and you identify indicators of compromise, you are likely subject to breach notification obligations under FERPA (student records), HIPAA (health records), state data breach notification laws, and GDPR (for institutions with EU student or staff data). Engage legal counsel immediately.
  8. University CISOs: verify your GTIG notification status. Google’s Threat Intelligence Group notified over 100 organizations directly. If you run PeopleSoft and did not receive a GTIG notification, contact your Google Cloud account team or Mandiant directly to verify whether your environment was in the notified set.

Why the education sector keeps getting hit — and what it would take to change that

The 68% higher education concentration in this campaign is not a coincidence. It reflects a structural reality that threat actors have understood for years: universities are among the most data-rich organizations in the world — combining student records, financial data, research IP, and health records in a single integrated ERP system — while running security programs that are chronically underfunded relative to the data they protect.

The Verizon DBIR 2026 documented that exploitation of internet-facing applications is now the #1 breach initial access vector. PeopleSoft’s Environment Management Hub — an administrative component that, in many university deployments, is unnecessarily exposed to the internet for remote administration convenience — is exactly the type of internet-facing application that the DBIR describes. The fix is not complicated: PSEMHUB does not need to be internet-accessible. Restricting it to internal management networks would have closed this attack surface entirely. The challenge is institutional: the university IT teams responsible for making that configuration change are often the same teams managing hundreds of other systems with limited security staff, limited budgets, and limited executive-level support for security hardening that disrupts operational convenience.

This is the third major education data breach DataWater has tracked in 2026, following the Canvas LMS credential campaign in March and the Ellucian Banner SQL injection series in April. ShinyHunters’ escalation from credential theft to server-side ERP zero-day exploitation signals that education is not just a target of opportunity for this group — it is a deliberate strategic focus. The concentration of high-value data, limited defenses, and institutional pressure to avoid reputational damage from disclosed breaches makes universities an ideal environment for the compress-exfiltrate-extort playbook ShinyHunters has refined across dozens of prior campaigns.

DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #27, June 12, 2026. Previous: $1,000 AI Agent Finds 21 FFmpeg Zero-Days (June 10) · Microsoft June 2026 Patch Tuesday (June 10) · Claude Code Prompt Injection (June 8) · FIFA World Cup 2026 Fraud Wave (June 8).
