ShinyHunters spent the back half of 2025 phishing Salesforce admins and shaking down EdTech vendors. This week, the group graduated to something far more dangerous: a pre-auth remote code execution zero-day in Oracle PeopleSoft, exploited in the wild for a full two weeks before Oracle published an advisory. Universities took 68% of the blast radius, and the playbook leaked because the attackers forgot to lock their own staging servers.
The Two-Week Window That Oracle Never Closed in Time
Google’s Mandiant attributes the campaign to the cluster it tracks as UNC6240 (ShinyHunters) and dates active exploitation from May 27 to June 9, 2026. Oracle did not release its advisory for CVE-2026-35273 — a 9.8-severity pre-auth RCE in PeopleTools’ Updates Environment Management component — until June 10. For the entire window, every internet-exposed Environment Management Hub was effectively a one-shot kill for anyone who knew the bug.
Why this matters: the flaw requires no login and no user interaction, just network access over HTTP. Oracle lists PeopleTools 8.61 and 8.62 as affected and warns that earlier, unsupported versions are probably vulnerable too. Credit went to researchers from TrendAI Zero Day Initiative and TrendAI Research, but by the time the patch document landed behind My Oracle Support, attackers had already harvested data from dozens of victims.
If your institution runs PeopleSoft Campus Solutions for student records and PSEMHUB was reachable from the public internet, the attacker needed neither a phishing pretext nor a stolen credential. A single HTTP request to /PSEMHUB/hub was enough to take the server. Two-week zero-day windows on a CVSS 9.8 ERP bug should end the “we patch on the next maintenance window” reflex for any externally reachable PeopleSoft component.
How an OPSEC Slip Handed Defenders the Entire Playbook
Researcher @nahamike01 publicly flagged open directories on five sequential IP addresses running Python’s SimpleHTTPServer on port 8888. Mandiant triaged those directories and recovered a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, a lateral-movement script named [victim]_fanout.sh, and a command-and-control domain at azurenetfiles.net — picked to mimic Azure NetApp Files.
Few active extortion campaigns have handed defenders this complete an unintentional disclosure. Defenders now know the staging hostname, the MeshCentral cover story, the SSH spray pattern that reads /etc/hosts for internal targets, the zstd compression step before exfil, and the leak-site marker file dropped into PeopleSoft directories with the unmissable name README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
A SOC analyst writing detections today can hunt for outbound SSH to known ShinyHunters mirrors, MeshCentral binaries masquerading as Azure tools in unusual directories, or that marker file landing anywhere near PeopleSoft paths. The catch is shelf life: ShinyHunters’ operational tradecraft is sloppy compared to its strategic targeting, which means the high-fidelity IOCs will age out fast as the group rebuilds infrastructure.
Why 68% of the Victims Were Universities
Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. Sixty-eight percent were in higher education, most of them in the United States. The University of Nottingham confirmed a breach, with Have I Been Pwned counting roughly 455,000 unique email addresses across current students and alumni — including names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities.
PeopleSoft is overrepresented in higher ed because universities standardized on it years ago and never left. The same campuses then exposed PSEMHUB because internal IT teams use it for environment management across multiple regional sites. ShinyHunters did not have to choose universities; the target distribution chose itself.
A regional state university running PeopleTools 8.61 with PSEMHUB reachable for legitimate cross-campus admin work has the exact profile that lit up Mandiant’s notification list. The same profile fits any multi-tenant SaaS or B2B platform where a single management endpoint sits outside the authentication boundary — operational convenience is the breach vector. Expect at least a dozen more confirmed university victims before summer ends; ShinyHunters told Mandiant that outreach is only just starting.
From Vishing Calls to Server-Side Zero-Days
ShinyHunters spent the past year leaning on vishing campaigns against Salesforce customers (tracked as UNC6040) and stolen-token attacks against EdTech platforms like Canvas. CVE-2026-35273 is the group’s first publicly attributed server-side zero-day in on-premises ERP — a clear escalation in capability.
The economics changed. Social engineering scales linearly with caller fluency and target gullibility. A pre-auth ERP zero-day scales with Shodan results. The group kept the same victim profile — data-rich verticals like education and, by extension, healthcare provider networks — but switched the weapon to something that does not require talking to a help desk.
A hospital system running PeopleSoft HCM for staff records should treat this campaign as a preview, not an outlier. The same logic that pulled ShinyHunters to universities applies to any provider organization with similarly sensitive records. The prediction: the next ShinyHunters zero-day will land in Workday, SAP SuccessFactors, or another HR/student-information ERP within twelve months. On-prem ERP is now in the group’s toolkit.
FAQ
Q: What is CVE-2026-35273?
A: It is a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools’ Updates Environment Management component (PSEMHUB), rated 9.8 of 10. It requires no authentication and no user interaction — just network access over HTTP — and affects PeopleTools 8.61 and 8.62, with earlier unsupported versions probably vulnerable per Oracle’s advisory.
Q: How can a team tell if a PeopleSoft environment was compromised?
A: Mandiant recommends reviewing WebLogic access logs for external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector, looking for unexpected .jsp files under PSEMHUB.war, checking for recently modified .xml files under envmetadata/data/environment (which can be abused for XMLDecoder persistence on restart), and watching for outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations.
Q: What is the mitigation if PSEMHUB cannot be disabled outright?
A: Oracle’s fallback guidance is to block external access to /PSEMHUB/* — especially /PSEMHUB/hub — and /PSIGW/HttpListeningConnector at the network perimeter. Mandiant explicitly warns that WAF body-inspection rules alone can be bypassed, so perimeter path restrictions are the real mitigation until the patch is confirmed available in My Oracle Support.
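As an added illustration of the access-log review described above (example code written for this article, not Mandiant's or Oracle's tooling): a small Python checker that parses WebLogic access-log lines in Common Log Format and flags POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector from addresses outside the ranges you declare internal. The RFC 1918 ranges used as "internal" and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Paths the FAQ guidance says to review for external POST requests.
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Assumption: these are the ranges your own admins legitimately come from.
# Any client outside them is treated as "external" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# WebLogic's HTTP access log defaults to Common Log Format:
#   host ident authuser [timestamp] "METHOD path HTTP/x.y" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_external(ip_text):
    """True when the client address is not inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable host field: keep it for review rather than drop it
    return not any(ip in net for net in INTERNAL_NETS)

def suspicious_requests(lines):
    """Return (client, timestamp, path, status) for external POSTs to watched paths."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line (or a different log format); skip it
        path = m.group("path").split("?", 1)[0]  # match on the path only, not the query string
        if m.group("method") == "POST" and path.startswith(WATCHED_PATHS) and is_external(m.group("host")):
            hits.append((m.group("host"), m.group("ts"), path, int(m.group("status"))))
    return hits

# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '10.20.30.40 - - [03/Jun/2026:09:14:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',   # internal admin
    '203.0.113.7 - - [03/Jun/2026:09:15:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 8841',  # external POST
    '203.0.113.7 - - [03/Jun/2026:09:15:12 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0',      # GET is not flagged
    '198.51.100.9 - - [03/Jun/2026:09:16:40 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0',
    '192.168.5.5 - - [03/Jun/2026:09:17:00 +0000] "POST /psp/ps/signon.html HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for host, ts, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} external POST from {host} to {path} (HTTP {status})")
```

Feed it the real access log with something like `suspicious_requests(open(path))` and widen INTERNAL_NETS to whatever your cross-campus admin ranges actually are; a hit is a starting point for the .jsp and envmetadata checks, not proof of compromise on its own.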
Key Takeaways
- Any organization running PeopleTools 8.61 or 8.62 with PSEMHUB externally reachable should treat itself as compromised until log review proves otherwise — the May 27 to June 9 window predates any chance of clean patching
- Detection engineers should prioritize behavioral signatures (SSH spraying from /etc/hosts, zstd-compressed exfil over SSH, MeshCentral processes posing as Azure binaries) over the azurenetfiles.net indicator, which will rotate quickly
- Higher-ed CISOs should assume ShinyHunters holds unreleased victim lists and stage crisis communications now, rather than reacting after the leak site updates
- The group’s pivot from vishing to server-side ERP exploitation means SaaS-only defenses — MFA hardening, vishing training, token rotation — are no longer sufficient on their own
- Expect a wave of copycat scanning for /PSEMHUB/hub now that the exploitation path is public; every hour an exposed PSEMHUB stays online compounds the risk of a non-ShinyHunters actor showing up next