ShinyHunters' PeopleSoft Zero-Day Rampage: 100+ Organizations Breached Before Oracle Even Published an Advisory
ShinyHunters weaponized a PeopleSoft zero-day to breach 100+ organizations in two weeks. 455K student records at Nottingham alone. Oracle's advisory came last.

Between May 27 and June 9, 2026, the ShinyHunters extortion group exploited a critical zero-day in Oracle PeopleSoft to breach more than 100 organizations across 300 instances. Oracle did not publish its security advisory until June 10, the day after ShinyHunters began publishing stolen data. For the entire duration of the campaign, the vulnerability was unpatched and unknown to defenders.
The flaw, CVE-2026-35273 (CVSS 9.8), is an unauthenticated remote code execution vulnerability in the Environment Management component of PeopleSoft PeopleTools versions 8.61 and 8.62. It requires no login, no user interaction, and has low attack complexity. A single HTTP request to an exposed Environment Management Hub endpoint grants full server takeover.
Google's Mandiant team, tracking ShinyHunters as UNC6240, identified the campaign and notified over 100 organizations whose IP addresses matched vulnerable endpoints. Sixty-eight percent were higher education institutions. The University of Nottingham is the first confirmed victim, with over 455,000 current and former student records published, including names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities.
The Industrialization of ERP Exploitation
What separates this campaign from a typical zero-day exploitation is the scale and automation. ShinyHunters did not target one organization at a time. They deployed automated scanning and exploitation scripts across the entire internet-facing PeopleSoft landscape simultaneously.
Mandiant's analysis of exposed attacker staging directories revealed the operational timeline. On May 27, attackers installed MeshCentral, an open-source remote management server, to establish command-and-control infrastructure. They disguised the platform as legitimate Microsoft Azure services. From there, they scanned for vulnerable PeopleSoft deployments, exploited CVE-2026-35273 for initial access, then moved laterally within compromised networks using SSH credential spraying with hardcoded username and password lists.
The post-exploitation script, named [victim]_fanout.sh, spread over SSH by spraying credentials against internal hosts, then dropped a marker file: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT. Exfiltrated data was compressed with zstd and transmitted to servers hosting ShinyHunters' public leak site.
The data stolen from PeopleSoft environments is among the most sensitive in enterprise computing: payroll records, financial aid data, immigration documents, health information, student records, and employee PII. PeopleSoft manages the data that organizations are legally obligated to protect most carefully, and ShinyHunters accessed it all through a single unauthenticated HTTP request.
The ShinyHunters Pattern
This is not ShinyHunters' first mass exploitation campaign. The pattern has become their signature: identify a vulnerability in a widely deployed enterprise platform, automate exploitation at scale, and monetize stolen data through extortion.
In 2024, credential-stuffing attacks against Snowflake-connected environments led to breaches at Ticketmaster, Santander Bank, and dozens of other organizations. In March 2026, misconfigured Salesforce Aura endpoints enabled unauthenticated data extraction across hundreds of organizations. Now Oracle PeopleSoft.
Three campaigns in eighteen months. Snowflake, Salesforce, PeopleSoft. Each targeting a shared enterprise platform. Each producing breaches across dozens or hundreds of organizations from a single vulnerability. The pattern is clear: shared platforms create shared attack surfaces, and ShinyHunters has built the operational capability to exploit them at scale.
ShinyHunters told TechCrunch their original goal was to compromise an FBI PeopleSoft server to post a statement denying involvement in recent swatting attempts. That attempt failed. The education sector was apparently a target of opportunity rather than intent, making the scale of the damage even more sobering.
What Organizations Should Do
Check for compromise indicators immediately. Search PeopleSoft logs for connections from attacker IPs: 142.11.200[.]186-190, 108.174.202[.]99, 176.120.22[.]24. Search web and application server directories for README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT. Check for unauthorized MeshCentral installations.
Disable or restrict the Environment Management Hub. Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter. In multi-server configurations, disable the EMHub service. In single-server configurations, remove the PSEMHUB application entirely.
Apply the Oracle patch and rotate credentials. Upgrade to the patched PeopleSoft PeopleTools version. Rotate credentials on all default administrative accounts: psoft, oracle, linuxadm. Review and restrict all PeopleSoft administrative access.
Assess your ERP exposure posture. If PeopleSoft or any ERP system is accessible from the internet, it is a target. Enterprise resource planning systems were designed for internal use. Exposing them to the public internet without additional zero trust controls is accepting a risk that ShinyHunters has demonstrated they will exploit.
Extend the review to your vendor ecosystem. If your vendors or partners run PeopleSoft, their breach is your data breach. Initiate vendor outreach to confirm patch status and IOC analysis. Organizations handling employee PII, financial records, health information, or immigration data on your behalf represent the highest downstream risk.
Key Takeaways
- ShinyHunters (UNC6240) exploited CVE-2026-35273, a CVSS 9.8 unauthenticated RCE in Oracle PeopleSoft, to breach 100+ organizations across 300 instances between May 27 and June 9
- Oracle did not publish its advisory until June 10, making this a zero-day for the entire duration of the campaign
- 68% of targeted organizations were in higher education; University of Nottingham confirmed 455,000 student records exposed
- ShinyHunters automated exploitation at scale using MeshCentral for C2, credential spraying for lateral movement, and zstd compression for data exfiltration
- This is ShinyHunters' third mass exploitation campaign in 18 months (Snowflake 2024, Salesforce March 2026, PeopleSoft June 2026)
- PeopleSoft manages payroll, HR, financial aid, immigration, and health data, making the exposure among the most sensitive possible
- Organizations should immediately disable internet-facing EMHub endpoints, check for IOCs, and rotate all PeopleSoft administrative credentials
Deepak Gupta is the co-founder and CEO of GrackerAI. He previously founded a CIAM platform that scaled to serve over 1B+ users globally. He writes about AI, cybersecurity, and digital identity at guptadeepak.com.
Get the newsletter
New writing on identity, AI security, and building software, delivered when it ships. No tracking pixels, no funnels, unsubscribe with one click.