ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Over 100 Organizations Compromised

Severity: High (Score: 77.2)

Sources: Bleepingcomputer, Techcrunch, Rescana, Abhs.In, Blogs.Oracle

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: vulnerability, security, oracle, alert, cve-2026-35273, emergency, critical

Severity indicators: critical, emergency, vulnerability, rce, CVE:CVE-2026-35273

Summary

A critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft is being actively exploited by the ShinyHunters group, affecting versions 8.61 and 8.62. The vulnerability allows unauthenticated remote code execution, enabling attackers to compromise systems with a single HTTP request. Over 100 organizations, primarily in the education sector, have reportedly been breached, including the University of Nottingham, which lost approximately 500,000 student records. The attacks were confirmed by Mandiant and other cybersecurity firms, which noted the use of a 'gadget chain' to exploit the flaw. Oracle has issued an emergency security alert but has yet to release a patch. The ongoing campaign is characterized by rapid exploitation and data exfiltration, with attackers leveraging publicly available proof-of-concept code. Organizations are urged to implement immediate mitigations to protect against this threat.

Key Points:

  • CVE-2026-35273 allows unauthenticated remote code execution in Oracle PeopleSoft.
  • ShinyHunters claims to have breached over 100 organizations, including the University of Nottingham.
  • Oracle has issued a security alert but has not yet released a patch for the vulnerability.

Detailed Analysis

**Impact** Over 100 organizations have been compromised, primarily in the higher education sector, which accounts for 68% of affected entities. Notable victims include the University of Nottingham, where approximately 500,000 student records containing personal and academic data were stolen. Other impacted sectors include large enterprises, government agencies, and hospitals using Oracle PeopleSoft for HR, payroll, and administrative functions. The breach results in data theft, operational disruption, and extortion demands.

**Technical Details** The attack exploits CVE-2026-35273, a critical unauthenticated remote code execution vulnerability (CVSS 9.8) in the Environment Management component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. The threat actor UNC6240 (ShinyHunters) uses a gadget chain combining this zero-day with prior vulnerabilities to achieve full system compromise via HTTP(S) endpoints such as /OA_HTML/runforms.jsp. Attackers deploy customized MeshCentral agents disguised as Microsoft Azure services for command and control, lateral movement, and defacement, with staging servers exposing open directories on port 8888. Indicators include IPs 142.11.200.186–190 and the domain azurenetfiles.net.

**Recommended Response** Apply Oracle’s emergency mitigations immediately and prepare to deploy the forthcoming official patch for CVE-2026-35273. Monitor logs for connections from the identified IP addresses and suspicious MeshCentral agent binaries (e.g., meshagent32-azure-ops.exe). Deploy detection templates such as Nuclei scans targeting PeopleSoft endpoints and watch for exploitation attempts using publicly available PoC scripts. Harden PeopleSoft environments by restricting internet-facing access and reviewing authentication configurations.
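The log monitoring recommended above can be scripted. The following Python example is added here and is not code from Oracle, Mandiant or any cited source; it checks log lines against the indicators this page names (the 142.11.200.186–190 range, azurenetfiles.net, and the meshagent*-azure-ops.exe file names). The log formats, the `match_line` and `scan` helpers, and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Indicators as listed on this page.
IOC_IP_FIRST = ipaddress.ip_address("142.11.200.186")
IOC_IP_LAST = ipaddress.ip_address("142.11.200.190")
IOC_DOMAIN = "azurenetfiles.net"
IOC_FILE = re.compile(r"\bmeshagent(?:32|64)-azure-ops\.exe\b", re.I)

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def match_line(line):
    """Return the sorted indicator types ('ip', 'domain', 'file') seen in a line."""
    hits = set()
    for token in IPV4.findall(line):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:  # looks like an address but is not one (e.g. 999.1.1.1)
            continue
        if IOC_IP_FIRST <= addr <= IOC_IP_LAST:
            hits.add("ip")
    for host in HOST.findall(line):
        host = host.lower()
        # Exact domain or a subdomain; look-alikes such as
        # notazurenetfiles.net must not match.
        if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
            hits.add("domain")
    if IOC_FILE.search(line):
        hits.add("file")
    return sorted(hits)

def scan(lines):
    """Return (line_number, indicator_types) for every line with a hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((number, hits))
    return results

# Constructed sample lines (web access log, proxy, EDR, firewall).
SAMPLE = [
    '142.11.200.187 - - [11/Jun/2026:02:14:07 +0000] "POST /placeholder HTTP/1.1" 200 512',
    '10.0.4.21 - - [11/Jun/2026:02:14:09 +0000] "GET /index.html HTTP/1.1" 200 1043',
    "proxy: CONNECT cdn.azurenetfiles.net:443 from 10.0.4.33",
    "proxy: CONNECT notazurenetfiles.net:443 from 10.0.4.34",
    r"edr: process start C:\Users\Public\MeshAgent64-Azure-Ops.exe host=HR-APP-02",
    "fw: allow 10.0.4.33 -> 142.11.200.191:8888",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE):
        print(number, ",".join(hits), SAMPLE[number - 1])
```

Where PeopleSoft sits behind a load balancer or reverse proxy, run the check against the log field that carries the original client address rather than the proxy's own address.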

Source articles (12)

  • Security Alert CVE-2026-35273 Released — Blogs.Oracle · 2026-06-11
    Oracle has just released Security Alert CVE-2026-35273. This vulnerability affects PeopleSoft Enterprise PeopleTools. This vulnerability has a CVSS v3.1 Base Score of 9.8. If successfully exploited,…
  • Oracle Emergency Security Update to Fix Critical RCE Vulnerability — Cybersecuritynews · 2026-06-11
    Oracle has issued an emergency Security Alert to address a critical remote code execution vulnerability (CVE-2026-35273) affecting PeopleSoft Enterprise PeopleTools. The vulnerability carries a CVSS v…
  • Oracle PeopleSoft servers under attack, Oracle pushes out-of — Feeds2.Feedburner · 2026-06-11
    A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools is being exploited in the wild, Charles Carmakal, CTO at cybersecurity firm Mandiant, part of Google Cloud, warned today. The…
  • ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit — Mandiant · 2026-06-11
    Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastruc…
  • ShinyHunters Exploits Oracle PeopleSoft Zero-Day, 100+ Orgs Hit — Abhs.In · 2026-06-11
    CVE-2026-35273 in Oracle PeopleSoft allows unauthenticated remote code execution. ShinyHunters has claimed over 100 breaches including 500,000 student records from the University of Nottingham. ShinyH…
  • Oracle PeopleSoft PeopleTools Zero-Day (CVE-2026-35273) Actively Exploited — Rescana · 2026-06-11
    Oracle has issued an urgent out-of-band security alert addressing a critical zero-day vulnerability in PeopleSoft PeopleTools, specifically impacting versions 8.61 and 8.62. This vulnerability, track…
  • TechJack Solutions — techjacksolutions.com · 2026-06-11
    ShinyHunters, a financially motivated extortion group, claims to be actively exploiting a reported vulnerability chain in Oracle PeopleSoft to steal data and demand ransom. The group reports approxima…
  • Oracle mitigates PeopleSoft zero — Bleepingcomputer · 2026-06-11
    Oracle is warning a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data t…
  • Oracle warns of security bug that hackers abused to breach 100+ companies — Techcrunch · 2026-06-11
    Oracle warned its corporate customers that there is a critical-rated vulnerability in its PeopleSoft software, which is used by large companies to manage payroll and human resources, a day after a cyb…
  • ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities — Thehackernews · 2026-06-11
  • Help Net Security — www.helpnetsecurity.com · 2026-06-11
  • Oracle Security Alerts — Critical Patch Update advisory page — www.oracle.com · 2026-06-11

Timeline

  • 2026-03-20 — CVE-2026-33017 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-20245 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-09 — Data leaks reported on ShinyHunters DLS: Stolen data from breached organizations began appearing on the ShinyHunters Data Leak Site, confirming the scale of the attack.
  • 2026-06-10 — Oracle issues emergency security alert: Oracle released an urgent advisory regarding the critical vulnerability, urging immediate action from affected organizations.
  • 2026-06-11 — CVE-2026-35273 published: Oracle disclosed a critical zero-day vulnerability in PeopleSoft affecting versions 8.61 and 8.62.
  • 2026-06-11 — ShinyHunters claims over 100 breaches: The group reported compromising approximately 300 instances across more than 100 organizations, including significant data theft.

CVEs

  • CVE-2026-20245
  • CVE-2026-33017
  • CVE-2026-35273

Related entities

  • ShinyHunters (Apt Group)
  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Ransomware (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Canvas/Instructure Attack (Campaign)
  • PeopleSoft Campaign (Campaign)
  • Vercel Breach (Campaign)
  • AT&T (Company)
  • Canvas/Instructure (Company)
  • Gainsight (Company)
  • Instructure (Company)
  • Oracle (Company)
  • Salesforce (Company)
  • Snowflake (Company)
  • Ticketmaster (Company)
  • University Of Nottingham (Company)
  • Education (Company)
  • Microsoft Azure (Company)
  • United States (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-306 - Missing Authentication for Critical Function (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • azurenetfiles.net (Domain)
  • for.us (Domain)
  • rescana.com (Domain)
  • timeapi.io (Domain)
  • Crates.io (Platform)
  • Azure NetApp Files (Platform)
  • FreeBSD (Platform)
  • Fusion Middleware (Platform)
  • Linux (Platform)
  • MacOS (Platform)
  • Oracle Database (Platform)
  • Oracle PeopleSoft (Platform)
  • Oracle PeopleSoft PeopleTools (Platform)
  • PeopleSoft (Platform)
  • PeopleSoft Enterprise PeopleTools (Platform)
  • PeopleTools (Platform)
  • WebLogic (Platform)
  • Windows (Platform)
  • Financial (Industry)
  • Government (Industry)
  • Healthcare (Industry)
  • 142.11.200.186 (Ipv4)
  • 142.11.200.187 (Ipv4)
  • 142.11.200.188 (Ipv4)
  • 142.11.200.189 (Ipv4)
  • 176.120.22.24 (Ipv4)
  • T1021 - Remote Services (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1059.004 - Unix Shell (Mitre Attack)
  • T1059.006 - Python (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1110 - Brute Force (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Canvas (Tool)
  • Python (Tool)
  • Acme-client (Tool)
  • Authenticode (Tool)
  • Exp.py (Tool)
  • Meshagent32-azure-ops.exe (Tool)
  • Meshagent64-azure-ops.exe (Tool)
  • Meshagent64-v2.exe (Tool)
  • MeshCentral (Tool)
  • Meshctrl.js (Tool)
  • Npm (Tool)
  • Nuclei (Tool)
  • Cl0p (Ransomware Group)
  • 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 (Sha256)