ShinyHunters Exploits Oracle PeopleSoft Zero-Day CVE-2026-35273 to Breach 100+ Universities and Companies

The ShinyHunters extortion group exploited an unpatched Oracle PeopleSoft flaw to steal data from over 100 organizations — 68% of them universities. Here's what the vulnerability is, who's at risk, and what to do right now.

If your organization — or a school your family is connected to — runs Oracle PeopleSoft for HR or student records, this is one of the most urgent security stories of the week. The ShinyHunters extortion crew has exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. More than 100 organizations were targeted, and the vulnerability was a true zero-day — Oracle had no patch in place when the attacks were already underway.

Here's what you need to know, and what to do about it.


What Is Oracle PeopleSoft — and Who Uses It?

Oracle PeopleSoft is a suite of enterprise software used by large organizations to manage payroll, human resources, student records, and financial operations. TechCrunch describes it as software "used by large companies to manage payroll and human resources." Universities are especially heavy users, running PeopleSoft to manage everything from enrollment and student financial aid to alumni records.

In the Yuba City area, this is less likely to be software a local shop or restaurant is running — but it's absolutely something regional colleges, school districts, healthcare organizations, and larger employers may have deployed. If you or your business contracts with, or has data stored by, any of those institutions, this breach affects you indirectly.


The Vulnerability: CVE-2026-35273

The flaw, CVE-2026-35273, is a remote code execution bug in Oracle PeopleSoft PeopleTools rated 9.8 out of 10 on the severity scale. It sits in the Updates Environment Management component — the piece behind the Environment Management Hub (PSEMHUB). It affects PeopleTools versions 8.61 and 8.62, and Oracle says earlier, unsupported versions are likely vulnerable too.

What makes it especially dangerous: it requires no login and no user interaction. An attacker just needs network access over HTTP to take over the server entirely. If your PeopleSoft Environment Management Hub is reachable from the public internet, you are exposed.

Oracle credited researchers from TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability, but published its advisory on June 10 — after the attacks had already been running since May 27. That's the definition of a zero-day exploitation campaign.


What ShinyHunters Did With It

Google's Mandiant security unit, which tracks ShinyHunters as UNC6240, has confirmed the activity ran between May 27 and June 9, 2026. Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild.

The attackers' own infrastructure was inadvertently exposed — researcher @nahamike01 publicly flagged open directories, and Mandiant then identified five sequential IP addresses running Python's SimpleHTTP server on port 8888. Those servers revealed the full playbook: custom remote-management agents disguised as Microsoft Azure binaries, a lateral-movement script that spread over SSH by spraying hardcoded credentials against internal hosts, and a command-and-control server at the domain azurenetfiles.net — deliberately chosen to look like a legitimate Azure NetApp Files address.

Once inside, the script dropped a file called README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. Stolen data was compressed and pushed to servers hosting ShinyHunters' leak site.

Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. Of those, 68% were in higher education, most of them in the United States. Some blocked the attack in time; others were compromised and had data posted publicly.

The University of Nottingham is one confirmed victim. Have I Been Pwned has counted approximately 455,000 unique email addresses in the leaked data, covering current students and alumni, with names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities.


ShinyHunters' Escalating Pattern

This isn't the first time we've seen ShinyHunters go after education. As TechCrunch notes, the group has in the past year targeted organizations using Salesforce, Gainsight, and education tech company Instructure — the company behind the Canvas platform. Earlier this year, Instructure reportedly paid the hackers after being breached twice.

What's new here is the method. ShinyHunters has historically relied on stolen tokens, vishing (voice phishing), and weak access controls to get into SaaS platforms. Exploiting a server-side zero-day in on-premises ERP software is a significant step up in technical sophistication — and it's aimed at the same data-rich targets: schools, universities, and large organizations sitting on troves of sensitive personal information.


Immediate Steps for PeopleSoft Administrators

If your organization runs Oracle PeopleSoft, here is the prioritized action list based on Oracle's guidance and Mandiant's analysis:

1. Restrict internet access to PSEMHUB endpoints immediately. Block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at your network perimeter or firewall. This does not break normal user sessions.

2. Disable or remove the Environment Management Hub.

  • On multi-server setups: disable the EMHub Service.
  • On single-server setups: remove the PSEMHUB application entirely.

3. Don't rely on WAF rules alone. Mandiant warns that WAF body-inspection rules are not sufficient, as they can be bypassed. Network-level blocking is required.

4. Hunt for signs of existing compromise. Look for:

  • External POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector in WebLogic access logs
  • Unexpected .jsp files under the PSEMHUB.war web application directory
  • Unusual folders named logs, persistantstorage, or scratchpad under PSEMHUB paths
  • Recently modified .xml files under envmetadata/data/environment (these can be used for persistence that fires on restart)
  • Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations

5. Apply Oracle's patch as soon as it's confirmed available through My Oracle Support for your PeopleTools version.
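As an added hunting script (not code from the original post, Oracle or Mandiant), the following applies the step 4 indicators to WebLogic access-log lines and to file paths under the PeopleSoft web root. The sample log lines are constructed, and the internal address ranges and the 14-day modification window are assumptions to adjust for your own environment.

```python
import ipaddress
import re
import time

# Endpoints that should never receive POSTs from outside (Oracle/Mandiant guidance).
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
# Assumed internal ranges allowed to reach the hub; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# WebLogic access.log (Common Log Format): client - - [ts] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
SUSPECT_DIRS = {"logs", "persistantstorage", "scratchpad"}

# Constructed sample log lines (not real traffic); the client IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.45 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.20.30.40 - - [28/May/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
203.0.113.45 - - [28/May/2026:03:16:21 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 8842
198.51.100.9 - - [28/May/2026:04:02:11 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1290
""".splitlines()

def is_internal(ip):
    """True if the client address falls inside one of the assumed internal ranges."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:          # malformed address: treat as external
        return False

def find_external_posts(lines):
    """Return (ip, timestamp, path, status) for POSTs to watched paths from outside."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith(WATCHED_PATHS) and not is_internal(ip):
            hits.append((ip, ts, path, int(status)))
    return hits

def classify_path(rel_path, mtime, now=None, window_days=14):
    """Label a file (path relative to the web root, plus mtime) as an indicator, or None."""
    now = time.time() if now is None else now
    parts = [p.lower() for p in rel_path.replace("\\", "/").split("/")]
    if "psemhub.war" in parts and parts[-1].endswith(".jsp"):
        return "unexpected JSP inside PSEMHUB.war"
    if any("psemhub" in p for p in parts) and SUSPECT_DIRS & set(parts[:-1]):
        return "suspect folder under PSEMHUB path"
    if ("envmetadata/data/environment" in "/".join(parts) and parts[-1].endswith(".xml")
            and now - mtime < window_days * 86400):
        return "recently modified environment XML (possible restart persistence)"
    return None
```

On a real host, feed `classify_path` from `os.walk()` and `os.path.getmtime()`; anything either function flags for the May 27 to June 9 window is a triage lead for incident response, not proof of compromise on its own.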


What Small Businesses and Local Organizations Should Know

Most small businesses in Yuba City aren't running Oracle PeopleSoft directly — this is enterprise-grade software. But this story is a sharp reminder of a principle that applies to every organization of any size: externally accessible administrative services are attack surface, and they need to be locked down.

Whether you're running PeopleSoft, a small business NAS, a remote desktop service, or a web admin panel — if it's reachable from the internet and doesn't need to be, it shouldn't be. That's a basic hygiene principle that stops a significant percentage of attacks before they start.

If you're a local business that uses any enterprise HR or ERP software and you're not sure what's exposed on your network, that's a conversation worth having with your IT provider. If you need a second set of eyes on your network exposure, we're here at Computer Works.


The Bottom Line

A critical, unauthenticated remote code execution flaw in Oracle PeopleSoft was exploited as a zero-day for nearly two weeks before Oracle published an advisory. More than 100 organizations were hit, nearly half a million people's personal data was leaked, and ShinyHunters is signaling that victim outreach has only just begun. If you run PeopleSoft, treat this as an emergency. If you don't, let it be a reminder that the most dangerous vulnerabilities are often the ones you haven't patched yet — because there's nothing to patch.
