
Oracle PeopleSoft Zero-Day (CVE-2026-35273): 100+ Orgs Breached Before a Patch Existed


On June 10, 2026, Oracle rushed out an out-of-band security alert for a critical flaw in PeopleSoft Enterprise PeopleTools. By then, the damage was already done. The criminal group ShinyHunters had been silently exploiting that same vulnerability — as an unpatched zero-day — since May 27, working through roughly 300 vulnerable instances at over 100 organizations in the span of two weeks. The University of Nottingham was the first to publicly confirm a breach, with 40 GB of data — including personal and billing records for approximately 455,000 current and former students — already posted to the group's extortion leak site.

The Flaw: Any HTTP Request, Full Server Takeover

CVE-2026-35273 carries a CVSS score of 9.8. It sits in the Updates Environment Management component of PeopleSoft PeopleTools — the internal service behind the Environment Management Hub (PSEMHUB) — and affects versions 8.61 and 8.62. What makes it particularly dangerous is how low the bar to exploitation is: no authentication, no user interaction, just network access over HTTP to the /PSEMHUB/ endpoint. A remote attacker who can reach it can execute arbitrary code at the server level. Oracle's own advisory language describes it as "remotely exploitable without authentication" with the potential for "remote code execution." That combination is what pushes the CVSS score to 9.8.

Mandiant, which Google tasked with tracking this campaign and which notified affected organizations directly, attributes the activity to the group it tracks as UNC6240 — publicly known as ShinyHunters. Mandiant CTO Charles Carmakal confirmed that the exploitation window ran from May 27 to June 9, meaning the bug was a live zero-day for every single victim.

Two Weeks of Silence, Then 100 Organizations

The gap between ShinyHunters' first exploit and Oracle's advisory was fourteen days. During that window, no patch existed. No advisory existed. Administrators running PeopleSoft 8.61 or 8.62 with internet-accessible management hubs had no signal that anything was wrong — unless they were watching closely enough to catch the attackers' staging infrastructure, which the group accidentally left exposed.

From those exposed directories, researchers pieced together the attack chain. ShinyHunters deployed a customized build of MeshCentral — an open-source remote monitoring and management tool — disguised as a legitimate Microsoft Azure service. They used shell scripts (uon_fanout.sh was one recovered artifact) to spray stolen credentials via SSH across the local network. WebLogic directories received JSP webshells for persistent access. Compressed data staged for exfiltration left traces in scratch directories. The operation was industrialized and automated; manual effort was reserved for extortion outreach, not reconnaissance.

Who Got Hit and What Was Taken

Sixty-eight percent of the 100-plus compromised organizations are in higher education — primarily U.S. universities — because PeopleSoft's Campus Solutions module is the dominant ERP platform for enrollment management, financial aid, and student records across large universities. The University of Nottingham is the clearest confirmed example, with leaked records containing names, home addresses, phone numbers, passport numbers, and in many cases records on ethnicity and disability status for current students and alumni. ShinyHunters noted in their leak site post that Nottingham was "one of the first publicly confirmed incidents" and that they had "only just started outreach to affected orgs" — a deliberate signal that more victims will be identified and extorted.

What PeopleSoft Admins Need to Do Right Now

Oracle's remediation guidance, as of the June 10-11 advisory, amounts to mitigation rather than a patch. Two options:

  • Multi-server deployments: Disable the Environment Management Hub Service entirely and remove the PSEMHUB application.
  • Single-server deployments: Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter. These endpoints have no legitimate reason to be internet-facing.

For incident response, look for: unexpected .jsp files in WebLogic server directories, unauthorized binaries in PSEMHUB transaction folders, recently modified XML persistence files, and outbound SMB or SSH traffic to unexpected external hosts. Oracle customers should check My Oracle Support for patch availability as updates are released; the company did not confirm a full patch timeline as of June 11.

The Lesson That Reaches Beyond PeopleSoft

Most small and mid-size businesses don't run Oracle PeopleSoft. But the pattern this attack illustrates touches every business that relies on third-party software: the gap between a vendor knowing about a flaw and you being able to patch it is not your biggest risk. The gap between an attacker finding a flaw and the vendor knowing about it is. A zero-day is, by definition, a flaw for which no patch exists yet. The only controls that work in that window are network segmentation (don't expose management interfaces to the internet), anomaly detection (unusual POST traffic to internal services looks different from normal usage), and rigorous data inventory (you can't report a breach accurately if you don't know what data you hold).
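The network side of the same checks, covering the outbound SMB/SSH indicator from the incident-response list above and the point here about management-endpoint traffic. This is an added example, not a vendor tool: the access-log lines are constructed in the common combined format, the flow lines use an assumed key=value layout, the management paths come from Oracle's mitigation guidance quoted earlier, and the trust boundary is an explicit RFC 1918 list you would adjust to your own address plan:

```python
"""Network-side check for two of the indicators above: requests reaching the
/PSEMHUB/ and /PSIGW/HttpListeningConnector paths from outside the internal
ranges, and outbound SSH or SMB to hosts that are not internal. Added example,
not a vendor tool; every log line below is constructed, the access lines in the
common combined format, the flow lines in an assumed key=value format."""
import ipaddress
import re

# Oracle's guidance above: these paths should not be reachable from outside.
MANAGEMENT_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
LATERAL_PORTS = {22: "ssh", 445: "smb"}

# Explicit trust boundary (RFC 1918 plus loopback) rather than ip.is_global,
# which also treats the documentation ranges used below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_internal(addr: str) -> bool:
    """True only for addresses inside the explicitly listed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # unparseable source: treat as untrusted
    return any(ip in net for net in INTERNAL_NETS)


def external_management_hits(access_lines):
    """Requests to a management path whose source is not internal."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or is_internal(m["src"]):
            continue
        if m["path"].startswith(MANAGEMENT_PREFIXES):
            hits.append((m["src"], m["method"], m["path"]))
    return hits


def external_lateral_flows(flow_lines):
    """Outbound SSH/SMB connections whose destination is not internal."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        port = int(m["dport"])
        if port in LATERAL_PORTS and not is_internal(m["dst"]):
            hits.append((m["src"], m["dst"], LATERAL_PORTS[port]))
    return hits


# Constructed sample data; external addresses are from the RFC 5737 documentation ranges.
SAMPLE_ACCESS = [
    '10.20.30.40 - - [03/Jun/2026:09:14:02 +0000] "GET /ps/signon.html HTTP/1.1" 200 2203',
    '203.0.113.5 - - [03/Jun/2026:09:15:41 +0000] "POST /PSEMHUB/ HTTP/1.1" 200 812',
    '203.0.113.5 - - [03/Jun/2026:09:15:43 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 301',
    '10.20.30.41 - - [03/Jun/2026:09:16:10 +0000] "GET /PSEMHUB/ HTTP/1.1" 200 77',
    '198.51.100.9 - - [03/Jun/2026:09:17:00 +0000] "GET /ps/signon.html HTTP/1.1" 200 2203',
]
SAMPLE_FLOWS = [
    "2026-06-03T09:20:11Z src=10.20.30.40 dst=10.20.30.77 dport=445",   # internal share, normal
    "2026-06-03T09:21:05Z src=10.20.30.40 dst=203.0.113.77 dport=22",   # external SSH: flag
    "2026-06-03T09:21:30Z src=10.20.30.40 dst=203.0.113.77 dport=443",  # HTTPS, out of scope here
]


if __name__ == "__main__":
    for src, method, path in external_management_hits(SAMPLE_ACCESS):
        print(f"management path reached from outside: {src} {method} {path}")
    for src, dst, proto in external_lateral_flows(SAMPLE_FLOWS):
        print(f"outbound {proto} to non-internal host: {src} -> {dst}")
```

Any non-empty result from the first check is a policy violation on its own, whatever the request method: if the perimeter block from Oracle's guidance is in place, no external source should ever appear against those paths, so the alert doubles as a test that the block is actually working.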

ShinyHunters didn't pick universities because they're careless — they picked them because PeopleSoft is the standard, many instances share similar configurations, and student data includes the kind of sensitive identifiers (passport numbers, disability records) that have outsized regulatory exposure. They automated everything. That's the threat model now: organized groups running exploit scripts at scale against known software stacks, not individually targeted intrusions. Whether your stack is Oracle, WordPress, or anything in between, the implication is the same: management interfaces stay behind the firewall, and continuous traffic monitoring is the early warning system that catches anomalies before a two-week silent compromise becomes a 40 GB leak.

At Falcon Internet, continuous NOC monitoring is part of why anomalous traffic patterns to management endpoints don't stay quiet for fourteen days — that's exactly the signal that interrupts an attack in progress before data leaves the building.
