A critical zero-day in Oracle PeopleSoft turned enterprise HR and finance servers into an open door for the ShinyHunters extortion crew. Tracked as CVE-2026-35273 and rated CVSS 9.8, the flaw let attackers run code on unpatched PeopleSoft systems with no login required, and they used it for weeks before Oracle shipped an emergency fix. The victim list already spans a car maker, an insurance regulator and dozens of universities. This is the second Oracle ERP zero-day of this severity in under a year, and that pattern is the real story.
- CVE-2026-35273 is an unauthenticated SSRF-to-RCE flaw (CVSS 9.8) in PeopleSoft's PSEMHUB component, exploitable over plain HTTP with no login and no user interaction.
- Attributed to ShinyHunters (UNC6240 / Bling Libra) by Mandiant and Google's threat team, it was exploited as a zero-day from May 27 to June 9, before Oracle's out-of-band patch on June 10.
- The campaign hit 300+ PeopleSoft instances across 100+ organizations, and Google says roughly two-thirds were universities and colleges.
- Nissan confirmed stolen employee data including Social Security numbers, banking and tax information; the NAIC insurance body said only public data was taken. CISA added the flaw to its KEV catalog on June 12.
What is CVE-2026-35273?
It is an unauthenticated server-side request forgery that chains into remote code execution, sitting in the Updates Environment Management (PSEMHUB) component of PeopleSoft PeopleTools 8.61 and 8.62. Rated CVSS 9.8, it needs no authentication and no user interaction, and it works over plain HTTP, so any attacker who can reach a vulnerable instance can achieve full code execution. That combination, network-reachable plus no credentials, is the worst case for an internet-exposed enterprise app, and PeopleSoft runs exactly the kind of HR and finance data attackers want.
How did ShinyHunters exploit it?
Mandiant and Google's Threat Intelligence Group attribute the campaign to UNC6240, the crew publicly known as ShinyHunters (also tracked as Bling Libra), a financially motivated extortion group. They exploited the flaw as a zero-day from May 27, more than two weeks before Oracle's advisory, using automated scripts to hit servers at scale. After gaining code execution they deployed MeshCentral remote-management agents disguised as legitimate Microsoft Azure services, with filenames like meshagent64-azure-ops.exe and command-and-control routed to a domain dressed up to look Azure-related. Data was compressed with zstd and exfiltrated, and compromised servers were tagged with a ransom note file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
Who got breached?
The scope is broad: over 300 PeopleSoft instances at more than 100 organizations, with Google noting about two-thirds were academic institutions. Nissan confirmed a breach affecting current and former employees in the US, Canada, Mexico and Brazil, with data that may include Social Security numbers, banking, financial and tax information. The National Association of Insurance Commissioners said the attackers took only publicly available data, outdated logs and configuration files. The University of Nottingham is widely believed to be a victim, and Illinois Central College and Moody Bible Institute appear on the group's leak site.
| | PeopleSoft (CVE-2026-35273) | Oracle E-Business Suite (CVE-2025-61882) |
|---|---|---|
| Severity | CVSS 9.8 | CVSS 9.8 |
| Crew | ShinyHunters (UNC6240) | Cl0p |
| When | Zero-day from May 27, 2026 | From August 2025 |
| Class | Unauth SSRF to RCE | Unauth RCE |
| Target | Enterprise ERP | Enterprise ERP |
Why are ERP platforms the new prime target?
Because they concentrate the crown jewels: payroll, banking details, tax IDs and employee records, all in one internet-reachable system that is painful to patch on a normal cycle. This is the second CVSS 9.8 Oracle ERP zero-day exploited in under eight months, following Cl0p's abuse of an E-Business Suite flaw starting in August 2025. Organized extortion groups have industrialized the playbook: find one unauthenticated RCE in a widely deployed ERP, script it, hit hundreds of orgs before a patch exists, then extort. ERP has become to 2025 and 2026 what managed file-transfer tools were to earlier campaigns.
How do you defend PeopleSoft right now?
Patch as an emergency if you run PeopleTools 8.61 or 8.62, then reduce exposure. Security researchers recommend disabling or restricting the PSEMHUB service and blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter. Monitor outbound SMB traffic on TCP/445 from PeopleSoft servers for NetNTLM hash-capture attempts, and hunt for unauthorized remote-management tools, especially MeshCentral agents masquerading as Azure services. Assume that any exposed, unpatched instance during the exploitation window was probed.
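To make that hunt concrete, here is an added example (not code from Oracle, Mandiant or any reporting source) that triages web access logs for external requests to the two paths above and checks file listings for the file names reported in this campaign. The log format, the internal address ranges, the sample log lines and the sample directories are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Paths the article says to block at the perimeter.
SENSITIVE = re.compile(r"^/(PSEMHUB(/|$)|PSIGW/HttpListeningConnector)", re.I)
# Zero-day window from the article: May 27 through the June 10 patch day (half-open).
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc), datetime(2026, 6, 11, tzinfo=timezone.utc))
# Assumption: RFC 1918 ranges are "internal"; replace with your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: Common Log Format, i.e. ip - user [time] "METHOD path PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
# File names quoted in the article; the meshagent pattern is a loose generalisation.
IOC_NAME = re.compile(r"^(meshagent.*azure.*\.exe|README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED\.TXT)$", re.I)

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or junk in the client field: keep it visible
        return False
    return any(addr in net for net in INTERNAL)

def triage(lines):
    """Return (ip, path, status, in_window) for external hits on the sensitive paths."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or is_internal(m.group(1)):
            continue
        # Decode %2F and collapse '//' so trivially obfuscated paths still match.
        path = re.sub(r"/+", "/", unquote(m.group(3).split("?")[0]))
        if SENSITIVE.match(path):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((m.group(1), path, int(m.group(4)), WINDOW[0] <= when < WINDOW[1]))
    return hits

def ioc_files(paths):
    return [p for p in paths if IOC_NAME.match(re.split(r"[\\/]", p)[-1])]

# Constructed sample data: documentation IP ranges, invented requests and directories.
SAMPLE_LOG = [
    '203.0.113.45 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.40 - - [28/May/2026:03:15:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 128',
    '198.51.100.7 - - [02/Jun/2026:11:02:33 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
    '203.0.113.45 - - [15/Jun/2026:08:00:00 +0000] "GET //psemhub%2Fhub HTTP/1.1" 404 0',
]
SAMPLE_FILES = [r"C:\ProgramData\meshagent64-azure-ops.exe", "/tmp/notes.txt",
                "/opt/psft/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"]
```

A hit with `in_window` set to True and a 2xx status on an instance that was unpatched at the time is the case to escalate first; hits outside the window still show the path is reachable from outside.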
- May 27: Zero-day exploitation begins. ShinyHunters scripts hit PeopleSoft at scale.
- Jun 9: Active exploitation window closes. 300+ instances, 100+ orgs compromised.
- Jun 10: Oracle ships emergency patch. Out-of-band fix for CVE-2026-35273.
- Jun 12: CISA adds it to KEV. Federal agencies ordered to remediate.
- Jun 25 to 29: Nissan discloses. Employee SSNs, banking and tax data exposed.
- The victim list grows. With 100+ orgs hit and only a few named, expect a steady drip of disclosures over the coming weeks.
- Extortion follow-through. ShinyHunters typically publish or auction data. Watch the leak site for the academic victims especially.
- The next ERP zero-day. Two 9.8s in eight months is a trend, not a coincidence. ERP patch velocity is now a board-level risk.
Our take
This breach is a clean, ugly demonstration that "internet-exposed ERP with an unauthenticated RCE" is the highest-leverage target on the internet right now. The technical details matter (SSRF into RCE, MeshCentral dressed as Azure, zstd exfiltration), but the strategic lesson is simpler: ERP platforms hold the most sensitive data an organization owns and are patched too slowly to survive a scripted zero-day campaign. Nissan's exposed payroll data and dozens of breached universities are the cost of that gap. Two CVSS 9.8 Oracle ERP zero-days in under a year should end any illusion that these systems can be treated as low-urgency infrastructure. Patch fast, shrink the perimeter, and assume the next one is already being scanned for.
- Advisory: CISA Known Exploited Vulnerabilities (CVE-2026-35273 listing and deadlines)
- Threat intel: Google confirms ShinyHunters exploitation (attribution and scope)
- Disclosure: Nissan breach disclosure (employee data exposed)
- Vendor: Oracle addresses the PeopleSoft flaw (the emergency patch)
Original analysis by GenZTech. Details as reported by BleepingComputer and CISA, 2026.
