A critical zero-day in Oracle PeopleSoft turned enterprise HR and finance servers into an open door for the ShinyHunters extortion crew. Tracked as CVE-2026-35273 and rated CVSS 9.8, the flaw let attackers run code on unpatched PeopleSoft systems with no login required, and they used it for weeks before Oracle shipped an emergency fix. The victim list already spans a car maker, an insurance regulator and dozens of universities. This is the second Oracle ERP zero-day of this severity in under a year, and that pattern is the real story.

  • CVE-2026-35273 is an unauthenticated SSRF-to-RCE flaw (CVSS 9.8) in PeopleSoft's PSEMHUB component, exploitable over plain HTTP with no login and no user interaction.
  • Attributed to ShinyHunters (UNC6240 / Bling Libra) by Mandiant and Google's threat team, it was exploited as a zero-day from May 27 to June 9, before Oracle's out-of-band patch on June 10.
  • The campaign hit 300+ PeopleSoft instances across 100+ organizations, and Google says roughly two-thirds were universities and colleges.
  • Nissan confirmed stolen employee data including Social Security numbers, banking and tax information; the NAIC insurance body said only public data was taken. CISA added the flaw to its KEV catalog on June 12.

[Figure: How the PeopleSoft zero-day attack chain worked. Attacker (no auth, HTTP) → PSEMHUB (SSRF then RCE) → MeshCentral (masked as Azure) → C2 + exfil (zstd, ransom note).]
Fig 1 The chain: an unauthenticated HTTP request triggers SSRF in PSEMHUB, escalates to RCE, then the crew installs MeshCentral disguised as an Azure service and exfiltrates data with zstd before dropping a ransom note.

What is CVE-2026-35273?

It is an unauthenticated server-side request forgery that chains into remote code execution, sitting in the Updates Environment Management (PSEMHUB) component of PeopleSoft PeopleTools 8.61 and 8.62. Rated CVSS 9.8, it needs no authentication, no user interaction and works over plain HTTP, so any attacker who can reach a vulnerable instance can achieve full code execution. That combination, network-reachable plus no credentials, is the worst case for an internet-exposed enterprise app, and PeopleSoft runs exactly the kind of HR and finance data attackers want.


How did ShinyHunters exploit it?

Mandiant and Google's Threat Intelligence Group attribute the campaign to UNC6240, the crew publicly known as ShinyHunters (also tracked as Bling Libra), a financially motivated extortion group. They exploited the flaw as a zero-day from May 27, more than two weeks before Oracle's advisory, using automated scripts to hit servers at scale. After gaining code execution they deployed MeshCentral remote-management agents disguised as legitimate Microsoft Azure services, with filenames like meshagent64-azure-ops.exe and command-and-control routed to a domain dressed up to look Azure-related. Data was compressed with zstd and exfiltrated, and compromised servers were tagged with a ransom note file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.

Who got breached?

The scope is broad: over 300 PeopleSoft instances at more than 100 organizations, with Google noting about two-thirds were academic institutions. Nissan confirmed a breach affecting current and former employees in the US, Canada, Mexico and Brazil, with data that may include Social Security numbers, banking, financial and tax information. The National Association of Insurance Commissioners said the attackers took only publicly available data, outdated logs and configuration files. The University of Nottingham is widely believed to be a victim, and Illinois Central College and Moody Bible Institute appear on the group's leak site.

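|          | PeopleSoft (CVE-2026-35273) | Oracle E-Business Suite (CVE-2025-61882) |
|----------|-----------------------------|------------------------------------------|
| Severity | CVSS 9.8                    | CVSS 9.8                                 |
| Crew     | ShinyHunters (UNC6240)      | Cl0p                                     |
| When     | Zero-day from May 27, 2026  | From August 2025                         |
| Class    | Unauth SSRF to RCE          | Unauth RCE                               |
| Target   | Enterprise ERP              | Enterprise ERP                           |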

Why are ERP platforms the new prime target?

Because they concentrate the crown jewels: payroll, banking details, tax IDs and employee records, all in one internet-reachable system that is painful to patch on a normal cycle. This is the second CVSS 9.8 Oracle ERP zero-day exploited in under eight months, following Cl0p's abuse of an E-Business Suite flaw starting in August 2025. Organized extortion groups have industrialized the playbook: find one unauthenticated RCE in a widely deployed ERP, script it, hit hundreds of orgs before a patch exists, then extort. ERP has become to 2025 and 2026 what managed file-transfer tools were to earlier campaigns.


How do you defend PeopleSoft right now?

Patch as an emergency if you run PeopleTools 8.61 or 8.62, then reduce exposure. Security researchers recommend disabling or restricting the PSEMHUB service and blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter. Monitor outbound SMB traffic on TCP/445 from PeopleSoft servers for NetNTLM hash-capture attempts, and hunt for unauthorized remote-management tools, especially MeshCentral agents masquerading as Azure services. Assume that any exposed, unpatched instance during the exploitation window was probed.

  1. May 27: Zero-day exploitation begins. ShinyHunters scripts hit PeopleSoft at scale.
  2. Jun 9: Active exploitation window closes. 300+ instances, 100+ orgs compromised.
  3. Jun 10: Oracle ships emergency patch. Out-of-band fix for CVE-2026-35273.
  4. Jun 12: CISA adds it to KEV. Federal agencies ordered to remediate.
  5. Jun 25 to 29: Nissan discloses. Employee SSNs, banking and tax data exposed.

What to watch · 2026
  • The victim list grows. With 100+ orgs hit and only a few named, expect a steady drip of disclosures over the coming weeks.
  • Extortion follow-through. ShinyHunters typically publish or auction data. Watch the leak site for the academic victims especially.
  • The next ERP zero-day. Two 9.8s in eight months is a trend, not a coincidence. ERP patch velocity is now a board-level risk.

Our take

This breach is a clean, ugly demonstration that "internet-exposed ERP with an unauthenticated RCE" is the highest-leverage target on the internet right now. The technical details matter (SSRF into RCE, MeshCentral dressed as Azure, zstd exfiltration), but the strategic lesson is simpler: ERP platforms hold the most sensitive data an organization owns and are patched too slowly to survive a scripted zero-day campaign. Nissan's exposed payroll data and dozens of breached universities are the cost of that gap. Two CVSS 9.8 Oracle ERP zero-days in under a year should end any illusion that these systems can be treated as low-urgency infrastructure. Patch fast, shrink the perimeter, and assume the next one is already being scanned for.

Primary sources

Original analysis by GenZTech. Details as reported by BleepingComputer and CISA, 2026.