Oracle PeopleSoft CVE-2026-35273: 100 Organizations Breached, Close PSEMHUB Now

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
ShinyHunters breached 100 organizations across 14 days by exploiting CVE-2026-35273, a CVSS 9.8 unauthenticated RCE in Oracle PeopleSoft's PSEMHUB component, stealing 455,000 personal records including passport numbers and disability data from University of Nottingham before Oracle published its first advisory on June 10, 2026.
CVE-2026-35273 is a critical remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, specifically the Environment Management Hub (PSEMHUB) component. The flaw requires no authentication and no user interaction: an attacker needs only HTTP network access to the PSEMHUB endpoint to execute arbitrary code as the PeopleSoft service account. Google Threat Intelligence Group (GTIG), tracking ShinyHunters as UNC6240, notified over 100 global organizations after confirming active exploitation between May 27 and June 9, 2026.
The attack chain ShinyHunters developed exploits a logic flaw in PSEMHUB's XML deserialization routine, deploys custom MeshCentral remote management agents disguised as Microsoft Azure binaries, exfiltrates data using the zstd compression tool, and leaves a README ransom note in PeopleSoft directories. Sixty-eight percent of confirmed victims were higher education institutions, where PeopleSoft serves as the primary ERP platform for student records, HR, financial aid, and research administration.
As of June 12, 2026, Oracle has released emergency mitigation guidance but no permanent patch. Your PeopleSoft PSEMHUB endpoints are either already blocked or they remain reachable by ShinyHunters infrastructure today. The gap is architectural: PSEMHUB was never designed to face the public internet. Close it this weekend.
How Does Oracle PeopleSoft CVE-2026-35273 PSEMHUB RCE Work?
CVE-2026-35273 is a remote code execution vulnerability in the Environment Management Hub component of Oracle PeopleSoft PeopleTools, affecting versions 8.61 and 8.62. The flaw requires no authentication, no user interaction, and no privileged network position. An attacker needs only HTTP access to a vulnerable PeopleSoft instance to execute arbitrary code as the PeopleSoft service account.
PSEMHUB runs as part of the PeopleSoft web layer and is accessible via the /PSEMHUB/hub endpoint. Oracle designed PSEMHUB to allow PeopleTools administrators to manage distributed environment configurations across multi-server PeopleSoft deployments. Many organizations leave the PSEMHUB endpoint reachable from external networks alongside the PeopleSoft Portal login page, assuming it functions only as an internal administrative tool.
The technical mechanism ShinyHunters exploited combines legacy XML deserialization weaknesses in the PSEMHUB request handling pipeline with a zero-day logic flaw that bypasses input validation. Sending a specially crafted HTTP POST request to /PSEMHUB/hub triggers XMLDecoder processing on attacker-controlled input, which allows arbitrary Java object instantiation and code execution within the PSEMHUB JVM process. The related /PSIGW/HttpListeningConnector endpoint carries a similar exposure surface and was observed in attacker reconnaissance activity during the campaign.
Once code executes, ShinyHunters deployed a MeshCentral remote management agent renamed to mimic Microsoft Azure service binaries, establishing a persistent, interactive C2 channel over azurenetfiles.net. From that foothold, the group conducted SSH-based lateral movement by parsing /etc/hosts to identify other PeopleSoft-related systems, then exfiltrated compressed archives using the zstd tool to attacker-controlled infrastructure.
Oracle's vulnerability disclosure credited TrendAI Zero Day Initiative and TrendAI Research with the discovery. The June 10, 2026 advisory covers PeopleTools 8.61 and 8.62 on Premier and Extended Support. Earlier, unsupported versions are also likely affected but are not eligible for the mitigation package.
ShinyHunters Campaign Scope: Who Is at Risk Today?
ShinyHunters, tracked by Mandiant as UNC6240, ran their Oracle PeopleSoft zero-day campaign from May 27 through June 9, 2026. Google Threat Intelligence Group confirmed the exploitation scope and notified over 100 organizations whose external IP ranges correlated with vulnerable PeopleSoft endpoints identified through internet-wide scanning.
Sixty-eight percent of the confirmed targets were higher education institutions. PeopleSoft is the dominant ERP platform in the university sector, used worldwide to manage student records, HR, financial aid, payroll, and research administration. The combination of a high-value data profile and historically slower patch cycles in academic IT environments made universities the primary target for this campaign.
The United States accounted for the majority of confirmed victims, reflecting both PeopleSoft's market concentration in American universities and the density of internet-accessible PeopleSoft deployments in that geography. University of Nottingham is the only organization to have publicly confirmed unauthorized activity as of June 12, 2026.
ShinyHunters' PSEMHUB campaign represents a capability escalation from the group's prior operations. Earlier attacks relied on voice phishing to compromise Okta or Salesforce credentials before exfiltrating SaaS platform data, as documented in the ShinyHunters Canvas LMS breach of 275 million student records. The PSEMHUB zero-day requires no phishing, no credential theft, and no insider access. Network reachability to a vulnerable endpoint is the entire requirement for initial access.
The campaign used a consistent attacker infrastructure pattern. Five sequential IP addresses in the 142.11.200.186-142.11.200.190 range hosted Python SimpleHTTP servers on port 8888 for payload staging. The domain azurenetfiles.net, which mimics the legitimate Azure NetApp Files service name, served as the primary C2 endpoint for MeshCentral-based remote access after initial exploitation.
“Google Threat Intelligence Group notified over 100 global organizations whose IP addresses correlated with potentially vulnerable PeopleSoft endpoints. 68% of victims were concentrated in the higher education sector.”
Google Threat Intelligence Group, June 2026
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
University of Nottingham Breach: What ShinyHunters Stole
University of Nottingham is the first confirmed victim to publicly acknowledge the breach, and the scope of the stolen data illustrates why higher education PeopleSoft deployments carry exceptional risk in this campaign.
ShinyHunters published 455,000 unique email addresses from Nottingham's PeopleSoft environment, with associated personal data including full names, postal addresses, telephone numbers, passport numbers, ethnicity, and disability status. The disclosure of disability status and ethnicity alongside identification documents creates compounding harm: the combination is sufficient for targeted identity fraud, discriminatory profiling, or coercive approaches using sensitive information as leverage.
Staff salary data was also reported as part of the stolen dataset, adding financial exposure for every current and former Nottingham employee whose records were held in the PeopleSoft HR module during the compromise window. PeopleSoft's role as an integrated ERP system means a single compromised instance can yield HR records, student financial data, research grant information, and administrative credentials in a single exfiltration operation.
ShinyHunters' post-exploitation pattern in this campaign followed a documented extortion playbook. After achieving code execution and establishing persistence via the MeshCentral agent, the group deposited README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT files in PeopleSoft directories as both a notification mechanism and a proof-of-access signal to the victim. Data was then compressed with zstd and exfiltrated via SSH to attacker-controlled infrastructure before any ransom demand.
Organizations in the education, healthcare, and financial services sectors running PeopleSoft HR or student information modules face the highest data sensitivity risk if PSEMHUB was reachable during the May 27 to June 9 window. The ServiceNow data breach from unauthenticated API exposure followed a structurally similar pattern: an internal management interface reachable from the public internet became the entry point for a mass data theft campaign.
CVE-2026-35273 IOCs: Detect the PSEMHUB Attack in Your Environment
Active detection requires reviewing WebLogic access logs for POST requests originating from external IP addresses targeting the /PSEMHUB/hub or /PSIGW/HttpListeningConnector paths. Any external POST to these paths during or after the May 27 to June 9 exploitation window warrants immediate incident investigation.
Six specific filesystem indicators correlate with confirmed ShinyHunters exploitation in this campaign.
Unexpected .jsp files under the PSEMHUB.war deployment directory indicate webshell deployment. ShinyHunters used JSP-based persistence mechanisms in addition to the MeshCentral agent to maintain access across PeopleSoft server restarts.
Recently modified .xml files in the PSEMHUB configuration paths indicate XMLDecoder-based persistence implants. Modifications to configuration XML during the campaign window, particularly files the PeopleSoft service account would not normally write, are high-fidelity indicators of compromise.
README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT files deposited in PeopleSoft application directories confirm post-exploitation activity in all documented victims.
Binaries masquerading as Azure or Microsoft service names in PeopleSoft service account home directories or in /tmp indicate deployed MeshCentral agents. ShinyHunters used naming conventions like AzureNetFiles.service or azure-monitoring-agent to blend with legitimate Azure tooling on mixed-environment servers.
Outbound SMB traffic on port 445 from PeopleSoft application hosts to external IP addresses is anomalous and indicates lateral movement or data staging activity.
DNS queries or connections to azurenetfiles.net from any internal host confirm active MeshCentral C2 communication.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation: Close the PeopleSoft Exposure Before the Weekend
No permanent patch for CVE-2026-35273 exists as of June 12, 2026. Oracle's emergency advisory requires a support portal login, and mitigation package availability varies by PeopleTools version and support tier. Every organization with a PeopleSoft deployment must treat this as an architectural risk to eliminate this weekend, not a software update to schedule next month.
The gap to close is the exposure of PSEMHUB to external networks. Internal-only PSEMHUB access breaks the exploit chain entirely regardless of patch status: the vulnerability requires network reachability to the /PSEMHUB/hub endpoint. Blocking that access is a firewall change that takes minutes and does not require Oracle involvement, test environment validation, or a maintenance window approval.
For organizations that have already restricted PSEMHUB, the remediation priority shifts to determining whether the endpoint was reachable between May 27 and June 9, and if so, confirming whether IOCs described in the previous section are present in logs and on the filesystem.
Apply these steps in order before Monday:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why Oracle PeopleSoft CVE-2026-35273 Matters for Your Organization
Oracle PeopleSoft CVE-2026-35273 is not a narrow academic sector problem. PeopleSoft is deployed across financial services organizations, healthcare systems, government agencies, and large enterprises for HR, payroll, procurement, and financial management. Any PeopleSoft instance with internet-facing PSEMHUB access carries the same CVSS 9.8 exposure that put 100+ organizations at risk between May 27 and June 9.
The scale of ShinyHunters' ambition in this campaign reflects a shift in extortion group targeting. Earlier UNC6240 operations relied on social engineering and credential theft against cloud SaaS platforms. Developing and operationalizing a PeopleSoft zero-day requires significantly deeper capability investment, signaling that this group has moved from opportunistic credential abuse to vulnerability research and exploit development. The same infrastructure and TTPs can be retargeted against any reachable PeopleSoft instance, regardless of sector.
The data sensitivity profile of PeopleSoft deployments amplifies the impact of any breach. A single compromised PeopleSoft instance typically contains data that regulators treat as highest risk: passport numbers, disability records, salary information, financial aid details, and research grant administration data. A breach that triggers GDPR notification obligations, FERPA violation investigations, or SEC cybersecurity incident disclosures carries compliance cost that can exceed the operational value of leaving PSEMHUB accessible.
The absence of a permanent patch makes the exposure window open-ended. Organizations that cannot immediately apply Oracle's emergency mitigation should treat network isolation of PSEMHUB as a non-negotiable interim control. A PeopleSoft deployment that cannot be accessed over PSEMHUB from the public internet remains fully functional for its internal users. A PeopleSoft deployment that remains accessible to ShinyHunters infrastructure is an active liability.
“The University of Nottingham confirmed unauthorized activity on its systems. Reports indicate approximately 40 gigabytes of data stolen including 455,000 unique email addresses, passport numbers, and disability information.”
BleepingComputer, June 2026
The bottom line
Oracle PeopleSoft CVE-2026-35273 is a CVSS 9.8 unauthenticated RCE that gave ShinyHunters code execution on 100+ organizations before Oracle published any advisory. No permanent patch exists as of June 12, 2026. The attack requires only network access to an internet-facing PSEMHUB endpoint. Three actions before Monday: block /PSEMHUB/* and /PSIGW/HttpListeningConnector at your perimeter firewall, apply Oracle's emergency mitigation via My Support, and hunt WebLogic logs for external POST activity to vulnerable paths dated May 27 or later.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-35273?
CVE-2026-35273 is a CVSS 9.8 critical remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, specifically the Environment Management Hub (PSEMHUB) component. The flaw allows unauthenticated attackers to execute arbitrary code on any PeopleSoft server with an internet-accessible PSEMHUB endpoint by sending a crafted HTTP POST request, requiring no credentials, no user interaction, and no privileged network position.
Is Oracle PeopleSoft CVE-2026-35273 patched?
As of June 12, 2026, Oracle has not released a permanent patch for CVE-2026-35273. Oracle published an emergency advisory on June 10, 2026, with mitigation guidance available through the Oracle My Support portal for PeopleTools versions 8.61 and 8.62 under Premier or Extended Support. Organizations on unsupported PeopleTools versions receive no mitigation package and must rely entirely on network controls to block PSEMHUB access.
How does ShinyHunters exploit the Oracle PeopleSoft PSEMHUB vulnerability?
ShinyHunters exploits CVE-2026-35273 by sending an unauthenticated HTTP POST request to /PSEMHUB/hub, triggering XML deserialization of attacker-controlled input via Java's XMLDecoder. This enables arbitrary Java object instantiation and code execution in the PeopleSoft JVM. After initial access, the group deploys MeshCentral agents disguised as Microsoft Azure binaries, establishes C2 via azurenetfiles.net, and conducts SSH-based lateral movement by parsing /etc/hosts entries to reach other PeopleSoft-related systems.
What data was stolen in the Oracle PeopleSoft zero-day breach?
University of Nottingham, the only confirmed victim to publicly disclose, reported approximately 40 gigabytes of stolen data including 455,000 unique email addresses with full names, postal addresses, telephone numbers, passport numbers, ethnicity, and disability status. Staff salary data was also reported. PeopleSoft's integrated ERP design means a single breached instance can yield HR records, student financial data, research grant information, and administrative credentials simultaneously.
How do I check if my PeopleSoft instance is vulnerable to CVE-2026-35273?
Check whether your PeopleSoft deployment runs PeopleTools 8.61 or 8.62 and whether /PSEMHUB/hub or /PSIGW/HttpListeningConnector is reachable from external networks. Review WAF logs or run an external port scan to determine if those paths receive traffic from untrusted IP ranges. If you run an unsupported PeopleTools version, assume vulnerability and isolate PSEMHUB at the network perimeter immediately regardless of patching eligibility.
What are the IOCs for the Oracle PeopleSoft ShinyHunters attack?
Published IOCs include the IP range 142.11.200.186 through 142.11.200.190, standalone IPs 108.174.202.99 and 176.120.22.24, and the C2 domain azurenetfiles.net. Filesystem indicators include unexpected .jsp files in PSEMHUB.war, recently modified .xml configuration files in PSEMHUB paths, README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT files, and MeshCentral binaries with Azure-mimicking names. Outbound SMB traffic on port 445 from PeopleSoft hosts to external IPs also indicates lateral movement.
How do I mitigate CVE-2026-35273 without a permanent patch?
Block all external HTTP and HTTPS access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at your perimeter firewall or WAF. This eliminates the attack surface because the vulnerability requires network reachability to execute. Then apply Oracle's emergency advisory from My Support, block azurenetfiles.net at your DNS firewall, add ShinyHunters infrastructure IPs to your blocklist, and review WebLogic logs for POST requests to vulnerable paths dated May 27 or later.
Which sectors does ShinyHunters target in 2026?
ShinyHunters targeted higher education in 68 percent of the PeopleSoft zero-day campaign, primarily US universities using PeopleSoft for student records, HR, and financial aid. In prior 2026 operations, the group attacked telecom companies including Charter Communications, SaaS platforms including Canvas LMS and Salesforce-connected systems, and healthcare organizations. The group selects targets based on data richness rather than sector, making any organization holding high-value personal data in internet-accessible systems a candidate.
Sources & references
- Oracle Security Alert Advisory CVE-2026-35273
- BleepingComputer: Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
- The Hacker News: ShinyHunters Exploits Oracle PeopleSoft Zero-Day CVE-2026-35273
- SecurityWeek: Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters
- Rapid7: Critical Check Point VPN Zero-Day Exploited in the Wild
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
