
Oracle PeopleSoft CVE-2026-35273 ShinyHunters exploitation

Summary

CVE-2026-35273 is a critical unauthenticated remote-code-execution vulnerability in Oracle PeopleSoft PeopleTools. Google Mandiant and Google Threat Intelligence Group reported active exploitation by UNC6240 / ShinyHunters against Oracle PeopleSoft application infrastructure between 2026-05-27 and 2026-06-09, before Oracle published its 2026-06-10 advisory. Mandiant assessed the activity as zero-day exploitation aligned to exposed Environment Management Hub (PSEMHUB) endpoints.

The campaign matters because it combines internet-facing enterprise application RCE, higher-education concentration, attacker-operated remote-management staging, lateral movement from PeopleSoft systems, and public extortion through the ShinyHunters data-leak site.

Why this matters

  • Oracle says CVE-2026-35273 is remotely exploitable without authentication and may result in remote code execution.
  • Mandiant observed exploitation before Oracle's advisory, making patch timing and exposure reduction urgent for defenders that operated PeopleSoft during the late-May / early-June window.
  • GTIG notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints; Mandiant said 68% were higher-education institutions.
  • The actor used attacker staging servers with exposed Python SimpleHTTP directories, customized MeshCentral agents, and command history that revealed PeopleSoft reconnaissance, lateral-movement preparation, and links to the ShinyHunters data-leak site.
  • Public victim data appeared on the ShinyHunters DLS on 2026-06-09, tying technical exploitation to extortion impact rather than scanner-only activity.

Operational characteristics

  • Affected product: Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, with Oracle noting that PeopleSoft Enterprise Applications customers may also be affected.
  • Exploitation window: Mandiant reports observed activity from 2026-05-27 through 2026-06-09.
  • Entry point: activity aligned with targeting of PeopleSoft Environment Management Hub (PSEMHUB) endpoints, including POST /PSEMHUB/hub; Mandiant also highlights /PSIGW/HttpListeningConnector as a sensitive externally exposed endpoint to restrict and audit.
  • Staging infrastructure: public reports led GTIG to five sequential attacker IPs: 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, and 142.11.200.190, each hosting Python SimpleHTTP servers on port 8888 with staging material and command history.
  • Remote management: exposed history showed MeshCentral 1.1.59 installation and use of meshctrl.js; the actor used acme-client for Let's Encrypt certificate automation for azurenetfiles.net.
  • Reconnaissance: commands inspected PeopleSoft mount points, psappsrv.cfg, and WebLogic config.xml to map PeopleSoft application and process-scheduler environments.
  • Lateral movement / extortion staging: Mandiant describes customized MeshCentral agents and a victim-specific [victim_abbreviation]_fanout.sh script that copied README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories.
  • Leak-site connection: Mandiant reports the staging command history ended with outbound SSH to 176.120.22.24, an IP hosting the public clearnet mirror of the ShinyHunters DLS.

Defender heuristics

  • Apply Oracle's CVE-2026-35273 security alert mitigations and patches for supported PeopleTools versions immediately.
  • Disable the Environment Management Hub service in multi-server configurations, or remove the PSEMHUB application in single-server configurations, following Oracle's advisory guidance as summarized by Mandiant.
  • If EMHub cannot be disabled, block external access to /PSEMHUB/*, especially /PSEMHUB/hub, and /PSIGW/HttpListeningConnector at the perimeter. Mandiant cautions that WAF body-inspection rules alone are insufficient.
  • Audit PIA WebLogic access logs for external or untrusted POST /PSEMHUB/hub and POST /PSIGW/HttpListeningConnector requests.
  • Inspect <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ for unexpected .jsp files that are not part of the shipped product.
  • Review PSEMHUB.war/envmetadata/transactions/ plus unexpected logs, persistantstorage, or scratchpad directories under PSEMHUB paths for staged files or binary drops.
  • Monitor PeopleSoft hosts for outbound SMB (TCP/445) to untrusted internet destinations; Mandiant notes the exploit chain may coerce outbound SMB to capture Windows machine-account NetNTLM hashes.
  • Hunt for MeshCentral artifacts, meshctrl.js execution, Let's Encrypt automation for suspicious cloud-themed domains, and extortion marker files in WebLogic or Process Scheduler directories.
  • Treat exposed or exploited PeopleSoft systems as potential enterprise footholds: preserve WebLogic logs, web-tier filesystem evidence, process scheduler configs, outbound flow logs, endpoint telemetry, and any staged scripts before remediation.
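The access-log audit described in the heuristics above can be scripted. The following is an added example, not code from Mandiant, Oracle or the PeopleSoft product: it parses WebLogic access-log lines in Common Log Format, flags POST requests to /PSEMHUB/* and /PSIGW/HttpListeningConnector whose source address falls outside an assumed set of trusted ranges, and summarizes hits per source. The log lines, the trusted-network list and the IP addresses in them are constructed for the example; the trusted ranges (RFC 1918 plus loopback) are an assumption and should be replaced with the networks that legitimately reach the PIA tier.

```python
import ipaddress
import re

# Endpoints Mandiant highlights as sensitive when externally exposed.
# Any path under /PSEMHUB/ is covered, plus the Integration Gateway listener.
PSEMHUB_PREFIX = "/psemhub/"
HTTP_LISTENING_CONNECTOR = "/psigw/httplisteningconnector"

# Assumption: source ranges allowed to reach these endpoints (constructed for
# the example; replace with the real PIA / admin networks).
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# WebLogic access log, Common Log Format:
#   host ident user [timestamp] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log lines (documentation IPs; not observed attacker traffic).
SAMPLE_LOG = """\
10.20.30.40 - - [28/May/2026:09:12:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120
203.0.113.7 - - [28/May/2026:09:14:33 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812
203.0.113.7 - - [28/May/2026:09:14:35 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0
192.168.5.9 - - [28/May/2026:09:20:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812
198.51.100.22 - - [28/May/2026:10:01:47 +0000] "GET /PSEMHUB/hub HTTP/1.1" 405 0
"""


def is_trusted(ip_str):
    """True if the client address lies inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Hostnames or malformed fields are treated as untrusted so they surface.
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Drop the query string and lower-case so casing tricks do not evade the match."""
    return path.split("?", 1)[0].lower()


def is_sensitive(path):
    """Sensitive targets: anything under /PSEMHUB/ or the Integration Gateway listener."""
    p = normalize_path(path)
    return p.startswith(PSEMHUB_PREFIX) or p == HTTP_LISTENING_CONNECTOR


def find_suspicious(lines):
    """Return POSTs to sensitive endpoints from untrusted sources, oldest first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and is_sensitive(rec["path"]) and not is_trusted(rec["host"]):
            hits.append({
                "src": rec["host"],
                "ts": rec["ts"],
                "path": normalize_path(rec["path"]),
                "status": int(rec["status"]),
            })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address for quick triage."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG.splitlines())
    for h in flagged:
        print(f"{h['ts']} {h['src']} POST {h['path']} -> {h['status']}")
    print("per-source:", summarize_by_source(flagged))
```

Run it against a real log with `find_suspicious(open(path))`; a non-2xx status on a flagged POST still merits review, since reconnaissance and failed attempts precede successful exploitation. GET requests to /PSEMHUB/* from outside are not flagged here but are worth a lower-severity rule of their own.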

Attribution notes

  • Google Mandiant / GTIG attribute the campaign to UNC6240 (ShinyHunters).
  • Keep the technical exploitation chain separate from broader ShinyHunters ecosystem claims unless supported by primary reporting.

Sources

  • Google Cloud / Mandiant: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/
  • Oracle security alert for CVE-2026-35273: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
  • The Hacker News summary: https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html