Nissan Americas filed a notification with the California Attorney General on June 27, 2026, confirming that employee personal data was exposed between May 27 and June 9. The intrusion exploited CVE-2026-35273, a zero-day vulnerability in Oracle PeopleSoft PeopleTools carrying a CVSS 9.8 score, amid a campaign that hit more than 100 organizations and roughly 300 PeopleSoft instances globally. This case marks a turning point: the HR system of one of the world's largest automakers became the vehicle for industrial-scale identity theft, exposing data that cannot be revoked like a password.
- Nissan Americas officially disclosed a May 27–June 9, 2026 breach exposing SSNs, tax records, banking data, and beneficiary information for employees in the United States, Canada, Mexico, and Brazil.
- CVE-2026-35273, rated CVSS 9.8 by the National Vulnerability Database, enables unauthenticated remote code execution via HTTP in the PeopleTools Environment Management Hub component, versions 8.61 and 8.62.
- Mandiant/Google Threat Intelligence confirmed that ShinyHunters activity (tracked as UNC6240) preceded Oracle's June 10 advisory, documenting zero-day exploitation.
- CISA added the vulnerability to its Known Exploited Vulnerabilities catalog with a remediation deadline of June 15, 2026, signaling federal priority.
The Mechanism: An Unauthenticated HTTP Endpoint Becomes a Master Key
According to the official CVE record published by NVD, CVE-2026-35273 stems from a missing authentication check in the PeopleSoft PeopleTools Environment Management Hub (EMHub). The component, designed for centralized management of PeopleSoft environments, exposes an HTTP endpoint reachable from the network without any authentication. The missing check, classified as CWE-306, allows a remote attacker to execute arbitrary code with privileges equivalent to the application service.
Rescana's technical advisory details that affected versions are Oracle PeopleTools 8.61 and 8.62. The attack vector is entirely network-based: the CVSS 3.1 vector reports network access, low attack complexity, no privileges required, no user interaction needed, with total impact on confidentiality, integrity, and availability. This configuration makes the vulnerability exploitable in an automated fashion at scale.
Mandiant/Google verified that threat actors chained CVE-2026-35273 with older, already-patched Oracle vulnerabilities to escalate privileges and bypass network segmentation, establishing persistent access via web shells. The sequence points to a structured chain built for deep penetration into ERP systems rather than an isolated exploit.
The Nissan Timeline: When the Vendor Calls It a "Cyber Event" and the FAQ Says "Unknown"
Converging sources — the California AG filing reported by Gadget Review and the employee notification seen by The Register — trace a precise timeline. Malicious activity in Nissan's systems occurred between May 27 and June 9, 2026. Oracle notified Nissan of "a cyber event involving the personnel records of hundreds of companies," according to the legal filing text cited by The Register. Nissan then began individual employee notifications.
However, a significant internal inconsistency emerges. The employee FAQ, quoted verbatim by The Register, attributes the incident to "an unknown vulnerability in Oracle's PeopleSoft software" weeks after the CVE's public disclosure and Oracle's advisory. Read through a regulatory compliance lens, this phrasing raises questions about how quickly threat intelligence propagates between vendor and enterprise customers, despite the case's critical severity.
Declared exposed data includes: national identification numbers including SSNs and Canadian SINs; contact information; banking data; financial and tax records; details on employees and dependents. The impact geography spans four countries — United States, Canada, Mexico, and Brazil — indicating the compromised PeopleSoft environment managed transnational payroll.
ShinyHunters and the Global Campaign: Over 100 Organizations, One Operational Signature
Mandiant/Google Threat Intelligence confirmed attribution of the zero-day exploitation to the UNC6240 activity cluster, associated with the ShinyHunters group. The official statement reports that "the activity is consistent with the exploitation of CVE-2026-35273" and that "this activity predates Oracle's June 10, 2026 advisory: the vulnerability was exploited as a zero-day." The verb is indicative, not conditional: this is technical confirmation, not hypothetical correlation.
The campaign's scope is quantified in convergent but non-identical terms across sources. Mandiant/Google notified over 100 potentially affected organizations. Gadget Review, citing field data, reports roughly 300 compromised PeopleSoft instances globally. These numbers, though derived from different methodologies — intelligence notifications versus technical detections — indicate an extended attack surface across the mid-to-large enterprise fabric.
The National Association of Insurance Commissioners (NAIC) was confirmed as a victim in the same campaign by SecurityWeek, though the group partially retracted its claims on data volumes. Rescana mentions Cl0p involvement; however, this assertion is not corroborated by the available primary sources.
Immediate Actions
Verify patch status on PeopleTools 8.61 and 8.62. Oracle's June 10, 2026 advisory made the fix available; internet-exposed instances must be prioritized for application, with the CISA KEV deadline at June 15.
Isolate or restrict access to the Environment Management Hub. If immediate patching is not feasible, restricting EMHub to segmented networks or VPN access is the mitigation indicated by technical sources.
Review for web shells and persistent access. The attack chain documented by Mandiant involves post-exploitation web shell installation; patching alone without verification of prior compromise leaves residual actor access.
Nissan employees: monitor credit and identity. The company communicated the provision of credit monitoring and dark web surveillance services; activation of these services is recommended given the irreversibility of Social Security number exposure.
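To support the EMHub isolation and compromise-review steps above, the following added example (not taken from Oracle, Mandiant or any cited source) lists access-log requests to EMHub that came from outside the management network during a chosen window. The `/PSEMHUB/` path prefix, the combined access-log format, the network ranges and the sample lines are assumptions to adjust for your deployment.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Access-log prefix: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def flag_emhub_requests(lines, allowed_nets, start, end, prefix="/PSEMHUB/"):
    """Return EMHub requests within [start, end] from sources outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # Compare case-insensitively; the prefix itself is an assumption.
        if not m["path"].upper().startswith(prefix.upper()):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if not (start <= when <= end) or any(src in n for n in nets):
            continue
        hits.append((m["ip"], when.isoformat(), m["method"], m["path"],
                     int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '10.20.0.5 - - [28/May/2026:02:11:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.44 - - [28/May/2026:02:14:31 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 2048',
    '203.0.113.44 - - [28/May/2026:02:15:02 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9000',
    '198.51.100.7 - - [05/Jun/2026:10:00:00 +0000] "GET /psemhub/hub HTTP/1.1" 403 120',
    '198.51.100.7 - - [20/Jun/2026:10:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 403 120',
]
ALLOWED = ["10.20.0.0/24"]  # assumed management network
START = datetime(2026, 5, 27, tzinfo=timezone.utc)
END = datetime(2026, 6, 9, 23, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in flag_emhub_requests(SAMPLE, ALLOWED, START, END):
        print(hit)
```

A hit shows that EMHub was reachable from an untrusted source and gives a starting timestamp for the web shell review; it is not by itself evidence of compromise.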
"the activity is consistent with the exploitation of CVE-2026-35273... this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day" — Mandiant/Google Threat Intelligence
Why the Nissan FAQ Still Says "Unknown": A Systemic Signal
The persistence of the "unknown vulnerability" phrasing in Nissan's internal materials, weeks after the CVE publication and CISA catalog inclusion, is not an isolated anomaly. It reflects structural latency in translating threat intelligence into operational language for non-technical staff communication. More significantly, it indicates that the gap between technical disclosure and organizational risk perception remains measurable in week-long cycles, even for companies with established institutional response capabilities.
The incident places HR ERP systems in a distinct risk category from traditional ransomware targets. Payroll databases contain data with decade-long utility — non-rotatable SSNs, tax records with value for long-term fraud — that transcend the immediate impact model typical of file encryption. The absence of a revocation mechanism for this class of information makes exposure definitive for affected individuals, regardless of subsequent containment measures adopted by the organization.
For enterprises maintaining exposed PeopleSoft instances, the Mandiant-documented campaign serves as a reference point: zero-day exploitation is not hypothetical but verified, the attack surface is identified, and the federal deadline has passed or is imminent. The margin for preventive action has narrowed to an interval measured in days.
Information verified against cited sources and current as of publication.
Sources
- https://www.securityweek.com/insurance-regulators-group-naic-hit-in-oracle-peoplesoft-hack/
- https://www.gadgetreview.com/nissan-oracle-peoplesoft-breach-exposed-employee-ssns-and-payroll-data
- https://www.theregister.com/security/2026/06/29/nissan-says-oracle-peoplesoft-break-in-may-have-spilled-payroll-records-ssns/5263534
- https://www.rescana.com/post/oracle-peoplesoft-peopletools-zero-day-cve-2026-35273-actively-exploited-urgent-patch-required-to-prevent-ransomware-and
- https://nvd.nist.gov/vuln/detail/cve-2026-35273
- https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/