CVE-2026-35273, a CVSS 9.8 unauthenticated RCE, has been exploited by ShinyHunters since May 27. Over 100 organizations notified, most of them universities; MeshCentral implants and SSH credential spraying drive the attack chain.
ShinyHunters has conducted a large-scale campaign against Oracle PeopleSoft platforms in the higher education sector, exploiting the zero-day CVE-2026-35273 since at least May 27, 2026, two weeks before Oracle's June 10 patch. The attack marks a shift in the group's operational profile, previously known mainly for low-complexity, identity-centric tactics: credential stuffing, phishing, and OAuth token abuse. What is new is not the initial access vector by itself, but its convergence with the group's established tradecraft: server-side vulnerability exploitation in on-premises ERP systems, followed by post-exploitation that leverages legitimate identities for lateral movement.
Key Takeaways
  • CVE-2026-35273 is an unauthenticated RCE in Oracle PeopleSoft PeopleTools with a CVSS 9.8 score; CISA added it to the KEV catalog on June 12, 2026, with a June 15, 2026 remediation deadline
  • Mandiant and Google Threat Intelligence Group notified over 100 organizations, 68% in higher education, identifying the UNC6240 cluster
  • Attackers deployed MeshCentral agents disguised as Azure services, with C2 hardcoded to azurenetfiles.net, for persistent access to compromised servers
  • A [victim]_fanout.sh script automated SSH credential spraying against internal hosts enumerated from /etc/hosts, enabling lateral movement with credentials hardcoded in the script and harvested from victim systems

The Attack Chain: From PeopleSoft to the Data Leak Site

The timeline reconstructed by Google Threat Intelligence Group (GTIG) and Mandiant shows a methodical progression. The first MeshCentral C2 server deployment was observed at 22:14 UTC on May 27, 2026. Operators exploited CVE-2026-35273 to achieve remote code execution on internet-exposed Oracle PeopleSoft instances, specifically PeopleTools 8.61 and 8.62; Oracle indicates that earlier, unsupported versions are presumably vulnerable as well.

Post-exploitation followed a repeated pattern: deployment of 32-bit and 64-bit MeshCentral agents renamed "meshagent32-azure-ops.exe" and "meshagent64-azure-ops.exe" respectively, with a hardcoded WebSocket connection to the domain azurenetfiles.net (wss://azurenetfiles.net:443/agent.ashx). Disguising the open-source remote management tool as an Azure component reduces visibility in environments already using Microsoft services, and a TLS WebSocket on port 443 blends in with ordinary outbound HTTPS.

Persistence was accompanied by a lateral movement mechanism documented in the .bash_history files of compromised servers. Attackers wrote and executed scripts named with the pattern [victim_abbreviation]_fanout.sh, which parsed /etc/hosts to enumerate internal targets and performed SSH credential spraying against them via sshpass, using credentials hardcoded in the script. Technical analysis from Rescana and the GTIG report converge on this methodology, indicating an identity-driven approach even after initial access via a software vulnerability.

Exfiltrated data was published on ShinyHunters' Data Leak Site on June 9, 2026, one day before the Oracle advisory. The University of Nottingham confirmed the breach, with approximately 455,000 unique email addresses exposed according to Have I Been Pwned monitoring cited by The Hacker News. The figure is partial: no aggregate numbers are available for the other victims, and the dossier does not specify the full nature of the stolen data beyond contact identifiers.

Why Identity Has Become the Battleground

The PeopleSoft campaign fits a broader pattern that SecurityWeek has documented as characteristic of ShinyHunters: "stolen credentials, compromised OAuth tokens, social engineering, vishing, and abuse of legitimate access privileges." The source notes that "attackers do not necessarily need malware or zero-day exploits" — an observation that makes the exploitation of CVE-2026-35273 a significant exception rather than the norm. The technical reading is that the group is maturing. On-premises ERP targets, traditionally considered outside the focus of financially motivated cybercriminals, offer access to rich datasets with an architecture often less monitored than cloud-native environments. The shift from "log in" to "break in," to use SecurityWeek's phrasing, does not abandon identity as a primary vector: it integrates it with initial access via software vulnerability, then exploits identities and trust relationships to expand the compromise. The fanout script mechanism is exemplary: it is not a zero-day vulnerability, but the abuse of valid credentials already present in systems. Traditional network segmentation fails when the attacker moves with SSH keys or passwords stored in configuration files, and when the first hop is an ERP server connected to directory services and student databases.
"A server-side zero-day in on-premises ERP software is a step up from that, aimed at the same data-rich targets"

What Makes the PeopleSoft Zero-Day Critical

CVE-2026-35273 carries a CVSS 9.8 base score from the National Vulnerability Database, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vector decodes as network-reachable (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Scope is unchanged (S:U), so the score measures the compromised PeopleSoft host itself; the lateral movement described above sits on top of it and is not priced into the number. Affected versions are PeopleTools 8.61 and 8.62; Oracle states that earlier, unsupported versions are presumably vulnerable. Criticality is amplified by the nature of the target software. PeopleSoft is a core ERP for financial management, human resources, and student registration at hundreds of higher education institutions. Its internet exposure, often necessary for student portals and remote staff access, creates an attack surface that traditional perimeter defenses do not adequately cover when the vulnerability resides in the application code itself. CISA added the CVE to the Known Exploited Vulnerabilities catalog on June 12, 2026, requiring remediation by June 15, 2026 for U.S. federal agencies. The speed of KEV inclusion, two days after the advisory, reflects confirmed active exploitation and the criticality of the affected sector.

Open Questions on ShinyHunters' Evolution

The dossier leaves strategic questions unresolved. The Hacker News reports Mandiant's formulation: "The open question is whether this was a one-off borrowed zero-day or the start of ShinyHunters moving into ERP exploitation." The same source raises the issue of technical attribution: whether CVE-2026-35273 was developed or acquired directly by the group, or obtained via exploit supply chain or partnership with other operators. Attribution to UNC6240, Mandiant's tracking designator, does not fully resolve this uncertainty. UNC6240 is classified as an activity cluster, not necessarily identical to the entire ShinyHunters group. Operational overlap — use of the same Data Leak Site, same IoCs, same fanout methodology — supports the identification, but does not exclude affiliated or temporary structures. The discrepancy between the historical identity-centric pattern and the ERP zero-day exploitation suggests two alternative readings. First: ShinyHunters is acquiring APT-like capabilities, possibly through recruitment or exploit acquisition, in an increasingly competitive extortion market. Second: the group identified a specific opportunity in the education sector — legacy systems, limited security budgets, monetizable data — and invested resources in a one-off access vector. The dossier contains no elements to privilege either hypothesis.

Immediate Actions

Priority actions emerge directly from the documented facts.
  • Patch: institutions running Oracle PeopleSoft must verify whether they run an affected PeopleTools version (8.61 or 8.62) and apply the fix from Oracle's June 10, 2026 advisory, noting that full patch documentation requires an Oracle Support login. Unsupported versions have no official patch and Oracle presumes them vulnerable, so they need their own risk assessment and, where possible, removal from internet exposure.
  • Hunt for the documented indicators of compromise: MeshCentral binaries matching the naming pattern "meshagent*-azure-ops.exe", outbound connections (and DNS lookups) to azurenetfiles.net, and scripts matching [abbreviation]_fanout.sh in temporary directories or service-account home directories. The GTIG reconstruction found these artifacts in .bash_history files and in network connection records, so review the shell history of the PeopleSoft service account alongside process and network telemetry.
  • Contain lateral movement: the fanout script analyzed by GTIG and Rescana enumerates targets from /etc/hosts and sprays SSH credentials hardcoded in the script via sshpass. Credentials found in that script, or stored in configuration files and automation reachable from the ERP host, should be treated as exposed and rotated, and SSH password authentication from the ERP tier to other internal hosts should be reviewed.
  • Treat the CISA KEV listing as an elevated-risk signal even outside the federal mandate: June 15, 2026 is the federal remediation deadline, and confirmed active exploitation means the vector is operational, not theoretical.
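The attack chain section and the actions above name three evidence sources (shell history, process and file names, outbound connections) and the indicators to look for in each. The following is an added example, not code from GTIG, Mandiant or Rescana, that applies those indicators to constructed sample data; the IPs, usernames and the "acmeu" victim abbreviation are made up, and the only real indicators are the ones the reports cite (the meshagent*-azure-ops.exe naming, the _fanout.sh naming, sshpass spraying over /etc/hosts, and azurenetfiles.net).

```python
"""Host-side hunt for the indicators reported for the PeopleSoft/UNC6240 intrusions.

Added example, not from the GTIG, Mandiant or Rescana reports. All sample
evidence below is constructed for the example; hosts, users and IPs are made up.
"""
import re
from dataclasses import dataclass

C2_DOMAIN = "azurenetfiles.net"  # reported MeshCentral C2 domain

# Patterns derived from the reported naming conventions and tradecraft.
FANOUT_SCRIPT = re.compile(r"\b\w+_fanout\.sh\b")
SSHPASS_SPRAY = re.compile(r"\bsshpass\b.*\bssh\b")
HOSTS_ENUM = re.compile(r"/etc/hosts")
MESH_AGENT = re.compile(r"meshagent\d*-azure-ops\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str      # "history", "process" or "network"
    indicator: str   # short indicator name
    evidence: str    # the line or record that matched


def scan_history(lines):
    """Match .bash_history lines against the fanout / spraying tradecraft."""
    findings = []
    for line in lines:
        if FANOUT_SCRIPT.search(line):
            findings.append(Finding("history", "fanout_script", line))
        if SSHPASS_SPRAY.search(line):
            findings.append(Finding("history", "sshpass_ssh", line))
        # /etc/hosts read as a target list: only interesting next to ssh or a loop.
        if HOSTS_ENUM.search(line) and ("ssh" in line or "for " in line):
            findings.append(Finding("history", "hosts_enumeration", line))
    return findings


def scan_processes(names):
    """Flag process or file names using the reported MeshCentral disguise."""
    return [Finding("process", "meshagent_azure_ops", n) for n in names if MESH_AGENT.search(n)]


def is_c2_host(host):
    """Exact domain or any subdomain; rejects lookalikes such as azurenetfiles.net.example.org."""
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)


def scan_connections(records):
    """records: (src_ip, dst_host, dst_port). Flag any traffic to the C2 domain."""
    return [Finding("network", "c2_domain", f"{s} -> {d}:{p}")
            for s, d, p in records if is_c2_host(d)]


def hunt(history, processes, connections):
    """Run all three scans; most specific indicators first."""
    order = {"c2_domain": 0, "meshagent_azure_ops": 1, "fanout_script": 2,
             "sshpass_ssh": 3, "hosts_enumeration": 4}
    found = scan_history(history) + scan_processes(processes) + scan_connections(connections)
    return sorted(found, key=lambda f: order[f.indicator])


# Constructed sample evidence (not real victim data).
SAMPLE_HISTORY = [
    "cd /tmp",
    "vi acmeu_fanout.sh",
    "chmod +x acmeu_fanout.sh && ./acmeu_fanout.sh",
    "for h in $(awk '{print $1}' /etc/hosts); do sshpass -p 'x' ssh -o StrictHostKeyChecking=no svc@$h id; done",
    "cat /etc/hosts",
    "ls -la",
]
SAMPLE_PROCESSES = ["svchost.exe", "meshagent64-azure-ops.exe", "psappsrv.exe", "MeshAgent.exe"]
SAMPLE_CONNECTIONS = [
    ("10.0.4.21", "login.microsoftonline.com", 443),
    ("10.0.4.21", "azurenetfiles.net", 443),
    ("10.0.4.22", "cdn.azurenetfiles.net", 443),
    ("10.0.4.22", "azurenetfiles.net.example.org", 443),  # lookalike, must not match
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_HISTORY, SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(f"[{f.source}] {f.indicator}: {f.evidence}")
```

Two caveats. The file-name and domain indicators are trivially changed by the operator, so the durable signals are the behavioral ones: sshpass or scripted SSH in the interactive history of an ERP service account, any MeshCentral agent (renamed or not) that the institution did not deploy, and long-lived outbound WebSocket sessions from the PeopleSoft tier to domains outside an allowlist. And a clean result here does not clear a host: the example only covers the indicators the reports published.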

The documented evolution of ShinyHunters is not a transition from cybercrime to APT, but a hybridization that makes the distinction increasingly less useful for defenders. When a financially motivated group acquires or develops server-side zero-days and pairs them with mature identity-centric tactics, the defensive emphasis shifts: firewalls and vulnerability scanners remain necessary but are no longer sufficient, and the outcome is decided by identity, behavior, and the trust relationships between systems that already legitimately communicate.

Information verified against cited sources and current as of publication.

Sources and references
  1. securityweek.com
  2. itsecuritynews.info
  3. esentire.com
  4. rescana.com
  5. govtech.com
  6. cybersecuritydive.com
  7. time.com
  8. nvd.nist.gov
  9. thehackernews.com
  10. cloud.google.com