// 2 ZERO-DAY · 5 CVE · 3 EXPLOIT · 1 ADVISORY IN THE LAST 24H
Nissan Americas confirmed that attackers exploited CVE-2026-35273, a zero-day vulnerability in Oracle PeopleSoft PeopleTools, to steal personal and financial data of current and former employees in the U.S., Canada, Mexico, and Brazil during a 14-day window in May and June 2026.

Nissan Americas filed a breach notification with the California Attorney General on June 25, 2026. The company confirmed that attackers exploited a zero-day vulnerability in Oracle PeopleSoft PeopleTools to exfiltrate personal and financial workforce data. The attack window, spanning May 27 to June 9, was validated by Mandiant's technical analysis. Over those fourteen days, the criminals accessed tax records, banking details, and social security numbers of employees and former employees in the United States, Canada, Mexico, and Brazil.

This analysis is based on converging editorial sources; no direct Oracle advisory or CISA alert is available.

Key Takeaways
  • CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft PeopleTools that allows unauthenticated remote code execution.
  • The ShinyHunters group claimed compromise of over 300 instances across more than 100 organizations, with Nissan as a specific target.
  • Nissan restricted pay stub access to the corporate network and VPN, added identity verification for payroll change requests, and offered dark web monitoring and credit protection.
  • Oracle released emergency mitigation measures on June 10, 2026, after compromissions had begun.

Attack Mechanism: From PeopleSoft Flaw to HR Access

According to Rescana's analysis, the vulnerability resides in the Updates Environment Management component of Oracle PeopleSoft PeopleTools. The flaw allows an unauthenticated attacker to achieve remote code execution via the /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints. Rescana notes that these technical details may include inferred elements not independently verified.

Once initial access was established, attackers deployed MeshCentral agents disguised as Microsoft Azure services to maintain persistence. According to Rescana, no custom malware has been identified in public documentation; persistence relied on legitimate remote administration tools repurposed for offensive use.

MITRE ATT&CK Mapping and Reconstruction Limits

Rescana's analysis provides a MITRE ATT&CK mapping that places the operation in an enterprise supply-chain attack framework: initial access via vulnerability exploitation, remote code execution, persistence via legitimate remote access tools, and subsequent data exfiltration from HR and payroll databases.

The source does not specify whether attackers achieved lateral movement beyond the PeopleSoft perimeter. The exact number of affected Nissan employees has not been disclosed. No specific indicators of compromise—such as IP addresses, domains, or file hashes—are documented.

Nissan: Notification and Reactive Measures

In its communication to the California Attorney General, cited by BleepingComputer, Nissan acknowledged it was "specifically targeted in this attack." The notification lists the compromised data categories: contact information, banking details, U.S. Social Security Numbers (SSN), Canadian Social Insurance Numbers (SIN), national identification numbers, tax and financial records, and employee and beneficiary data.

Nissan restricted pay stub access to the corporate network and VPN. It introduced identity verification for payroll data change requests. It is offering dark web monitoring and credit protection services. The Register highlighted that these measures, while necessary, come after data exfiltration.

"Patching the flaw does nothing for data already taken during the exploitation window" — Simon Pamplin, CTO at Certes, in Infosecurity Magazine

Victim Ecosystem and ShinyHunters' Role

ShinyHunters claimed compromise of over 300 PeopleSoft instances across more than 100 organizations. According to BleepingComputer, which confirmed Mandiant's analysis, the group stated that the majority of victims are universities. Nissan is among the confirmed corporate targets.

Mandiant notified over 100 organizations. Oracle released emergency mitigations on June 10, 2026. It is unclear from sources whether Nissan's investigation is concluded or ongoing.

Immediate Actions

Organizations with exposed Oracle PeopleSoft PeopleTools instances must verify application of Oracle's June 10, 2026 mitigations. They must audit access logs for the /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints for the period May 27–June 9, 2026. They must also hunt for MeshCentral agents masquerading as Azure services as a persistence indicator.

Nissan employees in the four affected countries should activate the company-offered dark web monitoring and credit protection. They must promptly dispute suspicious bank account activity and report fraudulent use of social security numbers to the relevant authorities. Identity verification for payroll requests is now mandatory at Nissan: employees must refuse unsolicited payroll changes that do not follow this channel.

Editorial Close

The Nissan case illustrates the structural vulnerability of enterprise HR platforms when they become attack vectors. Outsourcing payroll functions to a software vendor does not absolve the data controller of ultimate responsibility. The absence of a direct Oracle advisory and a CISA alert leaves organizations interpreting signals from editorial sources and third-party analyses.

The hard fact is that social security and banking data of employees in four countries were exposed for fourteen days before any mitigation arrived. The consequences of that window depend on unquantifiable factors: the exact volume of data, the speed of monetization by ShinyHunters, the effectiveness of post-breach monitoring. What remains measurable is the systemic lag between technical compromise and public disclosure—a lag that, on June 25, 2026, found Nissan filing notifications, not preventing damage.

Sources: Infosecurity Magazine; The Register; BleepingComputer; Rescana; Security Boulevard

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. infosecurity-magazine.com
  2. theregister.com
  3. bleepingcomputer.com
  4. rescana.com
  5. securityboulevard.com
  6. deals.bleepingcomputer.com