Between May 27 and June 9, 2026, the extortion group ShinyHunters exploited the zero-day vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools to compromise more than 100 organizations, 68% of which are U.S. higher-education institutions. Oracle released the advisory and patch on June 10; CISA added the CVE to the KEV catalog on June 12 with a binding June 15 deadline for federal agencies. The case shows how an internal management component — technically unnecessary for user sessions — became the vector for one of 2026's most invasive campaigns against the academic sector.
- CVE-2026-35273 carries CVSS 9.8: missing authentication on EMHub HTTP endpoints enables unauthenticated remote code execution with no credentials or user interaction, per the NVD record and joint Mandiant/Google Threat Intelligence Group analysis.
- ShinyHunters disguised its MeshCentral C2 as an Azure service (agents renamed meshagent64-azure-ops.exe and meshagent32-azure-ops.exe), routing WebSocket Secure traffic over azurenetfiles.net:443.
- The attackers' staging servers, accidentally exposed on five consecutive IPs (142.11.200.186-190) running Python SimpleHTTPServer on port 8888, allowed researchers to reconstruct the attack chain and identify custom credential-spraying scripts and extortion markers.
- The University of Nottingham confirmed compromise with loss of "a significant amount of data" from its student system; Have I Been Pwned verified roughly 455,000 unique email addresses, including passport numbers, disability status, and ethnicity.
How the Flaw Works: Missing Auth in an "Invisible" Backend
The vulnerability resides in the Environment Management Hub (EMHub, component PSEMHUB), a backend service that tracks and manages agents across PeopleSoft environments. According to joint Mandiant and GTIG research cited by Dark Reading, the HTTP endpoints /PSEMHUB/hub and /PSIGW/HttpListeningConnector perform no authentication check, allowing a remote attacker to execute arbitrary code with a crafted POST request. The NVD record classifies the weakness as CWE-306 and assigns the CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H with a base score of 9.8.
The architectural paradox is central: EMHub is not required for user browser sessions in the PeopleSoft Internet Architecture. It is an internal management interface, often exposed to the internet for administrative convenience or due to legacy network configurations, that becomes an invisible attack surface. Confirmed vulnerable versions are PeopleTools 8.61 and 8.62; Oracle notes that earlier unsupported versions are likely affected as well.
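Because the flaw is a missing authentication check on two fixed paths, the most useful first question for a defender is whether those paths were ever reachable from outside. The script below is an added example, not code from the article or from Mandiant/GTIG; it scans web-server access log lines for requests to /PSEMHUB/ and /PSIGW/HttpListeningConnector from non-internal addresses and rates external POSTs highest, since that is the request shape the advisory describes. The log format (Apache/nginx "combined"), the internal address ranges and the sample lines are all assumptions constructed for the example.

```python
"""Flag external hits on the PeopleTools EMHub and Integration Gateway
endpoints in web-server access logs (constructed sample data, added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Paths named in the Mandiant/GTIG analysis as performing no authentication check.
WATCHED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Assumption: the organisation's internal address space; adjust to your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Apache/nginx "combined" style: client ip, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str


def _is_external(ip_text):
    """True when the source address is outside the configured internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable source field: treat as suspicious
    return not any(ip in net for net in INTERNAL_NETS)


def scan_access_log(lines):
    """Return a Finding for every external request to a watched endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if not any(path.startswith(p) for p in WATCHED_PREFIXES):
            continue
        if not _is_external(m.group("ip")):
            continue
        # The advisory describes RCE via a crafted POST; an external GET still
        # proves the management endpoint is reachable and should be blocked.
        severity = "high" if m.group("method") == "POST" else "medium"
        findings.append(Finding(m.group("ip"), m.group("ts"), m.group("method"),
                                path, int(m.group("status")), severity))
    return findings


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '10.20.30.40 - - [11/Jun/2026:08:01:12 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/HOME.GBL HTTP/1.1" 200 5120',
    '10.20.30.41 - - [11/Jun/2026:08:02:30 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 342',
    '203.0.113.77 - - [11/Jun/2026:08:03:05 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1180',
    '198.51.100.9 - - [11/Jun/2026:08:04:44 +0000] "GET /PSIGW/HttpListeningConnector HTTP/1.1" 200 640',
    '203.0.113.77 - - [11/Jun/2026:08:05:10 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} {f.method} {f.path} -> {f.status}")
```

The internal POST to /PSEMHUB/hub is deliberately not reported: EMHub agents legitimately talk to the hub from inside the environment, so the signal is the source address, not the path alone. Feed the real log through `scan_access_log` and any "high" finding dated before the June 10 patch deserves an incident-response triage rather than a patch-and-forget.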
The Operational Chain: From Azure Spoofing to Extortion with Markers
After initial access, ShinyHunters deployed MeshCentral agents — a legitimate open-source remote management tool — with filenames deliberately crafted to blend in with Microsoft processes. GBHackers documents the SHA-256 hashes of the payloads: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc for the 64-bit executable and c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f for the 32-bit version. The command-and-control domain, azurenetfiles.net, served WebSocket Secure connections on port 443.
Researchers' next break came from the attackers' own operational error: staging directories left accessible on the internet, hosted on five consecutive IPs (142.11.200.186-190) running Python SimpleHTTPServer on port 8888. From this exposure, researchers extracted lateral-movement scripts such as [victim]_fanout.sh, designed for credential spraying via SSH, and the marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, a distinctive signal of the extortion phase. Exfiltration used zstd compression to 176.120.22.24, an address associated with ShinyHunters' public leak site.
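The indicators in the two paragraphs above (agent filenames, SHA-256 hashes, the C2 domain, the staging and exfiltration addresses, the marker file) are only useful once matched against an organisation's own telemetry. The script below is an added example, not the article's or the researchers' code; it takes the indicator values exactly as the article reports them and sweeps constructed file-inventory, DNS and connection records for matches, grouping hits per host. The record layout and all sample telemetry (hostnames, paths, the benign hash) are assumptions for the example.

```python
"""Match endpoint and network telemetry against the indicators reported for
the ShinyHunters PeopleSoft campaign (constructed sample telemetry, added example)."""
import ipaddress
from collections import defaultdict

# Indicator values as reported by GBHackers / Dark Reading (taken from the article).
IOC_SHA256 = {
    "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc": "MeshCentral agent, 64-bit",
    "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f": "MeshCentral agent, 32-bit",
}
IOC_FILENAMES = {  # compared case-insensitively
    "meshagent64-azure-ops.exe",
    "meshagent32-azure-ops.exe",
    "readme-if-you-see-this-youve-been-hacked.txt",
}
IOC_DOMAINS = {"azurenetfiles.net"}
IOC_IPS = {ipaddress.ip_address("176.120.22.24")}  # exfiltration / leak-site address
IOC_IPS.update(ipaddress.ip_address(f"142.11.200.{h}") for h in range(186, 191))  # staging


def match_record(rec):
    """Return the list of reasons this record matches an indicator (empty if none)."""
    reasons = []
    if rec["type"] == "file":
        # Normalise Windows and POSIX paths to a bare lower-case basename.
        name = rec["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in IOC_FILENAMES:
            reasons.append(f"filename {name}")
        label = IOC_SHA256.get(rec.get("sha256", "").lower())
        if label:
            reasons.append(f"sha256 matches {label}")
    elif rec["type"] == "dns":
        q = rec["query"].rstrip(".").lower()
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            reasons.append(f"dns query {q}")
    elif rec["type"] == "conn":
        if ipaddress.ip_address(rec["dst_ip"]) in IOC_IPS:
            reasons.append(f"connection to {rec['dst_ip']}:{rec['dst_port']}")
    return reasons


def sweep(records):
    """Group every matching reason by host so a responder sees affected machines first."""
    hits = defaultdict(list)
    for rec in records:
        for reason in match_record(rec):
            hits[rec["host"]].append(reason)
    return dict(hits)


# Constructed sample telemetry: hostnames, paths and the benign hash are invented.
SAMPLE_TELEMETRY = [
    {"type": "file", "host": "hr-app-01", "path": r"C:\Windows\Temp\meshagent64-azure-ops.exe",
     "sha256": "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc"},
    {"type": "file", "host": "hr-app-02", "path": "/opt/psft/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
     "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
    # A legitimately installed MeshCentral agent: neither the name nor the hash matches.
    {"type": "file", "host": "ws-17", "path": r"C:\Program Files\Mesh Agent\meshagent64.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"type": "dns", "host": "hr-app-01", "query": "azurenetfiles.net."},
    {"type": "dns", "host": "ws-17", "query": "login.microsoftonline.com"},
    {"type": "conn", "host": "hr-app-02", "dst_ip": "176.120.22.24", "dst_port": 443},
    {"type": "conn", "host": "hr-app-02", "dst_ip": "142.11.200.188", "dst_port": 8888},
    {"type": "conn", "host": "ws-17", "dst_ip": "20.50.60.70", "dst_port": 443},
]

if __name__ == "__main__":
    for host, reasons in sweep(SAMPLE_TELEMETRY).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Note the renamed agents match on both filename and hash while a stock MeshCentral install matches on neither, which is the point of the attackers' Azure-themed naming: the tool is legitimate, so detection has to rest on the specific names, hashes and network destinations rather than on "MeshCentral present".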
"In several instances we have identified web application firewalls (WAFs) protecting otherwise vulnerable organizations. These are not durable protections and we recommend following Oracle's mitigations guidance as soon as possible." — Mandiant and GTIG, via Dark Reading
Academic Sector Under Fire: Notifications, Confirmations, and Non-Rotatable Data
Mandiant and GTIG notified more than 100 organizations; 68% are higher-education institutions, predominantly in the United States. ShinyHunters claims 300+ compromised PeopleSoft instances overall, but the ratio between proactive notifications and publicly confirmed breaches is not quantified in public reports.
The University of Nottingham publicly acknowledged compromise of its student record system, affecting current students and alumni. The Hacker News, via Have I Been Pwned, verified roughly 455,000 unique email addresses in the stolen dataset. Exposed fields include names, addresses, phone numbers, passport numbers, ethnicity, and disability status, categories of data that admit no post-breach mitigation such as credential rotation. The resulting risk of identity theft and discrimination for affected students persists for years, not weeks.
Immediate Actions
Primary sources document four immediate actions:
- Apply the patch released by Oracle on June 10, 2026 for supported versions of PeopleTools 8.61 and 8.62, verifying official availability for your environment.
- Disable the EMHub service where not strictly necessary, and block external access to the /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints, as recommended by Oracle and cited by Mandiant/GTIG.
- Remove reliance on Web Application Firewalls as the sole barrier for this vulnerability, given the researchers' explicit judgment on the non-durability of such protection against this specific vector.
- For federal or federal-adjacent organizations, meet CISA's BOD 26-04 mandatory-remediation deadline of June 15, 2026.
ShinyHunters' Operational Leap: From Cloud Misconfiguration to Server-Side Zero-Day
The campaign marks an inflection in the group's modus operandi. Until 2026, ShinyHunters was primarily associated with cloud misconfiguration and exposed-database compromises. The use of a server-side zero-day in an enterprise ERP, with custom tooling for persistence and lateral movement, indicates an escalation in technical capability and operational planning. Public reporting shows no infrastructure overlap linking this actor to nation-state groups, but the provenance of the zero-day, whether developed in-house or acquired, remains undetermined.
The choice of the education sector is no accident given the data profile: institutions hold dense personal records, including sensitive demographic data and the histories of former students, which prolongs the data's value for extortion. As of June 14, 2026, with the CISA deadline looming, operational pressure on university security teams is at its peak, and the question of why EMHub was internet-reachable at so many institutions remains open, a question more administrative than technical.
Information verified against cited sources and current as of publication.
Sources
- https://www.darkreading.com/vulnerabilities-threats/shinyhunters-oracle-zero-day-higher-ed
- https://www.rescana.com/post/shinyhunters-exploits-oracle-peoplesoft-zero-day-cve-2026-35273-in-widespread-higher-education-cyberattack
- https://gbhackers.com/oracle-peoplesoft-zero-day-rce-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2026-35273
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273
- https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
- https://www.darkreading.com/cyberattacks-data-breaches/shinyhunters-second-attack-instructure