ShinyHunters had 13 days inside PeopleSoft before Oracle said anything
CVE-2026-35273 is a CVSS 9.8 unauthenticated RCE in PeopleTools 8.61-8.62 that ShinyHunters exploited as a zero-day against 100+ organizations. The June 10 advisory arrived after the data was already on the leak site.
On June 9, 2026, ShinyHunters published stolen data from dozens of universities on their extortion leak site. On June 10, Oracle published the security advisory.
The order matters. The breach came first.
CVE-2026-35273 is an unauthenticated remote code execution vulnerability (CVSS 9.8) in the Environment Management Hub (PSEMHUB) component of Oracle PeopleSoft PeopleTools 8.61 and 8.62. ShinyHunters, tracked by Mandiant as UNC6240, began exploiting it as a zero-day on May 27. By the time Oracle’s advisory appeared, over 100 organizations had been breached across roughly 300 compromised instances. Sixty-eight percent were universities and colleges. The University of Nottingham confirmed approximately 455,000 records exposed: names, addresses, phone numbers, passport numbers, and records on ethnicity and disabilities. CISA added the CVE to the Known Exploited Vulnerabilities catalog on June 12 with a federal deadline of June 15.
What was exposed and why
PSEMHUB is PeopleTools’ Environment Management Hub, a web component that handles environment configuration and software update management. It lives at /PSEMHUB/hub and exposes a second endpoint at /PSIGW/HttpListeningConnector. Both accept unauthenticated HTTP requests. Neither is designed to be internet-facing, but in practice many PeopleSoft deployments expose WebLogic without isolating internal management components from external networks.
The vulnerability is a server-side request forgery that escalates to code execution, per Rapid7’s analysis. An attacker sends a crafted request to the PSEMHUB endpoint. WebLogic processes it before authentication is enforced. Code runs as the WebLogic service account. No credentials required. No user interaction. The CVSS 9.8 is accurate.
Affected versions are PeopleTools 8.61 and 8.62. Older unsupported versions are almost certainly also affected but have no patch path.
What the attack looked like
ShinyHunters established staging infrastructure on May 27, hosting MeshCentral remote management agents at IP addresses 142.11.200.186 through .190. After gaining initial execution via PSEMHUB, they deployed MeshCentral agents configured to phone home via WebSocket to azurenetfiles.net, a domain they registered to masquerade as Microsoft Azure NetApp Files.
From there: reconnaissance against psappsrv.cfg configuration files to map the PeopleSoft topology (web tier, application tier, batch tier), SSH credential spraying for lateral movement, and data exfiltration using Zstandard compression. In multi-tier university environments, they moved from the web server to the application and batch servers. As they went, they dropped ransom notes titled README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic application directories.
The entire window from first exploitation to the data leak publication was 13 days.
What to look for
If you run PeopleTools 8.61 or 8.62 and PSEMHUB was reachable from any external or untrusted network between May 27 and June 9, patching alone is not enough. You have a compromise window to investigate.
WebLogic access logs. Hunt for POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector from external source IP addresses. Any matches require investigation.
The defacement marker. ShinyHunters dropped README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in WebLogic directories under <PS_CFG_HOME>/webserv/<domain>/. If that file exists, the server was compromised.
Unexpected JSP files. Check <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ for JSP files you didn’t deploy. Webshells land here.
Outbound SMB traffic. The exploit can force the system to initiate an outbound SMB connection to attacker infrastructure, used to capture NetNTLM hashes. If you have firewall or NetFlow logs covering the window, look for outbound TCP 445 from PeopleSoft servers to external IPs.
DNS and firewall logs. MeshCentral agents connected to azurenetfiles.net on port 443. If that domain appears in DNS query logs during May 27-June 9, an agent was running.
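A small hunting helper for the access-log and DNS checks above, written here as an added example (it is not from the original post, Rapid7 or Mandiant). It flags POSTs to the two unauthenticated endpoints from non-internal source addresses, treating /PSEMHUB/ as a prefix the way Rapid7's block rule does, and finds lookups of the MeshCentral call-home domain. It assumes WebLogic's default Common Log Format access log and a one-query-per-line DNS log; all sample lines are constructed.

```python
import ipaddress
import re
WATCHED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")  # endpoints named in the post
C2_DOMAIN = "azurenetfiles.net"  # MeshCentral call-home domain named in the post
# RFC 1918, loopback, link-local (adjust to your address plan); listed explicitly because ipaddress's is_private also flags documentation ranges such as 203.0.113.0/24
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# WebLogic's default HTTP access log is Common Log Format; the regex assumes that layout.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # malformed source field: surface it rather than silently drop it
    return not any(addr in net for net in INTERNAL_NETS)

def hunt_access_log(lines: list[str]) -> list[dict]:
    """Every POST to a watched PSEMHUB/PSIGW path from an external source IP."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        if m["method"] == "POST" and path.startswith(WATCHED_PREFIXES) and is_external(m["ip"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path, "status": int(m["status"])})
    return hits

def dns_hits(lines: list[str]) -> list[str]:
    """DNS query log lines that name the C2 domain or any subdomain of it."""
    out = []
    for line in lines:
        names = (tok.rstrip(".").lower() for tok in line.split())
        if any(n == C2_DOMAIN or n.endswith("." + C2_DOMAIN) for n in names):
            out.append(line)
    return out

# Constructed sample lines, not real logs; May 28 falls inside the May 27-June 9 window.
SAMPLE_ACCESS_LOG = """\
203.0.113.77 - - [28/May/2026:08:02:41 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 611
203.0.113.77 - - [28/May/2026:08:02:55 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0
192.168.3.9 - - [28/May/2026:08:03:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 611
198.51.100.4 - - [28/May/2026:08:05:19 +0000] "GET /PSEMHUB/hub?x=1 HTTP/1.1" 200 120
""".splitlines()
SAMPLE_DNS_LOG = """\
2026-06-01T02:14:07Z client 10.0.4.12 query: azurenetfiles.net. IN A
2026-06-01T02:20:31Z client 10.0.4.13 query: agent.azurenetfiles.net. IN A
""".splitlines()
```

Run `hunt_access_log` over the full window's access logs rather than a single day; a 500 on /PSIGW/HttpListeningConnector from the same external address that hit /PSEMHUB/hub seconds earlier is exactly the pairing worth pulling into the investigation.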
What to do now
Apply Oracle’s patch. The out-of-band security alert was published June 10. Access to the actual patch download requires a valid Oracle Support account; the advisory at oracle.com/security-alerts/alert-cve-2026-35273.html links to the patch availability document. If your PeopleSoft environment is on an unsupported PeopleTools version, there is no patch. The options are upgrade or network isolation.
Disable PSEMHUB or block it at the perimeter. In multi-server deployments, disable the Environment Management Hub Service through the PeopleSoft administration console. In single-server deployments, remove the PSEMHUB application entirely. If neither is immediately possible, block /PSEMHUB/* and /PSIGW/HttpListeningConnector at the firewall or WAF. Rapid7 notes that body-inspection rules alone are insufficient; block the path at the network layer.
Investigate before closing the ticket. If PSEMHUB was reachable during the exploitation window, engage incident response. MeshCentral agents and any persistence mechanisms installed by ShinyHunters do not disappear when you patch the initial access vector. The indicators above are where to start.
The federal deadline under BOD 22-01 was June 15. That window has already closed for FCEB agencies. For private organizations, the relevant question is whether your internal SLA for a CVSS 9.8 actively exploited KEV vulnerability has a defined remediation window and whether you’re inside it.
This is also Oracle’s second major zero-day exploitation campaign this quarter. Cl0p hit Oracle E-Business Suite (CVE-2025-61884) in April, with a similar pattern: mass exploitation before the advisory, higher education and critical infrastructure disproportionately affected. The PeopleSoft campaign follows the same playbook against the same sector with a different threat actor. If your organization runs both products, both deserve a look.
PatchDayAlert covers KEV additions like this in the daily digest when they arrive. That’s what the newsletter is for: the signal that needs to move before Tuesday’s change board, not after.
Sources
- Mandiant/GTIG — ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
- Rapid7 ETR — Active Exploitation of Oracle PeopleSoft Zero-Day CVE-2026-35273
- Oracle Security Alert Advisory — CVE-2026-35273
- HelpNet Security — Oracle PeopleSoft servers under attack
- Arctic Wolf — Critical Oracle PeopleSoft Vulnerability Actively Exploited
- Security Affairs — CISA adds Oracle PeopleSoft flaw to KEV catalog
- The Hacker News — ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Universities