PeopleSoft Zero-Day: ShinyHunters Exploit CVE-2026-35273

June 17, 2026

Introduction

A critical PeopleSoft zero-day vulnerability has put more than 100 organizations at risk of full server takeover, and the financially motivated extortion group ShinyHunters got there weeks before anyone noticed. Oracle published an emergency advisory for CVE-2026-35273 on June 10, 2026, but Mandiant and Google Threat Intelligence Group confirmed the flaw had already been under active exploitation since May 27, 2026. That gap gave attackers nearly two full weeks of silent access before defenders even knew the vulnerability existed.

This PeopleSoft zero-day carries a CVSS score of 9.8, the highest severity rating possible, and it requires no authentication whatsoever. An attacker only needs network access to a vulnerable PeopleSoft Environment Management Hub endpoint to achieve full remote code execution. Higher education institutions bore the brunt of the campaign, accounting for 68 percent of all notified victims, but any organization running PeopleSoft PeopleTools 8.61 or 8.62 should treat this as an active, urgent risk.

Here is the complete technical breakdown of how this PeopleSoft zero-day works, who is behind it, and exactly what your security team needs to do right now.


What Is the PeopleSoft Zero-Day Vulnerability CVE-2026-35273

CVE-2026-35273 is a critical vulnerability in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. TrendAI's Zero Day Initiative reported the flaw to Oracle, and TrendAI classifies the underlying weakness as a server-side request forgery vulnerability, tracked under CWE-918.

Server-side request forgery flaws are dangerous because they exploit a trust relationship that most organizations overlook. Internal systems assume that requests originating from the application server itself are safe. This PeopleSoft zero-day hijacks that trust, turning the vulnerable server into a pivot point that an attacker can use to reach internal and external resources of their own choosing. In this case, that pivot leads directly to full remote code execution.

Key facts about the PeopleSoft zero-day:

  • Tracked as CVE-2026-35273 with a CVSS v3.1 score of 9.8
  • Remotely exploitable without any authentication
  • Classified as server-side request forgery (CWE-918) that escalates to RCE
  • Affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62
  • PeopleSoft Enterprise Applications customers may also be impacted
  • Added to the CISA Known Exploited Vulnerabilities catalog on June 12, 2026

Oracle released an out-of-band patch the same day it published its security alert, a clear signal of how seriously the company treated this disclosure.


How Mandiant and Google Discovered the PeopleSoft Zero-Day Campaign

Mandiant and the Google Threat Intelligence Group first identified suspicious activity targeting Oracle PeopleSoft infrastructure and traced it back to a coordinated campaign. Their investigation revealed that exploitation began weeks before Oracle's public disclosure.

Discovery and disclosure timeline:

  • May 27, 2026: Active exploitation of the PeopleSoft zero-day begins
  • June 9, 2026: Stolen data begins appearing on the ShinyHunters Data Leak Site
  • June 10, 2026: Oracle publishes an emergency out-of-band security alert
  • June 11, 2026: Mandiant publishes its full technical report confirming zero-day exploitation
  • June 12, 2026: CISA adds CVE-2026-35273 to its Known Exploited Vulnerabilities catalog

Scope of the campaign:

  • Google Threat Intelligence Group notified more than 100 global organizations
  • 68 percent of notified victims came from the higher education sector
  • Hackers claiming ShinyHunters affiliation told reporters they targeted 300 separate PeopleSoft instances
  • Attackers reportedly chained older vulnerabilities together with the new zero-day to maximize access

This PeopleSoft zero-day campaign stands out because Mandiant confirmed in-the-wild exploitation existed before any patch or advisory was available. Every victim organization had zero opportunity to defend against the initial wave of attacks.


The Full PeopleSoft Zero-Day Attack Chain Explained

Understanding exactly how this PeopleSoft zero-day works is essential for any security team running PeopleSoft infrastructure. Here is the complete technical breakdown of the attack chain.

Stage One: SSRF Exploitation Through Two PeopleSoft Endpoints

Mandiant's analysis identified two specific endpoints involved in exploitation of the PeopleSoft zero-day. Attackers send requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector to trigger the server-side request forgery condition.

Interestingly, the /PSIGW/HttpListeningConnector path has appeared before in PeopleSoft security history. The same URI path featured in a 2017 PeopleSoft exploit chain tied to CVE-2013-3821, and a related XML External Entity flaw tracked as CVE-2017-3548 targeted a different connector under the same /PSIGW/ directory structure. This PeopleSoft zero-day extends a pattern of risk in the same integration gateway component that has existed for nearly a decade.

TrendAI detection signatures confirm the SSRF classification:

  • IPS Rule 1012580: Oracle PeopleSoft PeopleTools SSRF Vulnerability
  • DDI Rule 5855: PeopleSoft PeopleTools Environment Management Hub SSRF Exploit

Stage Two: SSRF Escalates to Remote Code Execution

Once an attacker triggers the SSRF condition on the vulnerable endpoint, the PeopleSoft zero-day allows that initial access to escalate directly into remote code execution. The server-side request forgery functions as the delivery mechanism, while the actual code execution happens through additional exploitation steps on the PSEMHUB application.

A notable side effect of this exploit chain involves outbound SMB connections. The exploited server may be forced to initiate outbound connections on TCP port 445 to external destinations chosen by the attacker. This can allow an attacker to capture Windows machine-account NetNTLM hashes, opening up additional credential theft opportunities beyond the initial compromise.

Stage Three: Post-Exploitation Tooling Disguised as Microsoft Azure

After gaining code execution, the threat actor behind this PeopleSoft zero-day campaign deployed MeshCentral remote management agents on compromised systems. MeshCentral is a legitimate open-source remote monitoring platform, which made its presence harder for defenders to immediately flag as malicious.

The attackers configured these agents to masquerade as Microsoft Azure services. Filenames such as meshagent64-azure-ops.exe were used specifically to blend in with expected enterprise cloud tooling. Command-and-control traffic routed through a domain built to mimic Azure infrastructure naming conventions.

Observed post-exploitation indicators:

  • Windows MeshCentral agents named meshagent64-azure-ops.exe and meshagent64-v2.exe
  • A 32-bit Windows variant named meshagent32-azure-ops.exe
  • An unconfigured Linux MeshCentral agent binary
  • C2 communications directed to a domain disguised as Azure infrastructure
  • Defacement marker files left behind warning victims they had been compromised

Stage Four: Internal Reconnaissance and Lateral Movement

With persistent remote access established through the disguised MeshCentral agents, the attackers conducted internal reconnaissance of PeopleSoft configurations. They deployed lateral movement scripts to expand their foothold across the compromised environment and identify additional valuable data sources.

Host-based indicators of this stage include:

  • Unexpected JSP files appearing under PSEMHUB application directories
  • Unauthorized files or directories under PSEMHUB transaction metadata paths
  • New directories named logs, persistantstorage, or scratchpad under PSEMHUB paths that should not normally appear
  • Recently modified XML files under environment metadata directories, potentially indicating XMLDecoder-based persistence

Stage Five: Data Compression and Exfiltration

In the final stage of this PeopleSoft zero-day attack chain, the threat actor compressed exfiltrated data using zstd compression before transferring it out of the victim environment. Attackers established outbound SSH connections to infrastructure hosting a public mirror of the ShinyHunters Data Leak Site.

Stolen data archives from this campaign began appearing publicly on the ShinyHunters Data Leak Site on June 9, 2026, a full day before Oracle's security advisory reached the public.

Threat Actor Behind the PeopleSoft Zero-Day

Mandiant attributes this campaign to UNC6240, more widely known by its public alias ShinyHunters. This is a financially motivated cybercriminal collective with a long track record of data theft and extortion operations.

ShinyHunters has previously targeted cloud services, SaaS platforms, and telecommunications providers. The group typically favors weak authentication controls, stolen credentials, and cloud misconfigurations over building custom malware, which makes its decision to weaponize a genuine zero-day vulnerability in this campaign particularly notable.


Why the PeopleSoft Zero-Day Matters for Every Organization

This PeopleSoft zero-day is not a niche risk confined to a single industry. The combination of unauthenticated remote code execution and a widely deployed ERP platform creates exposure across multiple sectors simultaneously.

Enterprise and higher education impact:

  • PeopleSoft manages core functions including HR, payroll, finance, and campus operations, meaning a breach exposes deeply sensitive personal data
  • Universities and colleges accounted for 68 percent of notified victims, reflecting how widely PeopleSoft is deployed across the education sector
  • Student records, financial aid data, payroll information, and faculty personal data are all plausible targets within a compromised PeopleSoft environment

Operational disruption risks:

  • Organizations running unsupported or unpatched PeopleTools versions face immediate compromise risk
  • The Environment Management Hub component, if left exposed, gives attackers a direct path to full server control
  • Extortion tactics used by ShinyHunters typically threaten public data publication unless a ransom is paid, adding reputational pressure on top of technical remediation work

Financial and regulatory exposure:

  • Higher education institutions face FERPA compliance obligations tied to student record exposure
  • Organizations handling payroll and HR data through PeopleSoft may trigger GDPR, state breach notification laws, or sector-specific regulatory reporting requirements
  • Incident response, forensic investigation, and extortion negotiation costs add substantial financial burden beyond the technical remediation itself

Cloud security implications:

  • The disguised MeshCentral agents specifically mimicked Microsoft Azure naming conventions, demonstrating how attackers exploit blind trust in recognized cloud brand names
  • Security teams that whitelist traffic based on filename or apparent vendor origin without deeper inspection are vulnerable to this exact disguise technique

Five Real-World Attack Scenarios

Scenario 1: University Student Records Exposed

A large public university runs PeopleSoft PeopleTools 8.61 for student information management. Attackers exploit the PeopleSoft zero-day through the exposed Environment Management Hub endpoint, achieve remote code execution, and exfiltrate student financial aid records and Social Security numbers before the university's security team even knows the vulnerability exists.

Scenario 2: Payroll System Compromise at a Mid-Size Enterprise

A mid-size enterprise uses PeopleSoft for payroll and HR processing. Attackers exploit the SSRF endpoint, deploy a disguised MeshCentral agent posing as Azure infrastructure, and quietly exfiltrate employee banking details and Social Security numbers over several days before detection.

Scenario 3: SMB Hash Capture Enables Domain Compromise

A mid-size organization's PeopleSoft server is forced to make an outbound SMB connection as part of the exploit chain. Attackers capture the server's NetNTLM hash, crack it offline, and use the recovered credentials to pivot into the broader Windows domain environment well beyond the original PeopleSoft application.

Scenario 4: Delayed Detection Due to Disguised Tooling

A security operations team notices unusual outbound traffic but dismisses it after seeing a process named meshagent64-azure-ops.exe, assuming it is legitimate Azure-related tooling. The disguise buys the attacker additional weeks of undetected access before a deeper investigation reveals the true nature of the process.

Scenario 5: Extortion Following Silent Data Theft

An organization patches the PeopleSoft zero-day promptly after Oracle's advisory but does not investigate for prior compromise. Weeks later, stolen data from their environment appears on the ShinyHunters Data Leak Site, revealing that the attackers had already exfiltrated sensitive records during the two-week window before the patch was even available.


How to Detect PeopleSoft Zero-Day Exploitation in Your Environment

Patching alone is not sufficient given that exploitation of this PeopleSoft zero-day began two weeks before any patch existed. Every organization running affected PeopleTools versions should actively hunt for signs of prior compromise.

Logging You Must Review Immediately

  • Review web server access logs for HTTP POST requests to /PSEMHUB/hub from external source IP addresses
  • Review logs for POST requests to /PSIGW/HttpListeningConnector containing loopback addresses or internal IP ranges in request headers or parameters
  • Enable detailed logging on all PeopleSoft Internet Architecture components going forward
  • Audit outbound SMB traffic logs on TCP port 445 from PeopleSoft servers to any external destination

Network and EDR Monitoring Priorities

  • Alert on any outbound connection from PeopleSoft application servers to unfamiliar external IP addresses
  • Flag processes with filenames resembling meshagent64-azure-ops.exe, meshagent64-v2.exe, or meshagent32-azure-ops.exe
  • Monitor for WebSocket connections to domains designed to mimic Microsoft Azure naming patterns
  • Treat any unexpected MeshCentral agent installation as a critical alert requiring immediate investigation

File and Host-Based Indicators to Hunt For

  • Search for unexpected JSP files under PSEMHUB application directories
  • Search for unauthorized files or directories under PSEMHUB transaction metadata paths
  • Look for new directories named logs, persistantstorage, or scratchpad under PSEMHUB paths
  • Search for recently modified XML files under environment metadata directories that could indicate XMLDecoder-based persistence
  • Search for any defacement or extortion marker files left behind on compromised systems
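The file and directory hunt above can be scripted. The block below is an added example, not code from the article, Oracle or Mandiant: it classifies entries under a PSEMHUB deployment root against the JSP, directory-name and recently-modified-XML indicators listed. It assumes a single deployment root, a known baseline of shipped JSP files and a 30-day window for "recently modified"; the sample listing, including the envmetadata path in it, is constructed for illustration and is not the real PeopleSoft layout.

```python
import os
from datetime import datetime, timedelta, timezone

# Directory names the article lists as abnormal under PSEMHUB paths.
SUSPECT_DIRS = {"logs", "persistantstorage", "scratchpad"}
# Constructed baseline: JSP files this deployment is known to ship with (assumption).
EXPECTED_JSP = {"index.jsp"}


def classify_entry(rel_path, is_dir, mtime, now, recent=timedelta(days=30)):
    """Return a finding for one entry under the PSEMHUB root, or None if it looks benign."""
    name = os.path.basename(rel_path).lower()
    if is_dir:
        return f"unexpected directory {rel_path}" if name in SUSPECT_DIRS else None
    if name.endswith(".jsp") and rel_path not in EXPECTED_JSP:
        return f"unexpected JSP file {rel_path}"
    if name.endswith(".xml") and now - mtime <= recent:
        return f"recently modified XML {rel_path} (check for XMLDecoder persistence)"
    return None


def hunt_entries(entries, now, recent=timedelta(days=30)):
    """Run classify_entry over (relative_path, is_dir, mtime) tuples and collect findings."""
    findings = []
    for rel_path, is_dir, mtime in entries:
        finding = classify_entry(rel_path, is_dir, mtime, now, recent)
        if finding:
            findings.append(finding)
    return findings


def walk_psemhub(root):
    """Yield (relative_path, is_dir, mtime) for a real PSEMHUB root on disk."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            yield os.path.relpath(full, root), is_dir, mtime


NOW = datetime(2026, 6, 12, tzinfo=timezone.utc)
# Constructed listing of a PSEMHUB deployment as walk_psemhub() would report it;
# the envmetadata path is hypothetical, not taken from the article.
SAMPLE_LISTING = [
    ("index.jsp", False, NOW - timedelta(days=400)),
    ("WEB-INF/web.xml", False, NOW - timedelta(days=400)),
    ("envmetadata/data/environments.xml", False, NOW - timedelta(days=3)),
    ("scratchpad", True, NOW - timedelta(days=5)),
    ("status_check.jsp", False, NOW - timedelta(days=5)),
    ("images", True, NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for finding in hunt_entries(SAMPLE_LISTING, NOW):
        print("[finding]", finding)
```

Against a live server, replace SAMPLE_LISTING with `walk_psemhub("<PSEMHUB root>")` and compare findings with a known-good deployment before treating them as confirmed compromise.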

SIEM Correlation Rules

  • Correlate PSEMHUB or PSIGW endpoint access with subsequent outbound SMB connections within the same session
  • Correlate new process creation matching MeshCentral agent naming patterns with outbound WebSocket traffic
  • Flag PeopleSoft server authentication anomalies occurring shortly after suspicious endpoint access
  • Build a rule to alert on any zstd compression activity occurring on PeopleSoft application servers, since this is unusual for normal operations

Threat Hunting Guidance

  • Assume compromise if your organization ran affected PeopleTools versions with externally exposed Environment Management Hub access between May 27 and June 10, 2026
  • Conduct full forensic review of PeopleSoft servers even after patching, since the patch does not remove any prior compromise
  • Review captured NetNTLM hash usage across your broader Windows domain for signs of lateral movement originating from PeopleSoft infrastructure
  • Check whether any data matching your organization has appeared on known extortion data leak sites

Mitigation Steps to Stop PeopleSoft Zero-Day Attacks

Acting immediately is critical given the confirmed two-week exploitation window that existed before any patch was available.

Patch on an Emergency Basis

  • Apply Oracle's out-of-band patch for CVE-2026-35273 immediately, without waiting for a standard patch cycle
  • Verify patch deployment across every PeopleSoft instance running PeopleTools 8.61 or 8.62
  • Confirm patch status through your vulnerability management platform and prioritize any PeopleSoft Enterprise Applications instances as well

Apply Compensating Controls Immediately

  • Disable the Environment Management Hub service entirely in multi-server configurations if it is not actively required
  • Remove the PSEMHUB application completely in single-server configurations where feasible
  • Block external network access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the firewall or network perimeter level
  • Confirm that restricting these endpoints does not break standard end-user PeopleSoft browser sessions before deploying the block broadly

Strengthen Identity and Access Controls

  • Enforce multi-factor authentication across all PeopleSoft administrative accounts
  • Review and rotate credentials for any account with PeopleSoft administrative access
  • Apply least privilege principles to limit the blast radius of any future PeopleSoft compromise
  • Audit service accounts associated with PeopleSoft infrastructure for unnecessary privileges

Apply Zero Trust and Segmentation

  • Segment PeopleSoft application servers from the broader corporate network to limit lateral movement potential
  • Apply Zero Trust network access principles to any administrative interface associated with PeopleSoft
  • Restrict outbound SMB traffic from PeopleSoft servers to only explicitly required internal destinations

Monitor and Harden Endpoints

  • Deploy endpoint monitoring capable of detecting unauthorized remote management agent installations
  • Apply application allowlisting on PeopleSoft application servers to prevent unauthorized executable installation
  • Monitor outbound SMB traffic continuously rather than as a one-time assessment

Validate Backups and Prepare for Incident Response

  • Confirm that backups of PeopleSoft data and configuration are current, clean, and tested for recovery
  • Maintain offline backup copies that remain unreachable in the event of a future compromise
  • Prepare an incident response plan specifically addressing potential data exposure scenarios given ShinyHunters' extortion tactics

Conduct Access Reviews and Proactive Threat Hunting

  • Conduct an access review of all accounts that interacted with PeopleSoft infrastructure during the exploitation window
  • Initiate a dedicated threat hunting engagement focused specifically on the indicators outlined in this article
  • Engage a third-party incident response team if any indicators of compromise are confirmed within your environment

What This Campaign Tells Us About the Future of ERP Security

This PeopleSoft zero-day is a clear signal that enterprise resource planning platforms have become high-value targets for sophisticated threat actors and financially motivated groups alike.

ERP platforms hold concentrated, high-value data. PeopleSoft manages payroll, HR, finance, and in many cases entire campus operations. A single successful exploit chain can expose years of accumulated personal and financial data in one campaign, making ERP platforms an efficient target for extortion-focused groups like ShinyHunters.

Financially motivated groups are weaponizing genuine zero-days. ShinyHunters has historically relied on stolen credentials and misconfigurations rather than original vulnerability research. Their use of a genuine zero-day in this campaign suggests financially motivated actors are increasingly willing to invest in or acquire serious exploitation capability when the payoff justifies it.

Legitimate tooling makes detection harder. Disguising MeshCentral agents as Microsoft Azure services exploited defenders' tendency to trust recognized cloud brand naming. Security teams need behavioral detection that does not rely solely on filename or apparent vendor identity.

Old vulnerabilities cast long shadows. The reappearance of the /PSIGW/HttpListeningConnector path, previously tied to vulnerabilities from 2013 and 2017, shows that legacy integration components in mature enterprise software remain a persistent source of risk years after their initial disclosure.

The lesson for security leadership is direct. Any externally exposed ERP administrative interface deserves the same scrutiny as a public-facing web application. Network segmentation, continuous monitoring, and rapid emergency patching capability are no longer optional for organizations running PeopleSoft or comparable enterprise platforms.


Key Takeaway

This PeopleSoft zero-day, tracked as CVE-2026-35273, gave the ShinyHunters extortion group nearly two weeks of unauthenticated remote code execution access before Oracle even knew the vulnerability existed. The attack chain combined a server-side request forgery flaw with disguised MeshCentral remote access tooling, internal reconnaissance, and zstd-compressed data exfiltration to a public extortion leak site.

Higher education institutions bore the heaviest impact, but any organization running PeopleSoft PeopleTools 8.61 or 8.62 faces direct exposure and should assume compromise is possible even after patching.

Summary of critical actions:

  • Apply Oracle's emergency patch for CVE-2026-35273 immediately
  • Disable or restrict the Environment Management Hub if not actively required
  • Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector
  • Hunt for disguised MeshCentral agents and unexpected PSEMHUB directory contents
  • Review outbound SMB traffic for signs of NetNTLM hash capture
  • Assume compromise occurred between May 27 and June 10, 2026, and investigate accordingly
  • Treat any confirmed indicator of this PeopleSoft zero-day as requiring immediate incident response

The two-week silent exploitation window behind this PeopleSoft zero-day is the real lesson here. Patching closes the door going forward, but only a thorough compromise assessment confirms whether attackers already walked through it.


Frequently Asked Questions About the PeopleSoft Zero-Day

What is the PeopleSoft zero-day vulnerability CVE-2026-35273?

The PeopleSoft zero-day is a critical server-side request forgery vulnerability in Oracle PeopleSoft Enterprise PeopleTools that escalates to full remote code execution. It carries a CVSS score of 9.8, requires no authentication, and affects PeopleTools versions 8.61 and 8.62. Mandiant confirmed the flaw was exploited in the wild for nearly two weeks before Oracle published its advisory.

Is the PeopleSoft zero-day still being actively exploited?

Mandiant and Google Threat Intelligence Group confirmed active exploitation between May 27 and June 9, 2026, attributed to the ShinyHunters extortion group. While Oracle released an emergency patch on June 10, 2026, organizations that have not yet patched remain exposed, and any organization that was vulnerable during the exploitation window should assume potential prior compromise.

How does the PeopleSoft zero-day attack work?

The PeopleSoft zero-day works by exploiting the Environment Management Hub through the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints to trigger server-side request forgery, which then escalates to remote code execution. After gaining access, attackers deployed disguised MeshCentral remote management agents, conducted internal reconnaissance, and exfiltrated data using zstd compression before publishing stolen records on a public extortion leak site.

Why is the PeopleSoft zero-day so dangerous?

The PeopleSoft zero-day is dangerous because it requires no authentication and allows complete server takeover. It also exploited a two-week window before any patch existed, meaning organizations had no opportunity to defend against the initial wave of attacks. The use of disguised MeshCentral agents posing as Microsoft Azure services made post-exploitation activity significantly harder to detect using standard monitoring approaches.

Who is affected by the PeopleSoft zero-day?

Organizations running Oracle PeopleSoft Enterprise PeopleTools versions 8.61 or 8.62 with an exposed Environment Management Hub are directly affected by the PeopleSoft zero-day. Higher education institutions represented 68 percent of the more than 100 organizations notified by Google, but the vulnerability affects any sector using these PeopleSoft versions, including enterprises managing payroll, HR, and finance operations through the platform.

How should organizations respond to the PeopleSoft zero-day?

Organizations should respond to the PeopleSoft zero-day by applying Oracle's emergency patch immediately and disabling or restricting access to the Environment Management Hub. Security teams should then conduct a full compromise assessment covering the May 27 to June 10, 2026 exploitation window, searching specifically for disguised MeshCentral agents, unexpected PSEMHUB directory contents, and signs of NetNTLM hash capture through outbound SMB traffic. Any confirmed indicator should trigger immediate incident response procedures.
