ShinyHunters exploited a CVSS 9.8 zero-day in Oracle PeopleSoft for 13 days before Oracle published anything. This was not a low-profile stealth operation — it was a large-scale extortion campaign with custom MeshCentral agent deployment, SSH credential spraying, and data exfiltration published on the group's Data Leak Site. At Tech86, we have seen this scenario repeatedly: the patch cycle cannot keep up with exploitation speed, and organizations with internet-facing ERPs pay the price.
The vulnerability and the exploitation window
CVE-2026-35273 is an unauthenticated remote code execution vulnerability in the PeopleSoft Environment Management Hub (PSEMHUB). No authentication. No user interaction. Low complexity. Network vector. CVSS 9.8.
Per Mandiant, the active exploitation window ran from May 27 to June 9, 2026. Oracle's advisory came on June 10. It was not a patch — it was a mitigation: disable PSEMHUB or block external access to /PSEMHUB/*. The full patch remains behind a customer login. Thirteen days between documented active exploitation and a public advisory. For anyone running security operations, that is an eternity.
TrendAI, which reported the vulnerability, described exploitation as limited. Oracle's own advisory does not mention active exploitation at all. Mandiant CTO Charles Carmakal publicly warned about the campaign, per Mandiant.
The attack chain documented by Mandiant
Mandiant documented a structured attack chain that goes well beyond the initial PSEMHUB exploitation:
PSEMHUB exploitation → deployment of custom MeshCentral agents disguised as Azure services (meshagent64-azure-ops.exe, C2 at azurenetfiles.net with Let's Encrypt certificates). The disguise is deliberate: names and domains that look legitimate in network logs.
fanout.sh script → parses /etc/hosts for PeopleSoft hostnames, followed by SSH credential spraying with hardcoded credentials via sshpass. Automated lateral movement.
Defacement markers → README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT copied to WebLogic and Process Scheduler directories. The attacker wants the victim to know.
Exfiltration → zstd compression and transfer via SSH to the ShinyHunters Data Leak Site IP (176.120.22.24), per Mandiant.
Publication → data published on the DLS on June 9.
This is not a point exploitation. It is an extortion playbook with persistence, lateral movement, and structured exfiltration.
The real impact: sensitive data, not operational data
PeopleSoft runs HR, finance, and student records. The data leaked is the most sensitive data an institution holds: passport numbers, ethnicity, disabilities, payments. This is not operational data — it is data that can be used for identity fraud, discrimination, and direct extortion.
The University of Nottingham confirmed the breach. Per Have I Been Pwned, 454,600 records were verified: names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and enrollment and payment data.
Per Mandiant, over 100 organizations were notified because their IPs correlated with potentially vulnerable endpoints; not all of them were confirmed as compromised. Of those, 68% were higher education institutions, mostly in the US, per Mandiant. ShinyHunters itself claims 300 instances across over 100 organizations, an attacker claim with no independent verification. Mandiant confirmed the scale of targeting but noted that several organizations successfully blocked the activity.
The mitigation that is not a fix
Per Oracle's advisory, the mitigation is to disable PSEMHUB or block external access to /PSEMHUB/*. This is the same recommendation Mandiant made, but Mandiant also notes that a WAF relying on request-body inspection is insufficient, because it can be bypassed. If you have PeopleSoft exposed to the internet, the correct mitigation is to block /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter.
Mitigation is containment. It is not correction. The full patch remains restricted to customers with Oracle support access. Until the patch is applied, the attack surface remains.
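Added example (our own illustration, not code from Oracle, Mandiant or the attackers): a Python triage script that checks a web-tier access log for external requests to /PSEMHUB/* and /PSIGW/HttpListeningConnector that actually reached the application, which means the perimeter block above is not in place, and scans host, EDR or syslog lines for the indicators named in the attack chain. The combined-log layout, the hostnames, the sample sub-paths and all sample lines are constructed assumptions for this example.

```python
import ipaddress
import re

# Paths Oracle and Mandiant say must be unreachable from outside the perimeter.
BLOCKED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Indicators named in the write-up above (from Mandiant's reporting); the labels are ours.
CAMPAIGN_IOCS = {
    "meshagent64-azure-ops.exe": "custom MeshCentral agent",
    "azurenetfiles.net": "MeshCentral C2 domain",
    "176.120.22.24": "ShinyHunters DLS exfil IP",
    "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT": "defacement marker",
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed combined-log layout: SRC - - [TIME] "METHOD PATH PROTO" STATUS BYTES
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def is_external(addr):
    """True unless addr is in RFC 1918 or loopback space; an unparseable source counts as external."""
    try:
        return not any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)
    except ValueError:
        return True

def triage_access_log(lines):
    """External requests to the sensitive paths that reached the application (any status but 403/404)."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m.group("path").startswith(BLOCKED_PREFIXES):
            continue
        if is_external(m.group("src")) and m.group("status") not in ("403", "404"):
            findings.append({"src": m.group("src"), "path": m.group("path"), "status": m.group("status")})
    return findings

def find_iocs(lines):
    """Scan host, EDR or syslog lines for the campaign's named indicators (case-insensitive)."""
    return [(n, ioc, label) for n, line in enumerate(lines, 1)
            for ioc, label in CAMPAIGN_IOCS.items() if ioc.lower() in line.lower()]
# Constructed sample lines, not real logs; 203.0.113.0/24 is documentation address space.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [28/May/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.40 - - [28/May/2026:02:15:11 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 312',
    '203.0.113.5 - - [28/May/2026:02:16:42 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 403 0',
]
SAMPLE_HOST_LOG = [
    "2026-05-29T01:02:03Z psweb01 process_create image=C:\\ProgramData\\meshagent64-azure-ops.exe",
    "2026-05-29T01:02:09Z psweb01 dns_query name=azurenetfiles.net",
    "2026-05-29T01:12:00Z psapp02 file_create path=/home/psadm/webserv/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
]
```

Run triage_access_log over the real access log of every internet-facing web tier: any finding means the perimeter block is missing or bypassed, and a 200 from outside on /PSEMHUB/ during the May 27 to June 9 window is a reason to start incident response, not just to add a rule.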
The pattern that repeats
The 13-day window between active exploitation and advisory reflects the same pattern we have seen in other incidents throughout 2026. The difference here: it was not AI accelerating the exploit. It was an extortion group operating in an unpatched zero-day window — the same mismatch between attack speed and defense speed documented in other contexts.
At Tech86, we have seen this mismatch repeatedly. Defense needs to respond in hours, not weeks. EDR with behavioral detection identifies unauthorized MeshCentral agents, mass credential spraying, and anomalous exfiltration before data leaves the network. Real-time monitoring is not a luxury when the adversary has a 13-day head start.
Conclusion
CVE-2026-35273 is not an isolated incident — it is an exemplary case of how the window between exploitation and response defines the real impact. Thirteen days of active exploitation, 454K records leaked, mitigation instead of a patch. If your organization runs PeopleSoft exposed to the internet and has not blocked /PSEMHUB/* at the perimeter, the window is still open. At Tech86, we automate defense at the speed the adversary demands — with EDR, behavioral monitoring, and autonomous response. The patch cycle will not accelerate. Your defense must.
