On June 10, 2026, Oracle published an emergency advisory for a critical flaw in PeopleSoft, calling the patch “a high-priority risk reduction measure.” As reported by CSO Online, the advisory urged immediate patching but gave no indication the flaw was being actively exploited.

By then, ShinyHunters had already been exploiting it as a zero-day for two weeks. Google would later notify more than 100 organizations with potentially vulnerable endpoints; at least some had already been compromised, and stolen data from those victims started appearing on a leak site the day before Oracle’s advisory even shipped.

This is CVE-2026-35273 — an unauthenticated, SSRF-driven remote code execution bug in PeopleSoft’s Environment Management Hub, exploited as a zero-day against universities primarily in the United States, with at least one confirmed victim in the UK. It is the second time in five weeks that ShinyHunters has hit higher education at scale, and the attack vector has nothing in common with the first.

TL;DR

  • CVE-2026-35273 is an unauthenticated SSRF-to-RCE flaw in PeopleSoft Enterprise PeopleTools (versions 8.61/8.62), CVSS 9.8, via the Environment Management Hub (PSEMHUB).
  • Mandiant/Google Threat Intelligence Group confirmed UNC6240 (ShinyHunters) exploited it as a zero-day between May 27 and June 9, 2026 — roughly two weeks before Oracle’s June 10 advisory.
  • The CVE was added to CISA’s KEV catalog on June 12, 2026.
  • Google notified 100+ organizations; 68% were higher education institutions. University of Nottingham confirmed a breach affecting close to 500,000 current and former students.
  • ShinyHunters claims to have stolen 40GB of billing, payment, and student finance data and threatened further leaks against a payment deadline — that figure is the attacker’s own claim, not independently verified.
  • This is the same threat actor that breached Canvas LMS in May 2026 — same sector, completely different attack technique.

The Vulnerability: SSRF Into Remote Code Execution

CVE-2026-35273 affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 (Oracle’s advisory reportedly also flags potentially earlier, unsupported versions) in the Environment Management component. Rapid7’s analysis classifies the root cause as server-side request forgery (SSRF) in the Environment Management Hub that an attacker can turn into remote code execution — over plain HTTP, with no authentication and no user interaction. CVSS 9.8.

Rapid7 ties exploitation to two endpoints:

/PSEMHUB/hub
/PSIGW/HttpListeningConnector

PSEMHUB exists to let PeopleSoft’s Environment Management agents talk to a central hub across a server farm. It is meant to be internal infrastructure. When it is reachable from the internet — which appears to have been common enough that Google ended up notifying 100+ organizations with exposed endpoints — it becomes a pre-authentication path straight into the application server.

There’s an awkward detail in Oracle’s own response: at the time the advisory shipped, the linked “patch availability document” was only accessible to customers with an active support account, so for some organizations even confirming whether a patch existed required a support login. That gap is part of why “disable or block the endpoint” is listed below as a parallel step, not a fallback.

Two Weeks Inside Before Anyone Outside Noticed

Mandiant/GTIG’s confirmed timeline is the core of this story:

  • May 27, 2026, 22:14 UTC — MeshCentral v1.1.59 installed for C2 staging, using binaries renamed to look like Azure tooling (meshagent64-azure-ops.exe, meshagent64-v2.exe).
  • May 27, 2026, 22:25 UTC — acme-client installed to auto-issue a Let’s Encrypt certificate for the attacker’s C2 domain, giving it a valid TLS padlock.
  • May 29, 2026, 18:46 UTC — Authenticode signing tool availability checked.
  • May 27 – June 9, 2026 — active compromise, lateral movement, and data exfiltration.
  • June 9, 2026 — open, unauthenticated staging directories discovered publicly; stolen data published on the ShinyHunters Data Leak Site (DLS).
  • June 10, 2026 — Oracle’s out-of-band advisory, with no acknowledgment of active exploitation.
  • June 11, 2026 — Mandiant/GTIG publish their campaign analysis, confirming exploitation began May 27.
  • June 12, 2026 — CVE-2026-35273 added to CISA’s KEV catalog.

The sequence is the actual story here: the advisory, the confirmation that it had already been exploited for two weeks, and the leak site post all landed within 72 hours of each other — in the wrong order for anyone trying to patch ahead of the threat.

Inside the Campaign

Once inside, the operators moved laterally using SSH credential spraying. Mandiant identified a script — pattern [victim_abbreviation]_fanout.sh — that parses /etc/hosts for entries matching naming patterns like csprd[0-9] and attempts logins with hardcoded credentials via sshpass, targeting WebLogic and Process Scheduler directories:

$BASE/webserv/CSPRD
$BASE/webserv/CSPRD02
$BASE/appserv/prcs

Compromised hosts received a defacement/extortion marker:

README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT

Data was compressed with zstd before exfiltration:

pv -s "$(du -sb exfil | awk '{print $1}')" | zstd -3 -T0 -o exfil.tar.zst

Command and control ran over MeshCentral — legitimate open-source remote management software — rebranded to look like Azure operations tooling, communicating over wss://azurenetfiles[.]net:443/agent.ashx. Using a real, signed, TLS-fronted remote-management product instead of custom malware is a deliberate choice: it blends into normal admin traffic and gives EDR less to flag on file reputation alone.

Confirmed, Claimed, and Assessed

| Statement | Status |
|---|---|
| CVE-2026-35273 is an unauthenticated SSRF/RCE flaw in PeopleSoft PeopleTools 8.61/8.62, CVSS 9.8 | Confirmed — Oracle advisory, corroborated by Rapid7 |
| UNC6240 (ShinyHunters) exploited it as a zero-day between May 27 and June 9, 2026 | Confirmed — Mandiant/GTIG campaign report |
| Oracle’s June 10 advisory did not acknowledge active exploitation | Reported by CSO Online; Oracle did not respond to CSO’s request for comment |
| 100+ organizations notified; 68% in higher education | Confirmed — Google/Mandiant |
| University of Nottingham breached, ~500,000 current/former students affected | Confirmed — reported by Help Net Security |
| 40GB of billing, payment, and student finance data stolen | Claimed by ShinyHunters in their June 9 DLS post — not independently verified |
| ShinyHunters threatened further leaks against a payment deadline | Reported by CSO Online |
| This campaign is operationally linked to the May 2026 Canvas LMS breach | Not established — same actor, same sector, no confirmed technical or infrastructure overlap published |

Why Universities, Twice in Five Weeks

This is the same group that breached Canvas LMS in May 2026 — affecting up to 275 million users through abused Free-For-Teacher accounts in a multi-tenant SaaS platform (see related post below). The PeopleSoft campaign shares nothing technical with that one. No shared infrastructure has been published, no shared tooling beyond the actor’s general playbook of extortion-via-DLS.

What they share is the target profile. Universities run PeopleSoft for HR, finance, and student records — often for decades, often with IT teams stretched across far more systems than headcount allows. That combination of high-value financial/PII data, large attack surface, and slower patch cycles makes higher education a target that rewards almost any working technique, not just one. The lesson isn’t “watch out for SaaS account abuse” or “watch out for ERP zero-days” — it’s that this actor will use whichever door is open, and education keeps leaving doors open.

Detection Ideas

Indicators of Compromise

| Type | Indicator |
|---|---|
| Staging IPs | 142.11.200.186, 142.11.200.190 |
| C2 domain | azurenetfiles[.]net |
| C2 protocol | wss://azurenetfiles[.]net:443/agent.ashx |
| DLS mirror IP | 176.120.22.24 |
| Lateral movement script | *_fanout.sh |
| Defacement marker | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT |

| Filename | SHA-256 |
|---|---|
| meshagent64-azure-ops.exe | f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc |
| meshagent64-v2.exe | d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f |
| meshagent32-azure-ops.exe | c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f |
| meshagent (Linux) | 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309 |
| .bash_history (staged artifact) | 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35 |

Hunting Queries

Web/WAF logs — look for external traffic to the vulnerable endpoints:

index=web_logs uri_path IN ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
| where src_ip NOT IN (trusted_internal_ranges)
| stats count by src_ip, uri_path, http_method

EDR/process telemetry for the renamed MeshCentral agents:

DeviceProcessEvents
| where FileName has_any ("meshagent64-azure-ops.exe", "meshagent64-v2.exe", "meshagent32-azure-ops.exe", "meshagent")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath

Other signals worth correlating:

  • Unexpected .jsp files written under PSEMHUB.war paths — a classic webshell-via-SSRF pattern.
  • Outbound WSS/443 connections from PeopleSoft app or web servers to domains registered or certificate-issued in the last 30 days.
  • SSH authentication attempts against hosts matching csprd*-style naming, originating from a PeopleSoft server rather than an admin workstation.
  • Sudden outbound transfer spikes correlated with zstd/tar process execution on PeopleSoft hosts.
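The two hunting queries above, rewritten as one stand-alone hunt in Python that runs over constructed sample data. This is an added example, not code from the post, Mandiant, or Rapid7. It assumes a Common Log Format access log and a hypothetical process-event schema (DeviceName, FileName, SHA256, DestHost); the indicator values are the ones from the IOC tables above, and the trusted ranges are RFC 1918 stand-ins you would replace with your own.

```python
import ipaddress
import re

# Indicators transcribed from the post's IOC tables (C2 domain kept defanged as published).
IOC_DOMAINS_DEFANGED = {"azurenetfiles[.]net"}
IOC_IPS = {"142.11.200.186", "142.11.200.190", "176.120.22.24"}
IOC_FILENAMES = {"meshagent64-azure-ops.exe", "meshagent64-v2.exe",
                 "meshagent32-azure-ops.exe", "meshagent"}
IOC_SHA256 = {
    "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc",
    "d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f",
    "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
    "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309",
    "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35",
}
VULN_ENDPOINTS = {"/PSEMHUB/hub", "/PSIGW/HttpListeningConnector"}

# Assumption: trusted ranges are whatever your organisation owns; RFC 1918 is a stand-in.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(indicator):
    """Turn a defanged indicator such as azurenetfiles[.]net into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Common Log Format: client ip, ident, user, [timestamp], "METHOD path proto", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def hunt_web_logs(lines, trusted=TRUSTED_NETS):
    """Return (src_ip, method, path, status) for every hit on a vulnerable endpoint
    from a source outside the trusted ranges. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        src, method, path, status = m.groups()
        path = path.split("?", 1)[0].rstrip("/")   # drop query string, trailing slash
        if path not in VULN_ENDPOINTS:
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if any(ip in net for net in trusted):
            continue
        hits.append((src, method, path, int(status)))
    return hits


def hunt_process_events(events):
    """events: dicts with DeviceName, FileName, SHA256, DestHost (hypothetical schema).
    Returns (DeviceName, FileName, [reasons]) for each event matching an indicator."""
    alerts = []
    for ev in events:
        reasons = []
        if ev.get("FileName", "").lower() in IOC_FILENAMES:
            reasons.append("ioc-filename")
        if ev.get("SHA256", "").lower() in IOC_SHA256:
            reasons.append("ioc-sha256")
        dest = refang(ev.get("DestHost", ""))
        if dest in IOC_DOMAINS or dest in IOC_IPS:
            reasons.append("ioc-c2")
        if reasons:
            alerts.append((ev.get("DeviceName"), ev.get("FileName"), reasons))
    return alerts


# Constructed sample input (documentation-range IPs, hypothetical hosts).
SAMPLE_WEB_LOGS = [
    '203.0.113.45 - - [28/May/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.40 - - [28/May/2026:02:15:10 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 88',
    '198.51.100.7 - - [28/May/2026:02:16:33 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
    '203.0.113.45 - - [28/May/2026:02:16:40 +0000] "GET /PSIGW/HttpListeningConnector/?ping=1 HTTP/1.1" 200 12',
    '203.0.113.45 - - [28/May/2026:02:17:01 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 4096',
    "not a log line",
]
SAMPLE_EVENTS = [
    {"DeviceName": "csprd01", "FileName": "meshagent64-azure-ops.exe",
     "SHA256": "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc",
     "DestHost": "azurenetfiles[.]net"},
    {"DeviceName": "csprd02", "FileName": "svchost.exe", "SHA256": "0" * 64,
     "DestHost": "login.microsoftonline.com"},
    {"DeviceName": "prcs01", "FileName": "updater.exe",
     "SHA256": "d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f",
     "DestHost": ""},
]

if __name__ == "__main__":
    for hit in hunt_web_logs(SAMPLE_WEB_LOGS):
        print("web hit:", hit)
    for alert in hunt_process_events(SAMPLE_EVENTS):
        print("process alert:", alert)
```

The hash match is what catches the renamed binary on prcs01 even though its filename looks harmless, which is the point of hunting on SHA-256 alongside the filenames: the post's own timeline shows the actor renaming the MeshCentral agent to look like Azure tooling.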

What Defenders Should Do Now

PeopleSoft administrators:

  • Apply Oracle’s patch once verified through your support account — do not wait for the standard quarterly cycle.
  • Whether or not the patch is confirmed applied, disable or remove the Environment Management Hub (PSEMHUB) service if it isn’t actively required.
  • Block external/internet access to /PSEMHUB/* and /PSIGW/* at the network perimeter. Neither should be internet-reachable.
  • Rotate credentials used by Environment Management agents and any internal accounts the SSH-spray script could plausibly have hit.

SOC/network teams:

  • Hunt the IOCs above across web, EDR, and DNS telemetry back to May 27, 2026 — Mandiant’s confirmed dwell time means today’s patch date doesn’t bound your exposure window.
  • Block and alert on azurenetfiles[.]net and the listed staging IPs.
  • Treat any PeopleSoft server with outbound WSS connections to non-corporate domains as compromised until proven otherwise.

Incident responders:

  • If any indicator matches, assume lateral movement via SSH credential spraying and audit every host referenced in /etc/hosts patterns like csprd* — not just the PeopleSoft server itself.
  • Preserve PSEMHUB.war directories, web server access logs, and bash history before remediation.
  • Treat ShinyHunters’ June 9 claims about stolen data volume as a floor, not a ceiling, until your own forensic review confirms scope.
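An added helper for the first responder bullet above (not the post's, Mandiant's, or Oracle's code): it parses an /etc/hosts file and returns every alias matching the csprd-style naming pattern, so the audit list covers each host the spray script could have reached rather than just the PeopleSoft server. The hosts content is constructed, and the pattern is an assumption generalised from the csprd[0-9] example in the post.

```python
import re

# Naming pattern the post says the fanout script looked for; adjust to your own conventions.
CSPRD_PATTERN = re.compile(r"^csprd\d+$", re.IGNORECASE)

# Constructed /etc/hosts content (hypothetical hosts, not from the post).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
10.1.2.11     csprd01.corp.example csprd01
10.1.2.12     csprd02.corp.example csprd02   # PeopleSoft app server 2
10.1.2.20     prcs01.corp.example prcs01
10.1.2.11     csprd01                        # duplicate alias on a later line
# 10.1.2.99   csprd99 decommissioned
"""


def hosts_in_scope(hosts_text, pattern=CSPRD_PATTERN):
    """Return {short_name: ip} for every /etc/hosts alias whose first label matches
    pattern. Comments and blank lines are ignored; the first IP seen for a name wins."""
    scope = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip trailing or full-line comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            short = name.split(".", 1)[0].lower()   # FQDN -> first label
            if pattern.match(short):
                scope.setdefault(short, ip)
    return dict(sorted(scope.items()))


if __name__ == "__main__":
    for host, ip in hosts_in_scope(SAMPLE_HOSTS).items():
        print(f"audit {host} ({ip}): SSH auth logs, PSEMHUB.war dirs, bash history")
```

Run it against the /etc/hosts from the compromised PeopleSoft server, not from a clean host: the attacker's fanout script read that file, so that copy defines the set of hosts it could have tried.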

The Gap That Matters

The distance between “no indication of active exploitation” and the truth here wasn’t a typo — it was two weeks, a published advisory, and an open leak site post, arriving in the wrong order. For a zero-day, the vendor advisory is not the start of the clock. By the time it appears, the people who already got in are usually finished. The right move is to hunt your own logs starting from the disclosure window, not from your patch date.

PeopleSoft’s Environment Management Hub just produced one of 2026’s highest-severity unauthenticated RCE bugs, in a system most security teams treat as a stable, internal-only legacy platform. That assumption is exactly what an attacker is counting on.


Sources