Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters
By Guru Baran
June 12, 2026
Mandiant and Google Threat Intelligence Group (GTIG) have issued a critical warning after identifying an active compromise-and-extortion campaign targeting Oracle PeopleSoft infrastructure, attributed to the threat actor tracked as UNC6240, also known as ShinyHunters.
The campaign exploited CVE-2026-35273, a critical unauthenticated remote code execution (RCE) vulnerability with a CVSS score of 9.8, as a zero-day before Oracle published its advisory on June 10, 2026.
The malicious activity was observed between May 27 and June 9, 2026, with attacks targeting the Environment Management Hub (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62.
Google Threat Intelligence Group notified over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints, with 68% of victims concentrated in the higher education sector, including universities and colleges worldwide.
The University of Nottingham confirmed unauthorized activity on its systems, with reports indicating approximately 40 gigabytes of stolen data, including student records, financial aid data, health records, and immigration details.
Oracle PeopleSoft 0-Day RCE Vulnerability
GTIG triaged five consecutive attacker-controlled staging IP addresses, 142.11.200.186 through 142.11.200.190, each running a Python SimpleHTTP server on port 8888 with directory listing enabled.
The exposed listings included attacker command histories, staging materials, and pre-configured MeshCentral remote management agents.
The Windows agent binaries were disguised as legitimate Microsoft Azure services (meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe) and hardcoded to establish C2 communications with wss://azurenetfiles.net:443/agent.ashx — a domain crafted to mimic legitimate Microsoft Azure NetApp Files endpoints.
The attackers established their staging environment on May 27, 2026, at 22:14 UTC by installing MeshCentral v1.1.59, followed at 22:25 UTC by the acme-client npm package to automate Let’s Encrypt TLS certificate provisioning for the masquerading domain.
Using the meshctrl.js CLI, they executed targeted reconnaissance commands on compromised hosts, enumerating the PeopleSoft configuration by reading psappsrv.cfg, auditing active NFS mounts, and parsing WebLogic config.xml files to map internal application servers.
Lateral movement was automated via a custom propagation script [victim_abbreviation]_fanout.sh deployed to /tmp, which performed SSH credential spraying against internal hosts parsed from /etc/hosts.
Upon successful authentication, the script dropped a defacement and extortion marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories.
Exfiltrated data was compressed using zstd before the attackers established an outbound SSH connection to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters Data Leak Site (DLS). Stolen data archives were published on the DLS on June 9, 2026.
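The lateral-movement and marker-drop behaviour described above leaves two cheap signals on a Linux PeopleSoft estate: a single source address failing SSH password authentication against many internal hosts in a short window, and the extortion marker or a *_fanout.sh script sitting on disk. The script below is an added hunting example written for this article, not code from Google, Mandiant or Oracle; the sshd log lines, hostnames, usernames, 10.20.x.x addresses, the victim abbreviation "acme" and the directory layout are all constructed for the demonstration.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample of centrally collected sshd log lines. Hostnames,
# usernames and the 10.20.0.0/16 addresses are hypothetical; 10.20.1.15
# plays the role of the first compromised host running the fanout script.
SAMPLE_AUTH_LOG = """\
Jun  2 03:14:07 psapp01 sshd[4012]: Failed password for psadm2 from 10.20.1.15 port 51234 ssh2
Jun  2 03:14:08 psapp01 sshd[4012]: Failed password for oracle from 10.20.1.15 port 51236 ssh2
Jun  2 03:14:09 psprcs01 sshd[2210]: Failed password for psadm2 from 10.20.1.15 port 51240 ssh2
Jun  2 03:14:10 psprcs01 sshd[2211]: Accepted password for psadm2 from 10.20.1.15 port 51244 ssh2
Jun  2 03:14:11 psweb02 sshd[7781]: Failed password for invalid user psadm2 from 10.20.1.15 port 51250 ssh2
Jun  2 03:14:12 psweb02 sshd[7783]: Failed password for root from 10.20.1.15 port 51252 ssh2
Jun  2 03:14:13 psdb01 sshd[990]: Accepted password for oracle from 10.20.1.15 port 51260 ssh2
Jun  2 08:01:00 psapp01 sshd[4100]: Accepted publickey for deploy from 10.20.5.2 port 40000 ssh2
Jun  2 08:02:00 psapp01 sshd[4101]: Failed password for deploy from 10.20.5.2 port 40002 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" line.
SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

MARKER_FILE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"  # from the report
FANOUT_GLOB = "*_fanout.sh"  # the report names the script [victim_abbreviation]_fanout.sh


def find_ssh_spray(log_text, min_hosts=3, min_failures=3):
    """Group sshd events by source address and flag sources that fail password
    authentication against several distinct hosts, the one-to-many shape a
    spray from a single compromised host leaves in centralized logs.
    Returns {src: {"hosts": n, "failures": n, "accepted": [(host, user), ...]}}."""
    per_src = defaultdict(lambda: {"hosts": set(), "failures": 0, "accepted": []})
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        rec = per_src[m["src"]]
        rec["hosts"].add(m["host"])
        if m["result"] == "Failed" and m["method"] == "password":
            rec["failures"] += 1
        elif m["result"] == "Accepted":
            # A success from a spraying source is the host to triage first.
            rec["accepted"].append((m["host"], m["user"]))
    return {
        src: {"hosts": len(r["hosts"]), "failures": r["failures"], "accepted": r["accepted"]}
        for src, r in per_src.items()
        if len(r["hosts"]) >= min_hosts and r["failures"] >= min_failures
    }


def find_extortion_artifacts(root):
    """Walk a filesystem tree and return the marker file and any fanout script
    found under it, as paths relative to root."""
    root = Path(root)
    hits = list(root.rglob(MARKER_FILE)) + list(root.rglob(FANOUT_GLOB))
    return sorted(str(p.relative_to(root)) for p in hits)


def build_sample_tree():
    """Constructed on-disk sample standing in for a compromised host; the
    directory layout and the 'acme' victim abbreviation are hypothetical."""
    root = Path(tempfile.mkdtemp(prefix="psft-hunt-"))
    (root / "tmp").mkdir()
    (root / "tmp" / "acme_fanout.sh").write_text("#!/bin/sh\n")
    for d in ("opt/weblogic/domains/peoplesoft", "opt/psft/appserv/prcs/PRCSDOM"):
        (root / d).mkdir(parents=True)
        (root / d / MARKER_FILE).write_text("extortion note\n")
    # Benign config file that must not be reported.
    (root / "opt/psft/appserv/prcs/PRCSDOM" / "psprcs.cfg").write_text("")
    return root


if __name__ == "__main__":
    for src, info in find_ssh_spray(SAMPLE_AUTH_LOG).items():
        print(f"possible SSH spray from {src}: {info}")
    for path in find_extortion_artifacts(build_sample_tree()):
        print(f"extortion artifact: {path}")
```

The thresholds are deliberately low because the fanout script works through /etc/hosts, so even a small estate produces a burst of failures across several hosts from one source; tune min_hosts upward on large fleets where configuration-management tooling legitimately fans out over SSH, but keep the "accepted after failures" list, which is what separates a spray that worked from one that did not.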
ShinyHunters claim (Source: Google)
Key IOCs

Indicator | Type | Description
142.11.200.186 through 142.11.200.190 | IPv4 addresses | Attacker staging servers (Python SimpleHTTP directory listings on TCP 8888)
azurenetfiles.net | Domain | MeshCentral C2 domain masquerading as an Azure NetApp Files endpoint (wss://azurenetfiles.net:443/agent.ashx)
176.120.22.24 | IPv4 address | Outbound SSH exfiltration target; hosts the public mirror of the ShinyHunters Data Leak Site
meshagent64-azure-ops.exe | File (SHA-256 f02a924c..., truncated in source) | Pre-configured Windows MeshAgent
meshagent32-azure-ops.exe | File (SHA-256 c7e93327..., truncated in source) | Pre-configured Windows MeshAgent
.bash_history | File (SHA-256 2ab684d9..., truncated in source) | Attacker command history recovered from the staging servers
README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Filename | Extortion marker dropped into WebLogic and Process Scheduler directories
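The indicators above are mostly network-side, so the natural first sweep is over firewall, DNS and endpoint telemetry rather than the filesystem. The matcher below is an added example for this article, not tooling from Google, Mandiant or Oracle; the normalized event records, the internal 10.20.x.x addresses, the benign destinations and the workstation name are constructed. It matches the staging range as a range rather than five literal strings, matches the C2 domain including subdomains but not look-alike suffixes, and matches the disguised agent filenames. The hashes are intentionally not matched because the page prints only their first eight hex characters.

```python
import ipaddress

# Indicators taken from the report.
STAGING_RANGE = (ipaddress.ip_address("142.11.200.186"), ipaddress.ip_address("142.11.200.190"))
STAGING_PORT = 8888                       # Python SimpleHTTP listener on each staging host
EXFIL_IP = ipaddress.ip_address("176.120.22.24")   # DLS mirror host, outbound SSH target
C2_DOMAIN = "azurenetfiles.net"
AGENT_NAMES = {"meshagent32-azure-ops.exe", "meshagent64-azure-ops.exe", "meshagent64-v2.exe"}

# Constructed sample events in a generic normalized form (for example a SIEM
# export). Internal addresses, the benign destinations and WS-0042 are hypothetical.
SAMPLE_EVENTS = [
    {"kind": "conn", "src": "10.20.1.15", "dst": "142.11.200.188", "dport": 8888},
    {"kind": "conn", "src": "10.20.1.15", "dst": "142.11.200.190", "dport": 443},
    {"kind": "conn", "src": "10.20.1.15", "dst": "142.11.200.200", "dport": 8888},  # outside the range
    {"kind": "conn", "src": "10.20.1.15", "dst": "176.120.22.24", "dport": 22},
    {"kind": "conn", "src": "10.20.1.15", "dst": "52.96.0.10", "dport": 443},
    {"kind": "dns", "src": "10.20.2.30", "query": "azurenetfiles.net"},
    {"kind": "dns", "src": "10.20.2.30", "query": "api.azurenetfiles.net"},
    {"kind": "dns", "src": "10.20.2.30", "query": "azurenetfiles.net.cdn.example"},  # look-alike, must not match
    {"kind": "dns", "src": "10.20.2.30", "query": "files.core.windows.net"},
    {"kind": "process", "host": "WS-0042", "image": r"C:\ProgramData\svc\meshagent64-azure-ops.exe"},
    {"kind": "process", "host": "WS-0042", "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
]


def in_staging_range(ip):
    """True if ip falls inside 142.11.200.186-190 inclusive."""
    addr = ipaddress.ip_address(ip)
    return STAGING_RANGE[0] <= addr <= STAGING_RANGE[1]


def domain_matches(name, ioc_domain=C2_DOMAIN):
    """Exact match or subdomain of the IOC domain; trailing dot and case are
    normalized, and a suffix look-alike such as azurenetfiles.net.cdn.example
    does not match."""
    name = name.rstrip(".").lower()
    return name == ioc_domain or name.endswith("." + ioc_domain)


def match_iocs(events):
    """Return (event_index, ioc_kind, matched_value, reason) for every event
    that touches one of the report's indicators."""
    hits = []
    for i, ev in enumerate(events):
        if ev["kind"] == "conn":
            dst = ipaddress.ip_address(ev["dst"])
            if in_staging_range(dst):
                reason = "staging server"
                if ev["dport"] == STAGING_PORT:
                    reason += " (SimpleHTTP port 8888, likely tool download)"
                hits.append((i, "ip", str(dst), reason))
            elif dst == EXFIL_IP:
                reason = "DLS mirror host"
                if ev["dport"] == 22:
                    reason += " (outbound SSH, matches exfiltration path)"
                hits.append((i, "ip", str(dst), reason))
        elif ev["kind"] == "dns" and domain_matches(ev["query"]):
            hits.append((i, "domain", ev["query"], "MeshCentral C2 domain"))
        elif ev["kind"] == "process":
            # Normalize Windows and POSIX separators, compare the basename only.
            basename = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if basename in AGENT_NAMES:
                hits.append((i, "file", basename, "disguised MeshAgent binary"))
    return hits


if __name__ == "__main__":
    for idx, kind, value, reason in match_iocs(SAMPLE_EVENTS):
        print(f"event {idx}: {kind} {value}: {reason}")
```

Note that the second process event, a MeshAgent.exe under Program Files, is not reported: the page's indicators cover the renamed binaries and the C2 domain, not MeshCentral itself, which is legitimate software that some estates run. A MeshAgent seen on a host that should not have one is still worth a manual look, but that is an inventory question rather than an IOC match.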
Organizations are strongly advised to apply Oracle’s emergency advisory for CVE-2026-35273 and remain on actively supported PeopleSoft versions with all Critical Patch Updates applied without delay.