
Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters

Source: Cybersecurity News (archived Jun 12, 2026)

By Guru Baran, June 12, 2026

Mandiant and Google Threat Intelligence Group (GTIG) have issued a critical warning after identifying an active compromise-and-extortion campaign targeting Oracle PeopleSoft infrastructure, attributed to the notorious threat actor UNC6240, also known as ShinyHunters.

The campaign exploited CVE-2026-35273, a critical unauthenticated remote code execution (RCE) vulnerability with a CVSS score of 9.8, as a zero-day before Oracle published its advisory on June 10, 2026. The malicious activity was observed between May 27 and June 9, 2026, with attacks targeting the Environment Management Hub (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62.

Google Threat Intelligence Group notified over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints, with 68% of victims concentrated in the higher education sector, including universities and colleges worldwide. The University of Nottingham confirmed unauthorized activity on its systems, with reports indicating approximately 40 gigabytes of stolen data, including student records, financial aid data, health records, and immigration details.

Oracle PeopleSoft 0-Day RCE Vulnerability

GTIG triaged five sequential attacker-controlled staging IP addresses, 142.11.200.186 through 142.11.200.190, each hosting a Python SimpleHTTP server on port 8888. These exposed directory contents included attacker command histories, staging materials, and pre-configured MeshCentral remote management agents. The Windows agent binaries were disguised as legitimate Microsoft Azure services (meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe) and hardcoded to establish C2 communications with wss://azurenetfiles.net:443/agent.ashx — a domain crafted to mimic legitimate Microsoft Azure NetApp Files endpoints.
The attackers established their staging environment on May 27, 2026, at 22:14 UTC by installing MeshCentral v1.1.59, followed at 22:25 UTC by the acme-client npm package to automate Let’s Encrypt SSL certificate provisioning for the masquerading domain. Using the meshctrl.js CLI, they executed targeted reconnaissance commands on compromised hosts, mapping Oracle PeopleSoft configurations by inspecting psappsrv.cfg, auditing active NFS mounts, and reading WebLogic config.xml files to map internal application servers.

Lateral movement was automated via a custom propagation script, [victim_abbreviation]_fanout.sh, deployed to /tmp, which performed SSH credential spraying against internal hosts parsed from /etc/hosts. Upon successful authentication, the script dropped a defacement and extortion marker file, README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, into WebLogic and Process Scheduler directories.

Exfiltrated data was compressed using zstd before the attackers established an outbound SSH connection to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters Data Leak Site (DLS). Stolen data archives were published on the DLS on June 9, 2026.

[Figure: ShinyHunters claim (Source: Google)]

Key IOCs

| Indicator | Type | Description |
|---|---|---|
| 142.11.200.186–.190 | IP Addresses | Attacker staging servers |
| azurenetfiles.net | Domain | C2 masquerading domain |
| meshagent64-azure-ops.exe | SHA-256: f02a924c... | Pre-configured Windows agent |
| meshagent32-azure-ops.exe | SHA-256: c7e93327... | Pre-configured Windows agent |
| .bash_history | SHA-256: 2ab684d9... | Attacker command history |
| README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Filename | Extortion marker |

Organizations are strongly advised to apply Oracle’s emergency advisory for CVE-2026-35273 and remain on actively supported PeopleSoft versions with all Critical Patch Updates applied without delay.
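A retrospective log sweep for the indicators listed above, as an added example that is not part of the original article or of GTIG's report. The log line formats, the hit labels and the `xx` victim abbreviation are constructed for illustration; only the indicator values come from the article.

```python
import ipaddress
import re

# Indicator values from the article; everything else here is an assumption.
STAGING_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
DLS_MIRROR_IP = ipaddress.ip_address("176.120.22.24")
C2_DOMAIN = "azurenetfiles.net"
AGENT_NAMES = ("meshagent32-azure-ops.exe", "meshagent64-azure-ops.exe",
               "meshagent64-v2.exe")
MARKER = "readme-if-you-see-this-youve-been-hacked.txt"
FANOUT_RE = re.compile(r"/tmp/[^/\s]+_fanout\.sh\b")
# Whole dotted quads only, so 142.11.200.1860 is not read as .186.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")

def match_line(line):
    """Return the sorted hit labels (hypothetical names) for one log line."""
    hits, low = set(), line.lower()
    for tok in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:  # e.g. 999.1.1.1
            continue
        if ip in STAGING_IPS:
            hits.add("staging-ip")
        elif ip == DLS_MIRROR_IP:
            hits.add("dls-mirror-ip")
    for host in HOST_RE.findall(low):
        # Exact domain or a true subdomain; lookalike suffixes do not match.
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            hits.add("c2-domain")
    if any(name in low for name in AGENT_NAMES):
        hits.add("meshagent-binary")
    if MARKER in low:
        hits.add("extortion-marker")
    if FANOUT_RE.search(line):
        hits.add("fanout-script")
    return sorted(hits)

def sweep(lines):
    """Map 1-based line number -> hit labels, for lines with any hit."""
    return {i: h for i, line in enumerate(lines, 1) if (h := match_line(line))}

SAMPLE = [  # constructed log lines
    "May 28 01:02:03 psweb01 proxy: CONNECT azurenetfiles.net:443 from 10.0.4.12",
    "May 28 01:05:10 psweb01 fw: ALLOW tcp 10.0.4.12:51544 -> 142.11.200.188:8888",
    "May 28 01:06:00 psweb01 fw: ALLOW tcp 10.0.4.12:51600 -> 142.11.200.185:8888",
    "May 29 03:10:44 psapp02 auditd: exec /bin/sh /tmp/xx_fanout.sh",
    "May 29 03:12:00 psapp02 dns: query cdn.azurenetfiles.net.example.org A",
    "Jun 02 11:00:00 psapp02 fw: ALLOW tcp 10.0.4.20:40022 -> 176.120.22.24:22",
]
```

Calling `sweep(SAMPLE)` flags lines 1, 2, 4 and 6; the adjacent address .185 and the lookalike hostname on line 5 are not reported.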