Zero-Day Active Exploitation

ShinyHunters rode a PeopleSoft zero-day into 100 organizations

June 12, 2026 · 9 min read · Chris Boker
Oracle PeopleSoft PSEMHUB pre-authentication remote code execution exploited by ShinyHunters

On June 10, 2026 Oracle published an emergency out-of-band Security Alert for CVE-2026-35273, a pre-authentication remote code execution flaw in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. The flaw scores CVSS 9.8 and needs nothing more than HTTP network access to fully compromise an exposed server; no credentials and no user interaction are required at any step of the chain (The Hacker News, Help Net Security). The patch shipped because attackers were already inside: Google Mandiant told reporters and customers that a cluster it tracks internally as UNC6240, known publicly as ShinyHunters, had been exploiting the bug in the wild from roughly May 27 through June 9, 2026, which made the entire fortnight before disclosure a live zero-day window against the affected PSEMHUB service (Google Cloud Threat Intelligence, SecurityWeek).

Inside that window the blast radius is already documented rather than hypothetical: ShinyHunters claims at least 100 breached organizations among the 300 vulnerable internet-facing instances the campaign mapped, the University of Nottingham has publicly confirmed the theft of about 40 GB of student and billing data, and Mandiant's victimology shows roughly 68 percent of confirmed victims in US higher education, exactly where the older PeopleSoft Campus Solutions footprint is densest and most likely to be exposed to the open internet (The Register, BleepingComputer). Post-exploitation was tight: custom MeshCentral agents masquerading as cloud endpoints provided command and control, and automated SSH credential-spraying scripts pivoted from the compromised application servers into the broader campus network (Google Cloud Threat Intelligence).

Quick status: If you operate Oracle PeopleSoft Enterprise PeopleTools with the Updates Environment Management component (PSEMHUB) reachable from the internet, treat every one of those hosts as a probable foothold for ShinyHunters and apply the Oracle June 10, 2026 out-of-band Security Alert today, because Oracle has not yet published precise version boundaries and the safe operating assumption until your patch is confirmed applied is that all internet-accessible deployments are affected (Help Net Security).

Why this class of risk slips past your program

PeopleSoft is exactly the kind of system an exposure program is prone to mis-rank. The application name reads as a tier-one ERP and the database behind it is correctly tagged as crown-jewel data, yet the internet-exposed surface that mattered here is a niche maintenance hub, the Updates Environment Management component. A perimeter scanner sees it as a few open ports on a server in the same VLAN as the PeopleSoft web front-end, and most CMDBs record it as part of a single PeopleSoft asset rather than as a separately governed administrative service with its own authentication assumptions (The Hacker News).

The result is a familiar gap. PSEMHUB was historically treated as plumbing reachable only from trusted update workflows, so it shipped without strict ingress segmentation, and because the component sat inside an application that already carried a heavy authentication footprint nobody questioned whether the hub itself fronted a credential check before the bug landed in the open. Higher education compounds the problem because PeopleSoft fleets there run on long upgrade cycles, application servers are jointly managed by central IT and a campus enrollment systems team, and student-facing services have to reach the front door from anywhere, so the surrounding administrative hosts end up reachable too. None of that is a story about a missing patch on June 10, since the fix did not exist for the two weeks that mattered, and the only meaningful pre-disclosure defense was knowing which hosts actually exposed PSEMHUB and pulling them off the internet.

Prioritizing with TRIS

A raw CVSS triage files CVE-2026-35273 at 9.8 and parks it next to the other unremarkable critical advisories an enterprise queue holds in any given week. That is the exact failure mode TRIS, the multi-layer Threat and Risk Intelligence Scoring engine inside CVEasy AI, was built to correct: it weighs the signals that decide whether a finding is genuinely urgent inside your environment rather than only sharp on paper.

  • Active exploitation. A two-week zero-day window confirmed by Google Mandiant, a publicly attributed named actor in ShinyHunters and the UNC6240 cluster, and an Oracle out-of-band Security Alert on June 10, 2026 together drive the exploitation layer to the maximum the engine can express (Google Cloud Threat Intelligence, SecurityWeek).
  • Blast radius. The 300 internet-facing instances Mandiant mapped, the 100 plus confirmed breaches, the 40 GB Nottingham theft, and the concentration in higher education together describe a population where one compromise routinely converts into student record exfiltration and a domain-wide intrusion via the SSH credential-spraying that follows initial code execution (The Register, BleepingComputer).
  • Real exposure. TRIS narrows the alert to the PeopleSoft application servers that actually expose the Updates Environment Management component to the open internet on the running PeopleTools build your last sync ingested, which collapses the list to the hosts that have to be patched today and the smaller set that should be pulled off the internet and audited against the Mandiant indicators before they come back online.

Remediation steps

  1. Apply the Oracle out-of-band Security Alert published on June 10, 2026 to every PeopleSoft Enterprise PeopleTools host that runs the Updates Environment Management component, and confirm the patched build on each application server, because Oracle has not yet declared specific version boundaries and the operationally safe posture is to treat every running PeopleTools deployment as in scope until verified (Help Net Security, BleepingComputer).
  2. Block external HTTP access to PSEMHUB at the perimeter immediately, restrict the relevant port to the internal hosts that legitimately drive the update workflow, and keep that restriction in place after the patch lands so the next bug in the same surface has no exposed reach (The Hacker News).
  3. Review web server, application server, and host logs on every internet-reachable PeopleSoft host from May 27, 2026 onward for the Mandiant indicators this campaign left behind, which include anomalous scripts in /tmp, unexpected MeshCentral or Rclone processes, and defacement markers under the WebLogic and Process Scheduler directories (Google Cloud Threat Intelligence).
  4. Rotate every credential reachable from any potentially compromised PeopleSoft host, including local accounts, database connection strings, integration broker credentials, and SSH keys, and assume lateral movement targeted those secrets first because the post-exploitation pattern in this campaign was credential theft and pivot rather than ransomware deployment (SecurityWeek).
  5. If your incident review surfaces evidence of student, employee, or financial data exfiltration, treat the event as a confirmed data breach under your applicable notification obligations, and pair the legal work with a forensic preservation step on every affected application server so the later investigation can reconstruct what left the building between May 27 and the day you took the host offline.

The patch is the start, not the end. An Oracle out-of-band Security Alert lands on June 10, but a two-week zero-day window means the operationally defensible posture is to assume any internet-facing PSEMHUB was reached, then run a credential rotation and a backward log review against the Mandiant indicators before the affected hosts return to normal traffic.
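Step 3 above asks for a backward review of each PeopleSoft host for unexpected MeshCentral or Rclone processes and anomalous scripts in /tmp. The following triage helper is an added example, not code from the article, Oracle, or Mandiant; the process binary names it matches (meshagent, rclone) are assumptions since the article names the tools rather than indicators, and all sample process rows and /tmp entries are constructed.

```python
# Host triage for two indicator classes from the campaign: unexpected MeshCentral
# or Rclone processes, and scripts dropped under /tmp inside the zero-day window.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
SUSPECT_PROCESS_PATTERNS = [            # binary names are assumptions, not published IoCs
    re.compile(r"\bmeshagent\b", re.I),  # MeshCentral agent
    re.compile(r"\brclone\b", re.I),     # Rclone
]
SCRIPT_SUFFIXES = (".sh", ".py", ".pl")
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)  # first day of exploitation
@dataclass(frozen=True)
class Finding:
    kind: str    # "process" or "tmp_script"
    detail: str

def scan_processes(ps_lines, allowlist=frozenset()):
    """ps_lines: rows like 'ps -eo pid,user,args'; allowlist: approved command substrings."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or malformed row
        pid, user, args = parts
        if any(ok in args for ok in allowlist):
            continue  # site-approved job, e.g. a managed rclone backup
        if any(p.search(args) for p in SUSPECT_PROCESS_PATTERNS):
            findings.append(Finding("process", f"pid={pid} user={user} cmd={args}"))
    return findings

def scan_tmp_entries(entries, since=WINDOW_START):
    """entries: (path, mtime_epoch) pairs from a walk of /tmp; flags scripts modified in the window."""
    return [Finding("tmp_script", path) for path, mtime in entries
            if path.lower().endswith(SCRIPT_SUFFIXES)
            and datetime.fromtimestamp(mtime, tz=timezone.utc) >= since]

def triage(ps_lines, tmp_entries, allowlist=frozenset()):
    return scan_processes(ps_lines, allowlist) + scan_tmp_entries(tmp_entries)
# Constructed sample data: a WebLogic start script, an agent in /tmp, an ad-hoc rclone copy, an approved backup job.
SAMPLE_PS = [
    "  PID USER     COMMAND",
    " 2211 psadm2   /u01/psft/pt/bea/domains/peoplesoft/bin/startWebLogic.sh",
    " 4120 psadm2   /tmp/.cache/meshagent --installPath=/tmp/.cache",
    " 4388 root     rclone copy /u01/psft/ps_home/files remote:stage --transfers 8",
    " 5002 backup   /usr/bin/rclone sync /backup nas:psft-backup",
]
SAMPLE_TMP = [("/tmp/.cache/run.sh", 1_780_000_000),          # 2026-05-28, a script
              ("/tmp/hsperfdata_psadm2/1234", 1_780_000_000),  # in window, not a script
              ("/tmp/old_cleanup.sh", 1_700_000_000)]          # script, predates window
```

With the backup job allowlisted, `triage(SAMPLE_PS, SAMPLE_TMP, allowlist=frozenset({"nas:psft-backup"}))` returns the agent, the ad-hoc rclone copy and the in-window script; feed it real `ps` output and an `os.walk` of /tmp with `os.stat` mtimes to run it on a live host.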

How CVEasy AI surfaces this

When an actively exploited pre-authentication RCE lands on a tier-one ERP, CVEasy AI ingests the Oracle Security Alert, the Google Cloud Threat Intelligence writeup, and the corroborating reporting within minutes and runs the combined picture through TRIS against the PeopleSoft inventory that lives entirely on your own hardware. The platform answers the questions that decide the next seventy-two hours, namely which PeopleTools application servers expose the Updates Environment Management component to the internet, which hosts still run an unpatched build after Oracle's June 10 release, which servers logged anomalous /tmp scripts or unexpected MeshCentral and Rclone processes since May 27, and which credentials reachable from those servers need rotation today. As the number one local-first CTEM platform, CVEasy AI keeps that picture on your side of the wire and feeds the BASzy attack validation module a clean target list so the team can prove the patched PSEMHUB no longer accepts the exploitation primitive.

The next ERP zero-day will not wait for your next change window.

CVEasy AI ingests vendor Security Alerts and threat intelligence as they land and ranks your real ERP exposure with TRIS, on your own hardware, in minutes.
