ShinyHunters exploited a critical Oracle PeopleSoft zero-day to breach over 100 organizations, mostly universities, before a patch was available.Mandiant and Google’s Threat Intelligence Group published an analysis of an active ShinyHunters campaign on June 11, one day after Oracle finally issued an advisory for the vulnerability being exploited. The gap matters: the activity ran from May 27 to June 9, meaning every organization hit during those two weeks was dealing with a zero-day, a flaw with no available patch and no official vendor warning. Sixty-eight percent of the more than 100 organizations Mandiant notified were universities and colleges, most of them in the United States.The flaw, CVE-2026-35273 (CVSS score of 9.8), is a remote code execution vulnerability in Oracle PeopleSoft’s Environment Management component, rated 9.8 out of 10. No authentication required. No user interaction required. Just network access to the Environment Management Hub endpoint and you can take over the server. “Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component.” reads the report published by Google. “The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle’s June 10, 2026 advisory, the vulnerability was exploited as a zero-day.”PeopleTools versions 8.61 and 8.62 are confirmed affected; Oracle says earlier unsupported versions are likely vulnerable too.The attackers left their staging infrastructure exposed, which is how Mandiant got a detailed look at the operation. Researcher @nahamike01 publicly flagged open directories on five sequential IP addresses, all running Python’s built-in HTTP server on port 8888. Mandiant triaged all five and found a shared .bash_history file, identical across every host, that laid out the entire operation in timestamped detail. If you’re going to run a sophisticated zero-day campaign against universities, at least password-protect your file server.“The staging infrastructure hosted pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services, specifically named meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe.” reads the report. “Static analysis indicates these agents were hardcoded to establish communication with the command and control (C2) server wss://azurenetfiles.net:443/agent.ashx.” The domain was chosen to look like Microsoft Azure NetApp Files. MeshCentral is legitimate open-source remote management software, which means the traffic blends into normal administrative activity and doesn’t trigger obvious alerts.The command history tells the full operational story. On May 27 at 22:14 UTC, the attackers installed MeshCentral version 1.1.59. Eleven minutes later they installed acme-client to automate Let’s Encrypt SSL certificate provisioning for azurenetfiles.net, giving their C2 a valid certificate. They then used MeshCentral’s CLI tool meshctrl.js to run commands on compromised endpoints: mapping Oracle PeopleSoft configurations, reading process scheduler config files, parsing internal host tables, and inspecting WebLogic XML configs to identify additional targets inside each victim network.Attackers performed lateral movement through a script named [victim_abbreviation]_fanout.sh, written directly to /tmp on compromised hosts and executed remotely via MeshCentral. The script parses /etc/hosts for internal PeopleSoft node hostnames, then sprays a hardcoded list of usernames and passwords against each one over SSH. On successful login it copies a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories, both as an extortion marker and as a propagation confirmation the operators could verify remotely. Exfiltration went out compressed with zstd, followed by an outbound SSH connection to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters data leak site.The University of Nottingham is among the first confirmed victims. Have I Been Pwned has indexed approximately 455,000 unique email addresses from the leaked data, covering current students and alumni, with names, addresses, phone numbers, passport numbers, and records on ethnicity and disabilities. ShinyHunters has said that victim outreach has only just started and most compromised organizations haven’t been posted yet.For any organization running Oracle PeopleSoft right now, the immediate priority is isolation. Oracle’s guidance is to disable the Environment Management Hub service entirely on multi-server setups, or remove the PSEMHUB application on single-server setups. If neither is possible, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter. “Endpoint Access Restrictions: If you cannot disable the EMHub Service, immediately block external network access to the sensitive endpoints /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Relying solely on Web Application Firewall (WAF) body-inspection rules is insufficient, as these controls can be bypassed.” concludes the report.Restricting these endpoints doesn’t break normal user sessions; EMHub and the Integration Broker Listening Connector are administrative components, not user-facing ones. Then hunt: check WebLogic access logs for external POST requests to those paths, scan for unexpected JSP files under the PSEMHUB.war directory, look for directories named logs, persistantstorage, or scratchpad under PSEMHUB paths, and monitor for outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations.Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, ShinyHunters)