Oracle PeopleSoft Zero-Day CVE-2026-35273 Burned for Two Weeks: ShinyHunters Breach 100+ Organizations Through PSEMHUB
ShinyHunters spent roughly two weeks inside Oracle PeopleSoft Enterprise PeopleTools deployments before anyone outside the campaign knew the bug existed. Google Mandiant tracks the cluster as UNC6240 and confirmed that CVE-2026-35273, a pre-authentication remote code execution flaw (CVSS base score 9.8) in the Updates Environment Management component (PSEMHUB) of PeopleSoft Enterprise PeopleTools, was exploited in the wild from approximately May 27 through June 9, 2026; Oracle published an emergency out-of-band security alert on June 10. The attack chain needs nothing more than HTTP access to PSEMHUB: no credentials, no user interaction, no prior foothold elsewhere on the network. By the time the patch reached customers, the group was claiming 100-plus breached organizations across roughly 300 internet-accessible instances, and the University of Nottingham had publicly confirmed the loss of 40 GB of student and billing data.
The post-exploitation tradecraft is what makes this campaign uncomfortable for defenders. Mandiant observed the attackers planting custom MeshCentral agents on compromised servers and styling those agents to look like routine cloud endpoint check-ins, so the C2 traffic blends into the kind of vendor noise nobody wants to alert on. Once a server falls, automated SSH credential-spraying scripts walk laterally through whatever the box can reach, and operators stage Rclone for bulk exfiltration of student records, billing systems, and internal documents. The sector concentration is striking: roughly 68 percent of confirmed victims are US higher-education institutions, exactly the sector that runs ERP-class PeopleSoft on its most sensitive student information systems, according to SecurityWeek's reporting on the Mandiant attribution.
The Detection Gap Blue Teams Walked Into
Most blue teams will not catch this on the way in. The exploit traffic is unauthenticated HTTP to a legitimate management endpoint, so it looks indistinguishable from a healthy PSEMHUB poll request unless detection content is tuned to the specific request shape Mandiant published. WAF coverage in front of internal admin services is thin in higher education, where PeopleSoft tends to sit behind a vanilla load balancer with the management ports exposed to the internet for the convenience of integration partners. Endpoint telemetry is the next gap, because MeshCentral has legitimate enterprise use and many EDR baselines treat it as a benign remote management agent rather than a C2 beacon. The same is true for Rclone, which shows up regularly in legitimate backup and sync workflows and rarely fires an alert on its own.
The defacement markers and dropped scripts do give defenders a real, durable signal once they know to look. Per the Help Net Security write-up, the campaign drops files in WebLogic and Process Scheduler directories and stages payloads under /tmp on the application server, which is exactly what a file-integrity baseline of expected PeopleSoft writes is built to catch, when such a baseline actually exists. Authentication telemetry is the other durable signal: the SSH credential-spraying scripts generate dense bursts of failed and successful auth attempts from a single source across many internal hosts, and that pattern survives any attempt by the attacker to dress up the agent traffic to look benign.
Operationalize the Response in Parallel
Stand up a response that runs the major actions in parallel rather than one ticket at a time. Exposure mapping comes first: every PeopleSoft Enterprise PeopleTools instance, whether owned by central IT or by a college department running its own ERP, with particular attention to which of them has PSEMHUB reachable from the internet or from any untrusted segment. Patching runs alongside, applied per the Oracle Security Alert published June 10, 2026, with network access to the Updates Environment Management service restricted to known administrative ranges until the patch is verified on every host, and preferably left restricted afterwards, with integration partners reached through those admin ranges rather than by opening the port to the internet. Retrospective hunting should run in parallel with the patch work against logs going back to at least May 27 (earlier if retention allows, because the start of the exploitation window is only approximate), looking for anomalous file writes under /tmp and inside WebLogic and Process Scheduler directories, unexpected MeshCentral or Rclone processes on PeopleSoft hosts, and bursts of internal SSH activity originating from any PeopleSoft application server. Credential and token rotation closes the loop on every account that could have been harvested from a potentially compromised box, because the attackers were specifically interested in pivot material that would carry them into adjacent systems.
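The exposure-mapping step above is easy to describe and easy to get wrong when a college department's firewall rule says 10.0.0.0/8 instead of the admin subnet. The following is an added example, not code from this page or from BlueTeamAutomation: it audits a constructed inventory of PeopleSoft instances and their allow rules and flags every rule that lets the PSEMHUB port be reached from outside the administrative ranges. The inventory, the (source_cidr, port) rule model and the ADMIN_RANGES values are assumptions for illustration.

```python
"""Audit which PeopleSoft instances allow the PSEMHUB port from outside the
administrative ranges. Added example: the inventory, the rule model and the
admin ranges are constructed for illustration, not real data."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: only these ranges should ever reach the Updates Environment
# Management service. Replace with the real admin/jump-host ranges.
ADMIN_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]


@dataclass
class Instance:
    name: str
    owner: str                 # central IT or the department running its own ERP
    psemhub_port: int
    # Allow rules as (source_cidr, dest_port); anything not listed is denied.
    allow_rules: list = field(default_factory=list)


def exposed_sources(inst: Instance) -> list:
    """Return the allow-rule sources for the PSEMHUB port that are not fully
    contained in an admin range. A source that merely overlaps an admin range
    (e.g. 10.0.0.0/8 against 10.20.0.0/16) still counts as exposed."""
    findings = []
    for src, port in inst.allow_rules:
        if port != inst.psemhub_port:
            continue
        net = ipaddress.ip_network(src, strict=False)
        contained = any(net.version == adm.version and net.subnet_of(adm)
                        for adm in ADMIN_RANGES)
        if not contained:
            findings.append(str(net))
    return findings


def classify(findings: list) -> str:
    """Rank exposure so the queue sorts internet-facing instances first."""
    if any(ipaddress.ip_network(f).prefixlen == 0 for f in findings):
        return "internet"
    return "untrusted-internal" if findings else "restricted"


def audit(instances: list) -> list:
    """Return (name, owner, classification, exposed_sources) rows, worst first."""
    order = {"internet": 0, "untrusted-internal": 1, "restricted": 2}
    rows = []
    for inst in instances:
        f = exposed_sources(inst)
        rows.append((inst.name, inst.owner, classify(f), f))
    return sorted(rows, key=lambda r: order[r[2]])


def sample_inventory() -> list:
    """Constructed inventory covering the three cases that matter."""
    return [
        Instance("hr-prod", "central-it", 8000,
                 [("0.0.0.0/0", 8000), ("10.20.0.0/16", 8443)]),
        Instance("fin-college", "business-school", 8000,
                 [("192.168.50.0/24", 8000), ("0.0.0.0/0", 443)]),
        Instance("sa-dev", "central-it", 8001,
                 [("10.0.0.0/8", 8001), ("192.168.50.10/32", 8001)]),
    ]


if __name__ == "__main__":
    for name, owner, level, srcs in audit(sample_inventory()):
        print(f"{level:18} {name:12} {owner:16} {srcs}")
```

The containment check is the point: `subnet_of` only passes when the whole source range sits inside an admin range, so an overly broad internal rule is reported alongside a 0.0.0.0/0 rule rather than hidden behind the fact that it happens to include the admin subnet. Feed it the real rule export and the output is the ordered patch-and-restrict queue.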
MITRE ATT&CK mapping helps detection engineering hit the right surfaces. The initial PSEMHUB exploit maps to T1190 (Exploit Public-Facing Application), so WAF inspection of inbound HTTP to management endpoints is the cheapest place to catch the technique before downstream telemetry has to do the work. For the MeshCentral C2 stage, which falls under T1219 (Remote Access Software), an EDR rule that flags MeshCentral installation paths and outbound connections on any host not on the explicit allowlist will surface the install reliably. Authentication logs catch the SSH credential spraying step, which lands at T1110.003 (Password Spraying), when the threshold is tuned low enough to see bursts of failed and successful auth from one source against many internal hosts inside a tight window. As for the Rclone exfiltration, which sits at T1567.002 (Exfiltration to Cloud Storage), defenders can pick up either the process on the host or a sustained outbound traffic pattern toward object storage providers, depending on whichever telemetry source already has the best fidelity in the environment.
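The spraying signal described in the two paragraphs above (a single source, many internal hosts, a tight window, failures mixed with successes) is straightforward to turn into detection logic. What follows is an added example, not code from this page, from Mandiant, or from BlueTeamAutomation: a small Python detector for T1110.003 run over constructed syslog-style sshd lines. The log format, the supplied year, the 60-second window and the five-host threshold are assumptions to tune for the environment.

```python
"""Detect SSH password spraying from one source across many internal hosts
(ATT&CK T1110.003) in centrally collected sshd logs. Added example; the log
lines below are constructed, and the window and host threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style sshd auth results:
# "<Mon dd HH:MM:SS> <host> sshd[pid]: Failed|Accepted password for [invalid user] <user> from <ip> port <n> ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth(lines, year=2026):
    """Return (time, host, user, source, accepted) for auth-result lines; other
    sshd lines (disconnects, key exchange) are skipped. Syslog timestamps carry
    no year, so one is supplied (assumption)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())          # collapse "Jun  3" to "Jun 3"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["src"], m["result"] == "Accepted"))
    return events


def detect_spray(events, window=timedelta(seconds=60), min_hosts=5):
    """One alert per source whose busiest `window` touches >= min_hosts distinct
    hosts. Failed and accepted attempts both count; accepted (host, user) pairs
    are reported because those are the credentials to rotate first."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        best, start = None, 0
        for end in range(len(evs)):                # sliding window over time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e[1] for e in win}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best[1])):
                best = (win, hosts)
        if best:
            win, hosts = best
            alerts.append({
                "source": src,
                "first": win[0][0].isoformat(),
                "last": win[-1][0].isoformat(),
                "hosts": sorted(hosts),
                "failed": sum(1 for e in win if not e[4]),
                "accepted": sorted((e[1], e[2]) for e in win if e[4]),
            })
    return alerts


# Constructed sample: a spray from a PeopleSoft app server's address (10.20.5.17)
# hitting six internal hosts in 12 seconds with one success, plus an admin's
# ordinary retry from a workstation that must not alert.
SAMPLE_LOG = [
    "Jun  3 02:14:07 ps-db01 sshd[4121]: Failed password for root from 10.20.5.17 port 51122 ssh2",
    "Jun  3 02:14:08 ps-prcs01 sshd[8817]: Failed password for invalid user psadm from 10.20.5.17 port 51130 ssh2",
    "Jun  3 02:14:10 ps-web02 sshd[2201]: Failed password for oracle from 10.20.5.17 port 51138 ssh2",
    "Jun  3 02:14:12 idm01 sshd[9034]: Failed password for root from 10.20.5.17 port 51144 ssh2",
    "Jun  3 02:14:15 backup01 sshd[1402]: Failed password for oracle from 10.20.5.17 port 51150 ssh2",
    "Jun  3 02:14:16 backup01 sshd[1406]: Accepted password for oracle from 10.20.5.17 port 51152 ssh2",
    "Jun  3 02:14:19 fileshare01 sshd[3310]: Failed password for svc_backup from 10.20.5.17 port 51160 ssh2",
    "Jun  3 02:14:20 ps-db01 sshd[4130]: Disconnected from authenticating user root 10.20.5.17 port 51122 [preauth]",
    "Jun  3 09:41:02 ps-app01 sshd[7710]: Failed password for jsmith from 192.168.50.10 port 40022 ssh2",
    "Jun  3 09:41:09 ps-app01 sshd[7712]: Accepted password for jsmith from 192.168.50.10 port 40022 ssh2",
]


def run_sample():
    return detect_spray(parse_auth(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Keying on distinct target hosts per source rather than on failure count is what separates a spray from a stuck service account: the stuck account fails hundreds of times against one host, the spray touches many hosts a few times each. Counting accepted logins inside the same window is deliberate, since the one success on backup01 is the event the rotation step in the response plan needs to know about.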
Where Automation Earns Its Keep
BlueTeamAutomation runs the entire blue-team workflow against the exact class of threat this campaign represents. Our breach and attack simulation product, BASzy, ships emulations for unauthenticated web exploits, MeshCentral-style remote access C2, SSH password spraying, and Rclone exfiltration to cloud storage, which means a team can validate end-to-end coverage of the Oracle PeopleSoft kill chain before the next zero-day in this category lands rather than guessing at it. CVEasy ingests asset and vulnerability data continuously and applies our TRIS v2 risk scoring so that a PeopleSoft instance exposed to the internet rises to the top of the queue the moment a CVE this serious is added to the catalog, with the patch evidence captured for audit on the way through.
The SAFEty Guard EDR agent and the firewall product extend the same coverage into endpoint and network policy enforcement, catching the MeshCentral install and the SSH spray as they happen rather than after a backup tape is mailed in. SIEM correlation rules stitch the WAF, EDR, authentication, and network telemetry into a single incident view, and SOAR-driven response runs the isolate-and-rotate playbook automatically once the correlated indicators trip a threshold the security team has previously tuned. Every action is logged into compliance evidence for SOC 2, ISO 27001, HIPAA, and the higher education frameworks that govern student data, so the team finishes the incident with the artifact trail an auditor actually needs to see.
The Oracle PeopleSoft campaign is a reminder that patching is rarely the slowest part of incident response. Coordination across detection content, asset inventory, endpoint policy, and credential hygiene is what eats the calendar, and automating that coordination is what separates a security team that catches the second wave of attackers from one that finds out about the first wave from a breach disclosure form six weeks later.
Validate your coverage before the next zero-day lands.
CVEasy keeps internet-facing ERP instances at the top of the queue the moment a critical CVE lands, and BASzy validates the full kill chain on infrastructure you own. Talk to us about the local-first blue-team stack.
Explore CVEasy →