

Ethical Hacking News

ShinyHunters Exploits Oracle PeopleSoft Zero-Day Vulnerability to Target Universities


A recent breach highlights the importance of vigilance in protecting enterprise systems against zero-day vulnerabilities: ShinyHunters exploited a remote code execution bug in PeopleSoft Enterprise PeopleTools to breach university systems and steal sensitive data.

  • The ShinyHunters extortion crew exploited a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) to breach university systems and steal data.
  • The attack, attributed to the UNC6240 group, used remote code execution to gain access to servers with no login or user interaction required.
  • Researchers discovered exposed endpoints, including IP addresses running Python's SimpleHTTP server, that called home to a command-and-control server.
  • A lateral movement script was used to spread across internal hosts, revealing compressed data and an outbound SSH connection to the ShinyHunters leak site.
  • The breach exposed sensitive information, including email addresses, names, addresses, phone numbers, passport numbers, ethnicity details, and disabilities information, at 68% of affected institutions in the US.
  • Oracle's advisory recommends disabling or blocking vulnerable endpoints, securing environments through a comprehensive approach, and applying available updates for PeopleTools.



    Unpatched vulnerabilities in enterprise software remain a serious threat, as a recent breach at universities shows. The Hacker News (THN) reports that ShinyHunters, an extortion crew, exploited an Oracle PeopleSoft zero-day vulnerability (CVE-2026-35273) to breach university systems, steal sensitive data, and extort payment from the affected institutions.

    The zero-day vulnerability, rated 9.8 out of 10 by Oracle, is a remote code execution bug in PeopleSoft Enterprise PeopleTools that requires no login or user interaction to gain access to the server, provided there is network access over HTTP. If these endpoints are exposed through an Environment Management Hub service, they become vulnerable, necessitating immediate action to secure them.

    Google's Mandiant attributes the attack to the UNC6240 group and dates the activity between May 27 and June 9. Oracle did not release its advisory until June 10, making it a zero-day vulnerability for the entire period. Exposed infrastructure left by the attackers allowed researchers like @nahamike01 to track the exploit sequence.

    During the breach, researchers discovered five sequential IP addresses running Python's SimpleHTTP server on port 8888 that exposed staging files such as a shared .bash_history file, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script. These elements all called home to a command-and-control server at azurenetfiles.net.

    The lateral movement script named [victim]_fanout.sh spread over SSH by spraying hardcoded usernames and passwords against internal hosts pulled from /etc/hosts, then dropped a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. The command history revealed data that had been compressed with zstd, along with an outbound SSH connection to the server hosting the public mirror of the ShinyHunters leak site.
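
    A detection sketch for the SSH fan-out described above, as an added example (not from Mandiant, Oracle or the article): it reads centrally collected sshd logs and flags an internal source that tries several usernames on several hosts within a short window. The hostnames, addresses, log format, internal ranges and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd lines as a central syslog collector might store them (not incident data).
SAMPLE_LOG = """\
2026-06-03T02:14:01+00:00 psapp01 sshd[2211]: Failed password for psadm from 10.20.0.15 port 51234 ssh2
2026-06-03T02:14:03+00:00 psdb01 sshd[1980]: Failed password for invalid user oracle from 10.20.0.15 port 40112 ssh2
2026-06-03T02:14:04+00:00 psweb02 sshd[3321]: Failed password for root from 10.20.0.15 port 40200 ssh2
2026-06-03T02:14:09+00:00 psdb01 sshd[1984]: Accepted password for psadm from 10.20.0.15 port 40131 ssh2
2026-06-03T02:20:00+00:00 psapp01 sshd[2290]: Failed password for alice from 10.20.0.99 port 50001 ssh2
2026-06-03T02:21:00+00:00 psweb02 sshd[3400]: Failed password for root from 203.0.113.7 port 60000 ssh2
"""
# Assumption: these ranges count as internal; replace with the site's own address plan.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                  r"for (?:invalid user )?(?P<user>\S+) from (?P<src>[0-9A-Fa-f:.]+) port \d+")

def find_fanout(log_text, window=timedelta(minutes=10), min_hosts=3, min_users=3):
    """Flag internal sources that try several usernames on several hosts within `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and any(ip_address(m["src"]) in net for net in INTERNAL):
            by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["result"]))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            if len({e[1] for e in span}) >= min_hosts and len({e[2] for e in span}) >= min_users:
                burst = [e for e in events[start:] if e[0] - events[start][0] <= window]
                alerts.append({
                    "source": src,
                    "targets": sorted({e[1] for e in burst}),
                    "usernames": sorted({e[2] for e in burst}),
                    # Successful logins inside the burst are the hosts to triage first.
                    "accepted": sorted({(e[1], e[2]) for e in burst if e[3] == "Accepted"}),
                })
                break  # one alert per source
    return alerts

if __name__ == "__main__":
    print(find_fanout(SAMPLE_LOG))
```

    Hosts listed under "accepted" are also where to look for the marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT named in the report.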

    Mandiant notified over 100 organizations whose IP addresses matched vulnerable endpoints, sixty-eight percent of which were higher education institutions in the United States. Some institutions were able to block the activity; others, unfortunately, had been compromised and had data posted on the ShinyHunters leak site.

    The University of Nottingham was among the first confirmed victims of this breach. A total of about 455,000 unique email addresses were found in the leaked set, which included names, addresses, phone numbers, passport numbers, ethnicity details, and disabilities information. This exposed data has raised serious concerns regarding the security measures in place at these institutions.

    Oracle's advisory recommends disabling the Environment Management Hub service on multi-server setups or removing it outright from single-server setups. For setups where this is not possible, blocking external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter is recommended.

    Mandiant warns that relying solely on WAF body-inspection rules may not be enough since these can be bypassed. Securing these endpoints involves more than just normal user sessions; it requires a comprehensive approach to prevent exploitation.
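
    A log check for the perimeter block described above, as an added example (not from Oracle's advisory, Mandiant or the article): it normalizes each request path before comparing it with the two blocked prefixes, so a request whose raw path differs only in case, encoding or slashes still counts, and it reports whether the proxy refused it. The log format, client addresses, internal ranges and the 403/404 convention are assumptions.

```python
import posixpath
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Paths named in Oracle's advisory as quoted on this page, lower-cased for comparison.
BLOCKED = ("/psemhub", "/psigw/httplisteningconnector")
# Assumption: these ranges count as internal; replace with the site's own address plan.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Combined Log Format: client, two ids, [time], "METHOD target PROTO", status.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed reverse-proxy access log lines (documentation addresses, not incident data).
SAMPLE_LOG = """\
198.51.100.23 - - [03/Jun/2026:02:10:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [03/Jun/2026:02:10:15 +0000] "POST /psemhub/%68ub HTTP/1.1" 403 0 "-" "-"
198.51.100.40 - - [03/Jun/2026:02:11:00 +0000] "POST /psp/..%2fPSIGW//HttpListeningConnector?a=b HTTP/1.1" 200 87 "-" "-"
10.20.0.8 - - [03/Jun/2026:02:12:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 90 "-" "-"
198.51.100.40 - - [03/Jun/2026:02:13:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "-"
"""

def normalize(target):
    """Reduce a request target to the path the backend would route on."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Collapse duplicate slashes and dot segments; compare case-insensitively (assumption).
    return "/" + posixpath.normpath(path).lstrip("/").lower()

def exposed_requests(log_text):
    """Return external requests whose normalized path falls under a blocked prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or any(ip_address(m["ip"]) in net for net in INTERNAL):
            continue
        path = normalize(m["target"])
        if any(path == p or path.startswith(p + "/") for p in BLOCKED):
            status = int(m["status"])
            # Assumption: the perimeter rule answers 403 or 404; anything else got through.
            hits.append({"client": m["ip"], "path": path, "status": status,
                         "blocked": status in (403, 404)})
    return hits

if __name__ == "__main__":
    for hit in exposed_requests(SAMPLE_LOG):
        print(hit)
```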

    Therefore, applying Oracle's update for PeopleTools once it is confirmed available in My Oracle Support is crucial. The method used by ShinyHunters highlights the vulnerability of using vishing, stolen tokens, and weak access controls to steal data from SaaS platforms and education institutions. It remains unclear whether this exploit was a one-off or marks the beginning of ShinyHunters moving into ERP exploitation.

    The recent breach emphasizes the importance of vigilance in protecting enterprise systems against zero-day vulnerabilities. As threats evolve, staying informed about emerging vulnerabilities and the methods attackers use to exploit them is vital for safeguarding sensitive information.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ShinyHunters-Exploits-Oracle-PeopleSoft-Zero-Day-Vulnerability-to-Target-Universities-ehn.shtml

  • https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-35273

  • https://www.cvedetails.com/cve/CVE-2026-35273/


  • Published: Thu Jun 11 16:33:00 2026 by llama3.2 3B Q4_K_M












