Ethical Hacking News
The ShinyHunters campaign exploits a zero-day vulnerability in Oracle PeopleSoft Enterprise PeopleTools, leaving organizations exposed to attack. The attackers targeted universities and colleges, and 68% of the affected organizations are institutions in the US. Experts advise organizations to take immediate action to address this vulnerability and to prioritize isolation, patching, or blocking access to specific directories.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution vulnerability to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2026-35273, is located in the Environment Management component of Oracle PeopleSoft Enterprise PeopleTools and can be exploited without authentication or user interaction. A zero-day exploit was used during May 27 - June 9, 2026, targeting universities and colleges, with an estimated 68% of affected organizations being institutions in the United States. The attackers left their staging infrastructure exposed, allowing researchers to gather detailed information about the operation. Researchers discovered that the agents were hardcoded to communicate with a command and control server, indicating a potential for further attacks. The attackers used acme-client to automate Let’s Encrypt SSL certificate provisioning and MeshCentral to execute commands on compromised endpoints. They moved laterally using scripts and exfiltrated data over SSH connections to a public mirror of the ShinyHunters data leak site. CISA urges federal agencies to address this vulnerability by June 15, 2026, and recommends that private organizations review their infrastructure and disable or remove affected services.
The recent addition of Oracle PeopleSoft Enterprise PeopleTools to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlights a critical remote code execution vulnerability with a CVSS score of 9.8. This flaw, tracked as CVE-2026-35273, is particularly concerning due to its potential impact on organizations running Oracle PeopleSoft applications.
Oracle PeopleSoft Enterprise PeopleTools is the underlying technology platform used to build, run, administer, and customize Oracle PeopleSoft applications. The vulnerability CVE-2026-35273 is located in the Environment Management component of the platform. This flaw allows attackers to execute arbitrary code remotely without requiring authentication or user interaction. As long as an attacker can gain network access to the Environment Management Hub endpoint, they can take control of the server.
The ShinyHunters campaign was identified by Mandiant and Google's Threat Intelligence Group. The attack activity took place between May 27, 2026, and June 9, 2026. Notably, this timing means that organizations affected during these two weeks were dealing with a zero-day exploit, a flaw with no available patch or official vendor warning. An estimated sixty-eight percent of the more than one hundred organizations Mandiant notified were universities and colleges, mostly in the United States.
Mandiant identified an active ShinyHunters campaign targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026, and aligns with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability in the Environment Management component.
The attackers left their staging infrastructure exposed, which allowed Mandiant researchers to get a detailed look at the operation. This staging infrastructure included pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services and contained a shared .bash_history file that laid out the entire operation in timestamped detail.
Static analysis of these agents showed that they were hardcoded to communicate with the command and control server wss://azurenetfiles.net:443/agent.ashx, hosted on a domain that appears to mimic Microsoft Azure NetApp Files.
The attackers started by installing MeshCentral version 1.1.59 on compromised hosts, then installed acme-client to automate Let’s Encrypt SSL certificate provisioning for azurenetfiles.net, and then used MeshCentral's CLI tool meshctrl.js to run commands on compromised endpoints. Those commands mapped Oracle PeopleSoft configurations, read Process Scheduler config files, parsed internal host tables, and inspected WebLogic XML configs to identify additional targets within each victim network.
Attackers also performed lateral movement through a script named [victim_abbreviation]_fanout.sh, written directly to /tmp on compromised hosts and executed remotely via MeshCentral. The script parsed /etc/hosts for internal PeopleSoft node hostnames and then sprayed a hardcoded list of usernames and passwords against each one over SSH.
Once a login succeeded, the attackers copied a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories, both as an extortion marker and as a propagation confirmation that the operators could verify remotely. The attackers then compressed data with zstd and exfiltrated it over an outbound SSH connection to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters data leak site.
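The tradecraft described above leaves concrete host and network traces: the extortion marker file, a `_fanout.sh` script in /tmp, an SSH password spray against internal nodes, and outbound connections to the MeshCentral C2 domain and the leak-site mirror IP. The following detection script is an added example, not code from the article or from Mandiant; the indicators are the ones quoted in the article, while the log formats, the `SPRAY_THRESHOLD` value and all sample inputs are constructed assumptions.

```python
import re
from fnmatch import fnmatch

# Indicators quoted in the article above; everything else here is constructed.
MARKER_FILE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
C2_HOSTS = {"azurenetfiles.net"}      # MeshCentral C2 (wss://azurenetfiles.net:443/agent.ashx)
LEAK_SITE_IPS = {"176.120.22.24"}     # SSH exfiltration destination (leak-site mirror)
SPRAY_THRESHOLD = 5                    # assumed: failed SSH logins per source before flagging

def scan_paths(paths):
    """Flag the extortion marker file and a /tmp/<abbr>_fanout.sh lateral-movement script."""
    findings = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name == MARKER_FILE:
            findings.append(("extortion_marker", p))
        elif p.startswith("/tmp/") and fnmatch(name, "*_fanout.sh"):
            findings.append(("fanout_script", p))
    return findings

CONN_RE = re.compile(r"dst=(?P<dst>[\w.\-]+)(?::\d+)?")   # assumed connection-log format
def scan_connections(lines):
    """Flag outbound connections to the C2 domain or the leak-site mirror IP."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        dst = m.group("dst") if m else None
        if dst in C2_HOSTS:
            hits.append(("meshcentral_c2", dst))
        elif dst in LEAK_SITE_IPS:
            hits.append(("leak_site_ssh", dst))
    return hits

AUTH_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
def detect_ssh_spray(auth_lines, threshold=SPRAY_THRESHOLD):
    """Return {source: failure_count} for sources spraying several usernames over SSH."""
    by_src = {}
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m:
            by_src.setdefault(m.group("src"), []).append(m.group("user"))
    return {src: len(users) for src, users in by_src.items()
            if len(users) >= threshold and len(set(users)) >= 2}

# Constructed sample inputs (not real victim data); "uni" stands in for a victim abbreviation.
SAMPLE_PATHS = ["/opt/psft/webserv/peoplesoft/" + MARKER_FILE, "/tmp/uni_fanout.sh", "/tmp/notes.txt"]
SAMPLE_CONNS = ["proto=tcp src=10.0.5.11 dst=azurenetfiles.net:443",
                "proto=tcp src=10.0.5.11 dst=176.120.22.24:22", "proto=tcp src=10.0.5.11 dst=10.0.5.12:1521"]
SAMPLE_AUTH = [f"sshd[9{i}]: Failed password for {u} from 10.0.5.11 port 5{i}000 ssh2"
               for i, u in enumerate(["psadm", "root", "oracle", "psadm2", "weblogic", "root"])]
```

Run over a real file listing, a connection log and /var/log/auth.log (or journald sshd output), the three functions give independent signals that should be correlated per host.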
The University of Nottingham is among the first confirmed victims. A total of approximately 455,000 unique email addresses from leaked data have been indexed by Have I Been Pwned, covering current students and alumni, along with names, addresses, phone numbers, passport numbers, and records on ethnicity and disabilities. ShinyHunters has said that victim outreach has only just started, and most compromised organizations haven’t been posted yet.
CISA urges federal agencies to address this vulnerability by June 15, 2026, and recommends that private organizations review the catalog and address vulnerabilities in their infrastructure. Experts also advise that, where isolation or patching is not possible, organizations disable the Environment Management Hub service entirely on multi-server setups or remove the PSEMHUB application on single-server setups.
Related Information:
https://www.ethicalhackingnews.com/articles/The-ShinyHunters-Campaign-A-Zero-Day-Exploit-of-Oracle-PeopleSoft-Enterprise-PeopleTools-Vulnerability-ehn.shtml
https://securityaffairs.com/193574/security/u-s-cisa-adds-oracle-peoplesoft-enterprise-peopletools-flaw-to-its-known-exploited-vulnerabilities-catalog.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Published: Sat Jun 13 05:09:08 2026 by llama3.2 3B Q4_K_M