The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Oracle PeopleSoft Enterprise PeopleTools flaw, tracked as CVE-2026-35273 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.
Oracle PeopleSoft Enterprise PeopleTools is the underlying technology platform used to build, run, administer, and customize Oracle PeopleSoft applications.
The flaw CVE-2026-35273 is a remote code execution vulnerability in Oracle PeopleSoft’s Environment Management component. No authentication required. No user interaction required. Just network access to the Environment Management Hub endpoint and you can take over the server.
This week, Mandiant and Google’s Threat Intelligence Group published an analysis of an active ShinyHunters campaign on June 11, one day after Oracle finally issued an advisory for the vulnerability being exploited. The gap matters: the activity ran from May 27 to June 9, meaning every organization hit during those two weeks was dealing with a zero-day, a flaw with no available patch and no official vendor warning. Sixty-eight percent of the more than 100 organizations Mandiant notified were universities and colleges, most of them in the United States.
“Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component.” reads the report published by Google. “The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle’s June 10, 2026 advisory, the vulnerability was exploited as a zero-day.”
PeopleTools versions 8.61 and 8.62 are confirmed affected; Oracle says earlier unsupported versions are likely vulnerable too.
The attackers left their staging infrastructure exposed, which is how Mandiant got a detailed look at the operation. Researcher @nahamike01 publicly flagged open directories on five sequential IP addresses, all running Python’s built-in HTTP server on port 8888. Mandiant triaged all five and found a shared .bash_history file, identical across every host, that laid out the entire operation in timestamped detail. If you’re going to run a sophisticated zero-day campaign against universities, at least password-protect your file server.
“The staging infrastructure hosted pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services, specifically named meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe.” reads the report. “Static analysis indicates these agents were hardcoded to establish communication with the command and control (C2) server wss://azurenetfiles.net:443/agent.ashx.”
The domain was chosen to look like Microsoft Azure NetApp Files. MeshCentral is legitimate open-source remote management software, which means the traffic blends into normal administrative activity and doesn’t trigger obvious alerts.
The command history tells the full operational story. On May 27 at 22:14 UTC, the attackers installed MeshCentral version 1.1.59. Eleven minutes later they installed acme-client to automate Let’s Encrypt SSL certificate provisioning for azurenetfiles.net, giving their C2 a valid certificate. They then used MeshCentral’s CLI tool meshctrl.js to run commands on compromised endpoints: mapping Oracle PeopleSoft configurations, reading process scheduler config files, parsing internal host tables, and inspecting WebLogic XML configs to identify additional targets inside each victim network.
Attackers performed lateral movement through a script named [victim_abbreviation]_fanout.sh, written directly to /tmp on compromised hosts and executed remotely via MeshCentral. The script parses /etc/hosts for internal PeopleSoft node hostnames, then sprays a hardcoded list of usernames and passwords against each one over SSH. On successful login it copies a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories, both as an extortion marker and as a propagation confirmation the operators could verify remotely.
Exfiltration went out compressed with zstd, followed by an outbound SSH connection to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters data leak site.
The University of Nottingham is among the first confirmed victims. Have I Been Pwned has indexed approximately 455,000 unique email addresses from the leaked data, covering current students and alumni, with names, addresses, phone numbers, passport numbers, and records on ethnicity and disabilities. ShinyHunters has said that victim outreach has only just started and most compromised organizations haven’t been posted yet.
For any organization running Oracle PeopleSoft right now, the immediate priority is isolation. Oracle’s guidance is to disable the Environment Management Hub service entirely on multi-server setups, or remove the PSEMHUB application on single-server setups. If neither is possible, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerability by June 15, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。