
Oracle PeopleSoft 0-Day RCE Exploited by Vulnerability Attacks

David kimber
June 12, 2026

Mandiant and Google Threat Intelligence Group (GTIG) have issued a critical warning regarding an active compromise-and-extortion campaign. This operation targets Oracle PeopleSoft infrastructure and is attributed to the notorious threat actor UNC6240, also known as ShinyHunters.

The campaign exploited CVE-2026-35273, a critical unauthenticated remote code execution (RCE) vulnerability with a CVSS score of 9.8, as a zero-day before Oracle published its advisory on June 10, 2026.

The malicious activity was observed between May 27 and June 9, 2026, with attacks targeting the Environment Management Hub (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62.

Google Threat Intelligence Group notified over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints, with 68% of victims concentrated in the higher education sector, including universities and colleges worldwide.

The University of Nottingham confirmed unauthorized activity on its systems, with reports indicating approximately 40 gigabytes of stolen data, including student records, financial aid data, health records, and immigration details.

Oracle PeopleSoft 0-Day RCE Vulnerability

GTIG triaged five sequential attacker-controlled staging IP addresses, 142.11.200.186 through 142.11.200.190, each hosting a Python SimpleHTTP server on port 8888.

The exposed directory contents on these servers included attacker command histories, staging materials, and pre-configured MeshCentral remote management agents.

The Windows agent binaries were disguised as legitimate Microsoft Azure services (meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe) and hardcoded to establish C2 communications with wss://azurenetfiles.net:443/agent.ashx — a domain crafted to mimic legitimate Microsoft Azure NetApp Files endpoints.

The attackers established their staging environment on May 27, 2026, at 22:14 UTC by installing MeshCentral v1.1.59, followed at 22:25 UTC by the acme-client npm package to automate Let’s Encrypt SSL certificate provisioning for the masquerading domain.

Using the meshctrl.js CLI, they executed targeted reconnaissance commands on compromised hosts, inspecting psappsrv.cfg for Oracle PeopleSoft configuration, auditing active NFS mounts, and reading WebLogic config.xml files to map internal application servers.

Lateral movement was automated via a custom propagation script [victim_abbreviation]_fanout.sh deployed to /tmp, which performed SSH credential spraying against internal hosts parsed from /etc/hosts.

Upon successful authentication, the script dropped a defacement and extortion marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories.

Exfiltrated data was compressed using zstd before the attackers established an outbound SSH connection to 176.120.22.24, the IP hosting the public mirror of the ShinyHunters Data Leak Site (DLS). Stolen data archives were published on the DLS on June 9, 2026.

ShinyHunters Claim (Source: Google)

Key IOCs

| Indicator | Type | Description |
|---|---|---|
| 142.11.200.186–.190 | IP Addresses | Attacker staging servers |
| azurenetfiles.net | Domain | C2 masquerading domain |
| meshagent64-azure-ops.exe | SHA-256: f02a924c... | Pre-configured Windows agent |
| meshagent32-azure-ops.exe | SHA-256: c7e93327... | Pre-configured Windows agent |
| .bash_history | SHA-256: 2ab684d9... | Attacker command history |
| README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Filename | Extortion marker |
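
An added hunting sketch (not from Mandiant, GTIG or the original article) that sweeps log lines for the network and file indicators reported above. The log layouts, the sample events and the `xx_fanout.sh` name are constructed assumptions; the domain check matches only the exact domain or its subdomains so lookalikes do not raise false hits.

```python
import re

# Indicators copied from the article; log layouts below are assumed.
STAGING_IPS = {f"142.11.200.{n}" for n in range(186, 191)}
DLS_IP = "176.120.22.24"
C2_DOMAIN = "azurenetfiles.net"
AGENT_NAMES = {"meshagent32-azure-ops.exe", "meshagent64-azure-ops.exe",
               "meshagent64-v2.exe"}
MARKER = "readme-if-you-see-this-youve-been-hacked.txt"
FANOUT_RE = re.compile(r"/tmp/[^/\s]+_fanout\.sh\b")
# Whole dotted quads only, so 142.11.200.1860 is not read as 142.11.200.186.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
TOKEN_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")  # host/file-like tokens

def match_line(line):
    """Return the sorted indicator labels found in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        if ip in STAGING_IPS:
            hits.add("staging_ip")
        elif ip == DLS_IP:
            hits.add("dls_ip")
    tokens = set(TOKEN_RE.findall(line.lower()))
    # Exact domain or subdomain only, so notazurenetfiles.net does not match.
    if any(t == C2_DOMAIN or t.endswith("." + C2_DOMAIN) for t in tokens):
        hits.add("c2_domain")
    if tokens & AGENT_NAMES:
        hits.add("agent_binary")
    if MARKER in tokens:
        hits.add("extortion_marker")
    if FANOUT_RE.search(line):
        hits.add("fanout_script")
    return sorted(hits)

def scan(lines):
    """Return (line_number, labels) for every line with at least one hit."""
    return [(n, h) for n, l in enumerate(lines, 1) if (h := match_line(l))]

# Constructed sample events (not real telemetry).
SAMPLE_LOGS = [
    "2026-06-01T03:12:09Z proxy GET http://142.11.200.188:8888/meshagent64-azure-ops.exe src=10.0.4.17",
    "2026-06-01T03:12:40Z dns query=azurenetfiles.net. type=A src=10.0.4.17",
    "2026-06-01T03:13:02Z dns query=notazurenetfiles.net type=A src=10.0.9.3",
    "2026-06-02T01:44:51Z auditd exec /bin/sh /tmp/xx_fanout.sh uid=1001",
    "2026-06-02T01:50:10Z fim create /u01/weblogic/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
    "2026-06-03T22:05:33Z netflow 10.0.4.17:51122 -> 176.120.22.24:22 tcp bytes=4194304",
]
```

Calling `scan()` on exported proxy, DNS, file-integrity and flow logs for the May 27 to June 9, 2026 window gives a first-pass list of hosts to triage.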

Organizations are strongly advised to apply Oracle’s emergency advisory for CVE-2026-35273 and remain on actively supported PeopleSoft versions with all Critical Patch Updates applied without delay.
