UPDATE: Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest
From CTI Daily Brief — 2026-06-13 · published 2026-06-13
UPDATE (originally covered 2026-06-11): Mandiant and Google GTIG formally attribute the PeopleSoft Environment Management Hub exploitation campaign to UNC6240 (ShinyHunters) and confirm the activity ran from 27 May to 9 June 2026 — predating Oracle's 10 June out-of-band advisory, establishing CVE-2026-35273 (CVSS 9.8) as a zero-day at time of exploitation (Mandiant/GTIG, 2026-06-11). The unauthenticated SSRF→RCE is reached via the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints in PeopleTools 8.61/8.62. GTIG notified over 100 organisations whose endpoints correlated with exploitation; 68% are higher-education institutions. Post-exploitation, the actor deployed MeshCentral remote-management agents disguised as Azure binaries, used SSH fan-out scripts with PeopleSoft admin credentials for lateral movement, and exfiltrated to the ShinyHunters leak site (Rapid7, 2026-06-12). The University of Nottingham confirmed 454,600 student and alumni records were taken, including passport numbers (University of Nottingham; BleepingComputer, 2026-06-11). CISA added the CVE to KEV on 12 June. Swiss/EU universities running Campus Solutions should treat this as P1 (see § 0 Immediate Action and § 6).
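
A retro-hunt sketch for the two endpoints and the 27 May to 9 June window named above, added here as an illustration and not taken from Mandiant, GTIG, Rapid7 or Oracle. The Common Log Format input, the trusted 10.0.0.0/8 range, the UTC window boundaries and the sample lines are all assumptions; a hit is a lead for review, not proof of compromise.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Endpoints and activity window as stated in the brief (UTC is an assumption).
PATHS = ("/psemhub/hub", "/psigw/httplisteningconnector")
START = datetime(2026, 5, 27, tzinfo=timezone.utc)
END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive, i.e. through 9 June
# Assumption: networks where legitimate hub agents and integration peers live.
TRUSTED = [ip_network("10.0.0.0/8")]
# Assumption: Common/Combined Log Format access logs.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalise(target):
    """Drop the query string, decode %XX, fold case, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/+", "/", path)

def hunt(lines, trusted=TRUSTED):
    """Return {source: [(time, method, path, status, in_window), ...]}."""
    hits = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        path = normalise(target)
        if not any(path == p or path.startswith(p + "/") for p in PATHS):
            continue
        try:
            if any(ip_address(src) in net for net in trusted):
                continue  # expected internal traffic
        except ValueError:
            pass  # hostname instead of an IP: keep it for review
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits.setdefault(src, []).append(
            (when.isoformat(), method, path, int(status), START <= when < END))
    return hits

# Constructed sample log lines (documentation address ranges), not real data.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.1.2.3 - - [28/May/2026:02:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 88',
    '198.51.100.20 - - [09/Jun/2026:23:59:59 +0000] "POST /PSIGW/%48ttpListeningConnector?x=1 HTTP/1.1" 500 0',
    '203.0.113.7 - - [11/Jun/2026:08:00:00 +0000] "GET //PSEMHUB/hub HTTP/1.1" 403 0',
    '203.0.113.9 - - [01/Jun/2026:08:00:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 900',
]
```

Requests outside the reported window are kept with `in_window` set to `False` rather than dropped, so earlier or later probing of the same endpoints still surfaces.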