Oracle PeopleSoft PeopleTools PSEMHUB pre-auth RCE (CVSS 9.8), zero-day exploited by UNC6240/ShinyHunters

cve · CVE-2026-35273

Coverage timeline

first 2026-06-12 → last 2026-06-12

Briefs

1 distinct

Sources cited

13 hosts

Sections touched

—

Co-occurring entities

see Related entities below

Story timeline

2026-06-12CTI Daily Brief — 2026-06-12

Source distribution

bleepingcomputer.com2 (12%)
oracle.com2 (12%)
attack.mitre.org2 (12%)
thehackernews.com2 (12%)
cloud.google.com1 (6%)
nottingham.ac.uk1 (6%)
securityweek.com1 (6%)
therecord.media1 (6%)
other5 (29%)

Related entities

ShinyHunters lists Charter Communications (Spectrum), claims 42M records; Charter denies sensitive PI/CPNI exfil
incidentitem:shinyhunters-charter-spectrum-listing-42m-claim×1
ShinyHunters Oracle PeopleSoft data-theft campaign (100+ orgs, ~300 instances, education-heavy; Univ. of Nottingham confirmed)
campaigncampaign:shinyhunters-peoplesoft-2026×1
ShinyHunters — financially motivated data-theft group
actoractor:ShinyHunters×1
UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC (cldflt.sys CfAbortHydration, claimed CVE-2020-17103 regression on fully patched Win11)
campaignitem:windows-zero-day-proliferation-yellowkey-greenplasma-minipla×1
UPDATE: Grafana Labs CoinbaseCartel — victim confirms source-code-only theft via Pwn-Request, no customer data, ransom rejected on FBI guidance
incidentitem:grafana-labs-coinbasecartel-pwn-request-github-actions-breac×1
UPDATE: TeamPCP / Shai-Hulud — first copycat wave (OX Security npm packages w/ Phantom Bot + SSH/cloud stealers); Checkmarx Jenkins plugin trojanised (third in three months); SentinelLabs PCPJack rival worm
campaignitem:teampcp-shai-hulud-copycat-wave-ox-security-checkmarx-pcpja×1

External references

NVD · cve.org · CISA KEV

All cited sources (17)

Items in briefs about Oracle PeopleSoft PeopleTools PSEMHUB pre-auth RCE (CVSS 9.8), zero-day exploited by UNC6240/ShinyHunters (1)

UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records

From CTI Daily Brief — 2026-06-12 · published 2026-06-12 · view item permalink →

UPDATE (originally covered 2026-06-11): the initial-access vector that was attacker-asserted yesterday is now vendor-confirmed: Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated RCE in the PeopleTools Environment Management Hub (PSEMHUB, versions 8.61/8.62), and published an out-of-band Security Alert with fixes (Oracle, 2026-06-10; SecurityWeek, 2026-06-11).

Mandiant GTIG formally attributes the campaign to UNC6240 (ShinyHunters), dating exploitation 27 May – 9 June — a zero-day for the full window — and details the post-exploitation chain: customised MeshCentral remote-management agents masquerading as Microsoft Azure components for persistence and C2, and a per-victim _fanout.sh lateral-movement script spraying SSH credentials against internal hosts harvested from /etc/hosts (T1190, T1021.004). Mandiant notified more than 100 organisations with exposed PSEMHUB endpoints; 68 % are higher-education institutions (Mandiant GTIG, 2026-06-11).

The University of Nottingham — confirmed as a victim yesterday — now quantifies the damage: roughly 40 GB exfiltrated covering ~455,000 individuals across its UK, Malaysia and China campuses, including names, contact details, ethnicity, disability, passport and tuition-payment data; the ICO says it is assessing the report (BleepingComputer, 2026-06-11; The Record, 2026-06-11; University of Nottingham, 2026-06-10). Action: see the § 0 callout — patch out-of-band and compromise-assess; yesterday's hardening guidance (default SSH service accounts, PSEMHUB exposure) stands.