ctipilot.ch


Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest

critical vulnerability discovered 2026-06-13 05:00 UTC

Entities: ShinyHunters

Part of run 2026-06-13-40b26572 (intel · Claude Opus 4.8)

UPDATE — originally covered ShinyHunters Oracle PeopleSoft campaign: gadget-chain access, SSH default-credential lateral movement, mass exfiltration (2026-06-11)

UPDATE (originally covered 2026-06-11): Mandiant and Google GTIG formally attribute the PeopleSoft Environment Management Hub exploitation campaign to UNC6240 (ShinyHunters) and confirm the activity ran from 27 May to 9 June 2026 — predating Oracle's 10 June out-of-band advisory, establishing CVE-2026-35273 (CVSS 9.8) as a zero-day at time of exploitation (Mandiant/GTIG, 2026-06-11). The unauthenticated SSRF→RCE is reached via the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints in PeopleTools 8.61/8.62.

GTIG notified over 100 organisations whose endpoints correlated with exploitation; 68% are higher-education institutions. Post-exploitation, the actor deployed MeshCentral remote-management agents disguised as Azure binaries, used SSH fan-out scripts with PeopleSoft admin credentials for lateral movement, and exfiltrated to the ShinyHunters leak site (Rapid7, 2026-06-12). The University of Nottingham confirmed 454,600 student and alumni records were taken, including passport numbers (University of Nottingham; BleepingComputer, 2026-06-11). CISA added the CVE to KEV on 12 June. Swiss/EU universities running Campus Solutions should treat this as P1.

“The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component” — Mandiant/GTIG

“CVE-2026-35273 is a critical remote code execution vulnerability (CVSS 9.8) in Oracle PeopleTools versions 8.61 and 8.62 that exploits a server-side request forgery flaw in the Environment Management component” — Rapid7

Action items

  • Patch internet-exposed Oracle PeopleSoft (PeopleTools 8.61/8.62) now: CVE-2026-35273 is under active zero-day exploitation by ShinyHunters with ongoing victim acquisition in education. Apply Oracle's out-of-band fix, restrict /PSEMHUB/hub and /PSIGW/HttpListeningConnector to trusted admin subnets, rotate PeopleSoft admin credentials, and hunt for MeshCentral agents spawned by the app-server process and unexpected outbound SMB.
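
A retrospective check to accompany the endpoint restriction above, as an added example that is not part of the original brief or any vendor tooling: it scans web access logs for requests to the two named endpoints from outside the trusted admin subnets and marks those that fall inside the reported 27 May to 9 June activity window. Assumptions: combined log format, the logged client address is the real source (not a load balancer), the window is read as UTC, and the subnet and sample lines are constructed placeholders.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Endpoints and activity window as stated in the brief.
WATCHED = ("/psemhub/hub", "/psigw/httplisteningconnector")
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive: covers 9 June
# Assumptions: placeholder admin subnet; web tier logs in "combined" format.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def triage(lines):
    """Return (hits, unparsed): untrusted requests to the watched endpoints."""
    hits, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            if not m:
                raise ValueError("not a combined-format line")
            src = ipaddress.ip_address(m["src"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            unparsed += 1  # surface parser gaps instead of hiding them
            continue
        path = m["target"].split("?", 1)[0].lower()  # case-insensitive match
        watched = any(path == w or path.startswith(w + "/") for w in WATCHED)
        if not watched or any(src in net for net in TRUSTED_NETS):
            continue
        hits.append({"src": str(src), "path": path, "status": int(m["status"]),
                     "time": ts, "in_window": WINDOW_START <= ts < WINDOW_END})
    return hits, unparsed

# Constructed sample lines (documentation IP ranges), not real telemetry.
SAMPLE = [
    '203.0.113.45 - - [29/May/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "-"',
    '10.20.0.5 - - [29/May/2026:08:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 300 "-" "-"',
    '198.51.100.7 - - [11/Jun/2026:10:30:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.45 - - [29/May/2026:02:15:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "-"',
    'truncated line without a request',
]

if __name__ == "__main__":
    hits, unparsed = triage(SAMPLE)
    for h in hits:
        print(h["time"].isoformat(), h["src"], h["path"], h["status"], h["in_window"])
    print(unparsed, "unparsed line(s)")
```

Hits outside the window are still returned, since the brief describes victim acquisition as ongoing; a non-zero unparsed count means the log format assumption does not hold for that file.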


actively-exploited zero-day rce data-breach cisa-kev global europe switzerland uk CVE-2026-35273