Flash Briefing | Critical | Education, Healthcare, Finance, Government

ShinyHunters Weaponised Oracle PeopleSoft Zero-Day Against 100+ Universities and Enterprises: CVE-2026-35273

ShinyHunters (UNC6240) spent two weeks exploiting an unauthenticated remote code execution vulnerability in Oracle PeopleSoft before Oracle published an advisory or patch, compromising more than 100 organisations across higher education, healthcare, and government. CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog on 12 June 2026. The University of Nottingham has confirmed a breach affecting over 450,000 current and former students — one of the largest UK university data exposures on record.

The Vulnerability

CVE-2026-35273 is a CVSS 9.8 unauthenticated remote code execution vulnerability in the PeopleSoft Environment Management Hub (EMHub) — a backend component that orchestrates agents across PeopleSoft environments. An attacker with HTTP network access can send a crafted request to EMHub, chain a gadget sequence combining the zero-day with older deserialization weaknesses, and achieve full server takeover with no credentials and no user interaction required.

Mandiant published its attribution report on 11 June 2026, documenting active exploitation by UNC6240 (ShinyHunters) from 27 May through 9 June 2026 — a 14-day zero-day window during which Oracle had issued no advisory, no patch, and no mitigation guidance. The out-of-band security alert and patch followed only after mass exploitation was already underway. Affected versions are PeopleSoft Enterprise PeopleTools 8.61 and 8.62.

Scope and Targeting

ShinyHunters targeted over 300 internet-facing PeopleSoft instances and successfully breached more than 100 organisations. Mandiant’s data shows 68% of notified victims are universities — a concentration driven by PeopleSoft’s dominance as the ERP and student information system backbone for higher education institutions globally. The University of Nottingham disclosed a breach affecting the personal data and academic records of approximately 450,000 students, with ShinyHunters publishing tens of gigabytes of stolen records on their extortion platform.

The remaining 32% of victims span healthcare systems, local government, and financial services organisations — sectors where PeopleSoft is widely deployed for HR, finance, and supply chain management. ShinyHunters’ operational model is data theft followed by extortion: access is monetised through public data dumps when ransom negotiations fail, as seen in previous campaigns against DentaQuest (2.6 million healthcare records) and Charter Communications.

Why PeopleSoft Environments Are Exposed

PeopleSoft deployments commonly have internet-facing management interfaces that accumulated without the hardening applied to consumer-facing systems. The EMHub component sits at the back-end of many institutional PeopleSoft environments without the same scrutiny applied to student or customer portals. Organisations running on-premises PeopleSoft also operate on update cycles driven by institutional IT capacity rather than security urgency — a structural lag that creates predictable zero-day windows when vendors like Oracle publish quarterly critical patch updates rather than responding to active exploitation.

Apply Oracle’s out-of-band patch immediately. Oracle issued emergency guidance via My Oracle Support following Mandiant’s disclosure. Do not wait for the next quarterly CPU cycle.

Audit internet-exposed PeopleSoft surfaces. Enumerate all externally reachable PeopleSoft interfaces, including EMHub, PIA web servers, and Integration Broker endpoints. Any component reachable from the internet without mandatory network-layer controls should be treated as a potential compromise vector during the exploitation window.

Forensic review for the May 27 – June 9 window. Any organisation running PeopleSoft Enterprise PeopleTools 8.61 or 8.62 with internet-facing exposure should treat this period as a potential breach window. Review web server logs for anomalous POST requests to EMHub endpoints, lateral movement from PeopleSoft service accounts, and bulk database queries or exports from PeopleSoft schemas.

Prepare for extortion contact. ShinyHunters’ standard operating procedure is to make contact weeks or months after the initial breach. Organisations that cannot rule out exposure during the zero-day window should brief legal and communications teams now rather than after an extortion demand arrives.
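One way to run the web-log part of the forensic review above, as an added example that is not from Mandiant, Oracle, or the original briefing. It assumes Common/Combined Log Format access logs, an EMHub web context of `/PSEMHUB/`, and a known subnet for your own Environment Management agents; all three are assumptions to replace with your deployment's values.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumptions, not from the briefing: Common/Combined Log Format, the EMHub
# web context "/PSEMHUB/", and the subnet your own EM agents report from.
EMHUB_PREFIX = "/PSEMHUB/"
KNOWN_AGENT_NETS = [ip_network("10.20.0.0/24")]
# Window reported in the briefing (27 May through 9 June 2026), taken as UTC.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive bound

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def suspicious_emhub_posts(lines):
    """Map source -> [(time, path, status)] for in-window POSTs to EMHub
    that did not come from a known agent network."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].upper().startswith(EMHUB_PREFIX):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not WINDOW_START <= ts < WINDOW_END:
            continue
        try:
            known = any(ip_address(m["ip"]) in n for n in KNOWN_AGENT_NETS)
        except ValueError:
            known = False  # hostname in the client field: keep for review
        if not known:
            hits[m["ip"]].append((ts.isoformat(), m["path"], m["status"]))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not real telemetry.
SAMPLE_LOG = """\
10.20.0.15 - - [28/May/2026:02:10:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
203.0.113.44 - - [28/May/2026:02:14:03 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 7341
203.0.113.44 - - [28/May/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 500 120
198.51.100.7 - - [20/May/2026:11:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 300
198.51.100.7 - - [01/Jun/2026:11:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for src, events in suspicious_emhub_posts(SAMPLE_LOG.splitlines()).items():
        print(src, len(events), events)
```

Sources returned here are leads for triage, not confirmed compromise; correlate them with the service-account and database-export checks named in the same step.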

The 14-day undetected exploitation window before Oracle’s advisory reflects the structural risk of quarterly patch cadences when vulnerabilities are being actively weaponised. CISA’s KEV addition on 12 June should be treated as the floor, not the ceiling, of urgency.