ShinyHunters claim 300 PeopleSoft instances hit via 9.8 unauthenticated RCE; Oracle patch still pending
Mandiant confirmed compromise at 100+ organizations, mostly US higher education, two weeks before Oracle's June 10 emergency mitigations.
The extortion group ShinyHunters says it stole data from roughly 300 Oracle PeopleSoft instances across more than 100 organizations, exploiting an unauthenticated remote code execution flaw scored 9.8 on CVSS, according to BleepingComputer. The campaign ran from May 27 through at least June 9, 2026, roughly two weeks before Oracle published its first advisory on the underlying flaw.
Mandiant and Google Threat Intelligence Group, tracking the activity as UNC6240, independently confirmed compromise at more than 100 organizations. About 68% of the exposed footprint sits in US higher education. The attackers reached internet-exposed PeopleSoft installations through the /PSEMHUB/ and /PSIGW/HttpListeningConnector endpoints, then dropped MeshCentral agents posing as Microsoft Azure components (C2 at azurenetfiles.net), a [victim]_fanout.sh lateral movement script, and JavaServer Pages webshells on adjacent WebLogic servers.
Oracle's June 10 Security Alert for CVE-2026-35273 shipped emergency, out-of-cycle mitigations for the PeopleTools Environment Management component, covering versions 8.61 and 8.62. A full patch has not yet been released. The vendor's alert does not state that the flaw was being actively exploited in the wild, even though BleepingComputer confirmed the campaign on June 9 with the gang on the record. A defender reading Oracle's alert alone would not have known the campaign was already two weeks old.
The tradecraft became visible to defenders on June 9, 2026, when independent researcher Michael R. (@nahamike01) discovered the attackers had left their tooling directories open on the public internet. Mandiant's triage of those paths produced a usable indicator list: source IPs 142.11.200.186 through 142.11.200.190, 108.174.202.99, and 176.120.22.24, the last one overlapping with public ShinyHunters data-leak infrastructure. The 9.8 score reflects the unauthenticated nature of the bug; no credentials are required to reach the vulnerable code path.
For defenders running PeopleSoft, the immediate checklist is concrete. Apply Oracle's emergency mitigations to every 8.61 and 8.62 instance and treat those systems as exposed until the full patch ships. Hunt network telemetry for traffic to and from the published attacker IPs and the azurenetfiles.net MeshCentral C2 domain. Audit /PSEMHUB/, /PSIGW/HttpListeningConnector, and adjacent WebLogic paths for the .jsp webshells Mandiant described, and search endpoint telemetry for fanout.sh execution. Rotate any credentials that touched the affected systems, and review logs for the broader UNC6240 pattern that has surfaced in prior Snowflake, Salesforce, Drift, and Instructure Canvas incidents. Until Oracle ships the real patch, the mitigations are the floor, not the ceiling.
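As an added illustration (not code from the article, Mandiant, or Oracle), the script below runs the indicators quoted above over constructed web-server log lines in combined log format; the log format, regex, category names, and sample lines are assumptions, and the indicator set is limited to what the article publishes.

```python
"""Triage web access/proxy logs for the UNC6240 PeopleSoft indicators named in the article."""
import re
from typing import Dict, List

# Indicators quoted in the article (Mandiant triage). The 142.11.200.186-190 range is expanded here.
ATTACKER_IPS = {f"142.11.200.{i}" for i in range(186, 191)} | {"108.174.202.99", "176.120.22.24"}
C2_DOMAIN = "azurenetfiles.net"
PEOPLESOFT_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Combined-log-format line: client ip, timestamp, request, status. Assumed format; adapt to your proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def triage_line(line: str) -> List[str]:
    """Return the indicator categories one log line matches (empty list if clean or unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits: List[str] = []
    ip, url = m.group("ip"), m.group("url")
    if ip in ATTACKER_IPS:
        hits.append("attacker_ip")                # published source IP: alert
    if C2_DOMAIN in url.lower():
        hits.append("meshcentral_c2")             # outbound contact with the MeshCentral C2 domain: alert
    path = url.split("?", 1)[0]
    if path.startswith(PEOPLESOFT_PATHS):
        hits.append("peoplesoft_endpoint")        # traffic to the entry points used: review queue, not alert
    elif path.lower().endswith(".jsp"):
        hits.append("jsp_on_adjacent_path")       # .jsp on an adjacent WebLogic path: candidate webshell
    return hits


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group matching log lines by category; lines with no indicator are dropped."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        for category in triage_line(line):
            report.setdefault(category, []).append(line)
    return report


# Constructed sample lines, not real telemetry; only the IP and domain are article-published values.
SAMPLE = [
    '142.11.200.188 - - [02/Jun/2026:03:14:07 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512',
    '10.20.30.40 - - [02/Jun/2026:03:15:11 +0000] "GET http://azurenetfiles.net/ HTTP/1.1" 200 90012',
    '203.0.113.9 - - [03/Jun/2026:11:02:45 +0000] "GET /console/images/helper.jsp HTTP/1.1" 200 77',
    '198.51.100.7 - - [03/Jun/2026:11:03:00 +0000] "GET /index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for category, entries in triage(SAMPLE).items():
        print(f"[{category}] {len(entries)} line(s)")
```

The endpoint category is deliberately a review queue: legitimate integration traffic also reaches /PSIGW/HttpListeningConnector, so it is the pairing with a published IP or an unexpected client that matters.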