general · TheHackerNews
The ShinyHunters extortion crew exploited an unpatched zero-day vulnerability in Oracle PeopleSoft's Environment Management Hub to breach enterprise systems between late May and early June 2026. The flaw, CVE-2026-35273, is a remote code execution bug in PeopleTools 8.61 and 8.62 rated 9.8/10 that requires only network access over HTTP—no login or user interaction needed. Google Mandiant attributes the campaign to the group it tracks as UNC6240. Oracle published its advisory on June 10, after the vulnerability had been actively exploited in the wild. The attackers staged data using exposed servers, deployed custom remote-management agents disguised as Microsoft binaries, and spread laterally via SSH credential spraying. Mandiant notified over 100 affected organizations; approximately 68% were higher-education institutions in the United States. The University of Nottingham is a confirmed victim, with roughly 455,000 unique email addresses exposed, including personal data such as names, addresses, passport numbers, and ethnicity information.
For regulated organizations running Oracle PeopleSoft—particularly healthcare providers and defense contractors managing sensitive data—this incident underscores the risk of unpatched, internet-reachable administrative interfaces. Healthcare organizations subject to HIPAA and defense contractors handling CUI should immediately audit their PeopleSoft deployments to ensure the Environment Management Hub is not accessible from untrusted networks; failure to restrict access to legacy ERP systems is a common gap in NIST 800-171 and CMMC compliance postures. Institutions should follow Oracle's mitigation guidance (network restrictions, log monitoring for suspicious WebLogic activity, and hunting for JSP web shells) while awaiting patch availability. An Omniware engagement can scope the exposure assessment, validate compensating controls, and align remediation with your compliance framework.
Source: The Hacker News - https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-Source: TheHackerNewsAll briefings
Source: TheHackerNews
All briefings