Tags: Oracle PeopleSoft, ShinyHunters, CVE-2026-35273, Higher Education

Oracle PeopleSoft Zero-Day CVE-2026-35273: ShinyHunters Was Gone Before the Advisory

ShinyHunters exploited a CVSS 9.8 PeopleSoft zero-day (CVE-2026-35273) against 100+ orgs — 68% universities — and Google had to notify the victims. The breach-evidence reckoning.

Zero Hunt Research · 8 min read

The data was on the leak site on June 9. Oracle's advisory came out on June 10. For most of the hundred-plus organizations affected, the first reliable signal that something was wrong arrived not from their SIEM, not from their EDR console, and not from Oracle — it arrived as an email from Google's Threat Intelligence Group telling them their IP correlated with a compromised PeopleSoft endpoint. By then ShinyHunters had been inside, on and off, since May 27. The exploit was a clean unauthenticated remote code execution. The dwell was roughly two weeks. The detection, for nearly everyone, was external.

That sequence — exploited as a zero-day, exfiltrated, published, then disclosed — is what makes CVE-2026-35273 worth writing about. Not the bug itself, which is a textbook deserialization-class RCE. The story is the gap between the moment the data left and the moment anyone with an obligation to report it found out.

What CVE-2026-35273 actually is

The flaw lives in the Environment Management Hub (EMHub) of Oracle PeopleSoft PeopleTools, the component that brokers configuration metadata between PeopleSoft environments. Oracle's June 10 Security Alert rates it CVSS 9.8 and lists PeopleTools 8.61 and 8.62 as affected. It is unauthenticated, network-reachable, and — per Google Mandiant's analysis — exploitable through two endpoints that a lot of PeopleSoft deployments expose to the internet without thinking about it: /PSEMHUB/hub and /PSIGW/HttpListeningConnector.

The mechanism is the depressingly familiar one. A crafted POST reaches an endpoint that hands attacker-controlled input to a Java XMLDecoder path with no validation, and the decoder happily instantiates whatever the attacker serializes. From there it is code execution as the application user. The interesting part for a defender is not the primitive — it is that the EMHub service exists, is often externally reachable, and is almost never in scope when someone draws the PeopleSoft "attack surface" on a whiteboard. It is plumbing. Plumbing is where zero-days live.

How ShinyHunters ran the PeopleSoft zero-day

Google's Threat Intelligence Group tracks the actor as UNC6240, the cluster publicly branded ShinyHunters, and dates the activity from May 27 to June 9, 2026. The chain Mandiant reconstructed is worth reading as a sequence, because every stage is a place a defender could have caught it and mostly didn't:

Stage            | What happened                                                          | What it touched
Initial access   | Unauth RCE via /PSEMHUB/hub                                            | WebLogic access logs
Persistence      | JSP webshells under PSEMHUB.war/, XMLDecoder objects in envmetadata    | Filesystem
C2               | MeshCentral agents beaconing to azurenetfiles.net over wss://…:443     | Outbound TLS
Lateral movement | [victim]_fanout.sh, SMB to internal hosts                              | TCP 445
Collection       | Staging on Python SimpleHTTP servers (port 8888)                       | Internal HTTP
Exfiltration     | zstd -3 compression, then outbound SSH to 176.120.22.24                | TCP 22 egress

The C2 domain — azurenetfiles.net, masquerading as Microsoft Azure NetApp Files — is the kind of name that survives a casual glance at a proxy log. The remote-access tooling was MeshCentral, a legitimate open-source RMM, signed and behaving like an admin tool. The exfiltration was a zstd-compressed archive pushed over SSH to a single never-before-seen IP. None of that trips a signature. All of it is loud on the wire if anything is actually modeling the wire.

"Show me the firewall rule that blocks an outbound SSH session to an IP you've never talked to before, carrying a compressed archive, from a server whose entire job is to sit still and serve HR records."

Most networks don't have that rule. They have a block-list of what's forbidden, not a model of what's normal.

The detection gap: why 100 organizations found out from Google

Here is the number that should bother every security leader reading this: Google notified over 100 organizations. That phrasing is doing a lot of work. It means those organizations did not detect the intrusion themselves. The exfiltration — gigabytes of PII compressed and shipped over SSH — completed without an internal alarm in the overwhelming majority of cases. The University of Nottingham alone lost roughly 40 GB covering personal and billing data for hundreds of thousands of current and former students.

This is the canonical detection blind spot, and it has nothing to do with the CVE being novel. The CVE was a delivery mechanism. The reason the breach was silent is that the post-exploitation lived entirely in traffic patterns that signature-based EDR and NDR are structurally bad at:

  • An RMM agent (MeshCentral) that is supposed to beacon out.
  • A C2 domain that looks like cloud storage.
  • Exfiltration over SSH, encrypted, to an IP nobody flagged because nobody had a baseline of who this server normally talks to.
  • Lateral movement over SMB inside a flat network where SMB is everywhere.

The endpoint agents didn't fire because nothing on the endpoint looked like malware. The pattern was anomalous, not malicious-by-signature — and "anomalous outbound volume on a host that historically only ingests" is exactly the class of event that never makes it into a rule because no human writes that rule for every host.
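What "a model of what's normal" looks like in its simplest form, as an added example (not Zero Hunt's model and not a reconstruction of any victim's traffic): a per-host profile built from a fortnight of constructed flow records for a PeopleSoft application server, then checked against one day that contains the two signals the page says went unalarmed, bulk egress to a never-seen peer on TCP 22 and an SMB fan-out to hosts the server had never touched. Host addresses, volumes and the thresholds (`new_peer_ratio`, `smb_fanout`) are assumptions to be tuned per host.

```python
"""Behavioural egress baseline for a server whose job is to sit still.
Added example; all flow records and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    day: int        # day index from the start of the baseline window
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


PSFT = "10.20.1.15"  # constructed: the PeopleSoft application server


def baseline_flows():
    """14 days of constructed normal traffic: database, DNS, one file share."""
    flows = []
    for day in range(14):
        flows.append(Flow(day, PSFT, "10.20.2.8", 1521, 40_000_000))  # Oracle DB
        flows.append(Flow(day, PSFT, "10.20.0.53", 53, 20_000))        # DNS
        flows.append(Flow(day, PSFT, "10.20.3.200", 445, 500_000))    # file share
    return flows


# Constructed incident day: normal DB chatter, SMB to 12 never-seen internal
# hosts, then ~38 GB over SSH to an address in a documentation range.
INCIDENT_DAY = [
    Flow(14, PSFT, "10.20.2.8", 1521, 41_000_000),
    *[Flow(14, PSFT, f"10.20.5.{i}", 445, 80_000) for i in range(10, 22)],
    Flow(14, PSFT, "203.0.113.200", 22, 38_000_000_000),
]


class HostProfile:
    """What one host usually does: known peers and mean daily outbound volume."""

    def __init__(self, history):
        by_day = defaultdict(int)
        self.peers = set()
        self.peer_ports = set()
        for f in history:
            by_day[f.day] += f.bytes_out
            self.peers.add(f.dst)
            self.peer_ports.add((f.dst, f.dport))
        self.daily_mean = mean(by_day.values()) if by_day else 0.0
        self.days = len(by_day)


def analyse(history, today, new_peer_ratio=5.0, smb_fanout=8):
    """Return alerts for a day's flows judged against the host's own history.

    Signal 1: a (dst, port) the host never talked to before, carrying more
    than new_peer_ratio times the host's usual whole-day outbound volume.
    Signal 2: connections on TCP 445 to at least smb_fanout never-seen hosts.
    """
    prof = HostProfile(history)
    alerts = []

    per_peer = defaultdict(int)
    for f in today:
        per_peer[(f.dst, f.dport)] += f.bytes_out
    for (dst, port), b in per_peer.items():
        if (dst, port) not in prof.peer_ports and prof.daily_mean and b > new_peer_ratio * prof.daily_mean:
            alerts.append({"type": "new_peer_bulk_egress", "dst": dst, "dport": port,
                           "bytes": b, "ratio": round(b / prof.daily_mean, 1)})

    smb_new = {f.dst for f in today if f.dport == 445 and f.dst not in prof.peers}
    if len(smb_new) >= smb_fanout:
        alerts.append({"type": "smb_fanout", "new_hosts": len(smb_new), "hosts": sorted(smb_new)})
    return alerts


if __name__ == "__main__":
    for a in analyse(baseline_flows(), INCIDENT_DAY):
        print(a)
```

Two design points matter more than the thresholds. The ratio is against the host's own history rather than a fleet-wide number, which is what makes "anomalous outbound volume on a host that historically only ingests" expressible without a human writing a rule per host. And the SMB check keys on never-seen destinations rather than on SMB itself, because in a flat network SMB is everywhere and port-based rules for it are noise.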

The real clock isn't the patch SLA — it's the reporting clock

Patch CVE-2026-35273 and you've closed the door the attacker already walked through. That's necessary and it's also not the hard part. For the regulated entities in this campaign — and universities increasingly are regulated entities — the moment Google's notification lands, a different and much less forgiving clock starts.

Under GDPR Article 33, a controller has 72 hours from becoming aware of a personal-data breach to notify the supervisory authority. Under NIS2, essential and important entities owe an early warning within 24 hours and a fuller notification within 72. Many European universities and research institutions fall under NIS2's research and education scope in their national transpositions, and almost all of them are GDPR controllers for vast quantities of student PII. So the operational question on June 11 was not "how do we patch" — it was:

  • What personal data categories were in the exfiltrated archive?
  • When exactly did the exfiltration occur, and over how long?
  • Whose records — current students, alumni, applicants, staff?
  • And critically: can we prove any of those answers, or are we reconstructing them from gaps?

That last question is where most breach responses fall apart. The 72-hour notification is not penalized for being bad news. It is penalized for being absent, late, or — worse in an audit — contradicted later because the initial scope was guessed. An organization that cannot produce a defensible, timestamped account of what left the network is forced to choose between under-reporting (a compliance failure) and over-reporting to every data subject (a reputational and legal one). The Coupang and Kyushu Electric disclosures the same week are a reminder that the regulator's first question is never "were you breached" — it's "what can you show me."

Auditor: "You reported 450,000 affected students. How did you arrive at that figure?"

Respondent: "That's the size of the table in the system they reached."

Auditor: "That's the size of what they could have taken. I'm asking what they did take. Do you have the egress record?"

If the answer to the last question is "no," the breach is now also an evidence problem, and the evidence problem outlives the patch by years — through the regulator's inquiry, the data-subject claims, and the cyber-insurance adjustment.
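What "the egress record" has to look like to survive that exchange is a timestamped, tamper-evident account written at the time, not reconstructed later. The block below is an added example, not Zero Hunt's implementation: the page says Zero Hunt signs each record with ECDSA at write time, while this version hash-chains records and authenticates each link with an HMAC so it runs on the standard library alone (assumption: a symmetric key held by the evidence store). The egress events and key are constructed; `bytes_to` shows how the auditor's question, what actually left and to where, is answered from verified records only.

```python
"""Hash-chained, HMAC-authenticated egress record. Added example; the
events, key and addresses are constructed."""
import copy
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _canon(obj) -> bytes:
    """Canonical JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, key: bytes, event: dict, ts: str) -> dict:
    """Append one event; its hash covers the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "prev": prev, "event": event}
    h = hashlib.sha256(_canon(body)).hexdigest()
    rec = dict(body, hash=h, sig=hmac.new(key, h.encode(), "sha256").hexdigest())
    chain.append(rec)
    return rec


def verify_chain(chain, key: bytes):
    """Return (True, len) for an intact chain, (False, index) at the first bad link."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in ("seq", "ts", "prev", "event")}
        if rec["seq"] != i or rec["prev"] != prev:
            return (False, i)
        h = hashlib.sha256(_canon(body)).hexdigest()
        if h != rec["hash"]:
            return (False, i)
        expected = hmac.new(key, h.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return (False, i)
        prev = h
    return (True, len(chain))


def bytes_to(chain, key: bytes, dst: str) -> int:
    """Total bytes recorded as leaving for dst; refuses to answer from a broken chain."""
    ok, where = verify_chain(chain, key)
    if not ok:
        raise ValueError(f"chain invalid at record {where}; no defensible answer")
    return sum(r["event"]["bytes"] for r in chain
               if r["event"]["kind"] == "egress" and r["event"]["dst"] == dst)


def build_demo_chain(key: bytes = DEMO_KEY):
    """Three constructed egress observations from the PeopleSoft app server."""
    chain = []
    src = "10.20.1.15"
    append_record(chain, key, {"kind": "egress", "src": src, "dst": "10.20.2.8",
                               "dport": 1521, "bytes": 41_000_000}, "2026-06-08T01:00:00Z")
    append_record(chain, key, {"kind": "egress", "src": src, "dst": "203.0.113.200",
                               "dport": 22, "bytes": 12_000_000_000}, "2026-06-08T02:10:00Z")
    append_record(chain, key, {"kind": "egress", "src": src, "dst": "203.0.113.200",
                               "dport": 22, "bytes": 26_000_000_000}, "2026-06-08T02:40:00Z")
    return chain


def tamper_demo(key: bytes = DEMO_KEY):
    """Edit a byte count after the fact and show the chain reports exactly where."""
    chain = copy.deepcopy(build_demo_chain(key))
    chain[1]["event"]["bytes"] = 1_000  # the "it was only a small file" edit
    return verify_chain(chain, key)


if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain, DEMO_KEY), bytes_to(chain, DEMO_KEY, "203.0.113.200"))
    print(tamper_demo())
```

The property that matters for the 72-hour notification is the one `bytes_to` enforces: the figure handed to the regulator is computed from records that verify, so it cannot quietly drift between the initial report and the later one. Swapping the HMAC for a per-appliance ECDSA signature, as the page describes, adds the ability for a third party to verify without holding the signing key; the chain structure is unchanged.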

Higher education is the soft target with the hard obligations

ShinyHunters did not target universities by accident. 68% of the affected organizations were in higher education. The sector is a structural sweet spot: PeopleSoft is the de-facto ERP for student information, HR, and finance across enormous swaths of the education world; the deployments are old, federated, and frequently internet-exposed for remote campus access; and security teams are lean relative to the size of the PII estate they sit on. A single PeopleSoft compromise yields decades of student records — exactly the data that monetizes on a leak site and exactly the data whose loss triggers the heaviest notification obligations.

The combination is brutal: the highest-value PII, the thinnest detection coverage, and now a regulatory frame (NIS2 plus GDPR) that assumes you can account for what happened. That assumption is the gap this campaign exposed.

Where Zero Hunt fits the scenario

The reporting clock is unforgiving precisely because the evidence is usually missing. Zero Hunt's Automatic Compliance pillar is built for the moment after the notification lands. Every finding, scan, and remediation is continuously mapped against 32 frameworks — GDPR, NIS2 (including Title 13), ISO 27001 and the rest — with cross-framework control mapping, so a single PeopleSoft-exposure finding lands simultaneously in your GDPR Article 32 posture, your NIS2 essential-entity obligations, and your ISO audit, instead of being re-litigated three times. Each record is ECDSA-signed at write time with chain-of-custody by construction, which is the difference between telling a regulator "we believe 450,000 records" and handing them a verifiable, timestamped account through the Trust Center — the one-click, auditor-ready export that turns the 72-hour scramble into a retrieval.

But the evidence has to exist before it can be signed, and that is where the AI Traffic Analysis pillar answers the part of this campaign that made it silent. Zero Hunt runs a proprietary deep-learning model with four parallel inference heads — suspicious traffic, malware classification, attack-type identification, application fingerprinting — trained on billions of PCAP sequences and running locally on the appliance GPU at 2.7+ Gbit/s. The exact sequence that emptied a hundred PeopleSoft servers — a host that historically only ingests suddenly opening an outbound SSH session to a never-seen IP, carrying a zstd-compressed archive, after a burst of internal SMB fan-out — is the behavioral signature the model is built to flag while it is happening, not in the next morning's SIEM digest. That is the egress record the auditor asks for. And the generative pentest pillar is what finds the exposed /PSEMHUB/hub on your perimeter, in a change-triggered campaign, before ShinyHunters runs the same scan you didn't.

A patch closes CVE-2026-35273. It does not answer the regulator. The organizations that came out of this campaign cleanest will be the ones who could say, on the wire and in the audit log, exactly what left — and prove it.

See how continuous compliance evidence and wire-speed traffic analysis fit together on the Zero Hunt platform, or get in touch.