At a glance: ShinyHunters’ exploitation of Oracle PeopleSoft has now been confirmed to involve a zero‑day in the Environment Management Hub (EMHub) component of PeopleTools. Newly identified exploitation methods include the use of crafted EMHub requests for code execution, deployment of JSP webshells, modification of EMHub configuration files, and installation of MeshCentral agents for persistence and lateral movement. Defensive priorities include disabling EMHub where possible, applying the patch, reviewing logs for exploitation attempts, and removing persistence artifacts.
Threat summary
On June 11, 2026, Google Cloud Threat Intelligence and Mandiant confirmed that ShinyHunters (UNC6240) exploited a zero‑day vulnerability, tracked as CVE-2026-35273, in a ransomware campaign targeting Oracle PeopleSoft.
The vulnerability affects the Environment Management Hub (EMHub), a PeopleTools component responsible for environment synchronization and metadata management.
As part of the intrusion, the threat actors abused both EMHub and the PeopleSoft Integration Gateway (PSIGW). They sent crafted requests to EMHub endpoints to trigger the vulnerability and leveraged the PSIGW `/PSIGW/HttpListeningConnector` endpoint to relay and amplify those requests, enabling server-side request forgery and remote code execution.
Once inside, the actors deployed webshells, altered EMHub configuration files to execute code on restart, and created new directories to support staging and persistence. Mandiant also observed attempts to force outbound Server Message Block (SMB) traffic over TCP port 445 to attacker-controlled infrastructure, indicating efforts to capture credentials or establish secondary communication channels.
ShinyHunters deployed MeshCentral remote management agents, which provided persistent remote access and were used to move laterally using shared administrative credentials and predictable internal naming conventions.
Authentication logs from affected systems showed credential spraying and repeated access attempts across PeopleSoft nodes.
Oracle has confirmed that CVE-2026-35273 affects only the EMHub component in PeopleTools 8.61 and 8.62 and released a security alert on June 10 containing the required patch.
Analysis
Disabling the Environment Management Hub (EMHub) when it is not required, restricting it to internal administrative networks where required, and blocking external access to EMHub and PeopleSoft Integration Gateway (PSIGW) endpoints all limit exposure to CVE-2026-35273.
Organizations should apply the CVE-2026-35273 patch immediately and ensure all PeopleSoft components are running supported versions. Applying Oracle Critical Patch Updates on schedule remains essential for maintaining a secure deployment and closing the underlying vulnerability.
Blocking outbound Server Message Block (SMB) traffic over TCP port 445 from PeopleSoft servers further reduces the risk of credential capture and unauthorized external connections. Organizations should also perform thorough log reviews, investigate suspicious POST requests to EMHub and PSIGW endpoints, and examine file systems for unauthorized JSP files, new directories, or modified configuration files.
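One way to perform the log review described above, as an added example that is not part of the original advisory: it triages web-tier access log lines for POSTs to EMHub and the PSIGW listening connector from outside an administrative network, and for requests to JSP paths missing from a known baseline. The PSIGW path is taken from the advisory; the EMHub servlet prefix (/PSEMHUB/), the admin network, the JSP baseline and the log lines are assumptions constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# PSIGW path is named in the advisory; the EMHub prefix, admin network and
# JSP baseline are assumptions for this example - adjust to your deployment.
PSIGW_PREFIX = "/PSIGW/HttpListeningConnector"
EMHUB_PREFIX = "/PSEMHUB/"
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]
KNOWN_JSP = {"/psp/ps/signon.jsp"}  # JSP files expected on this web tier
# Combined log format: client ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

@dataclass(frozen=True)
class Finding:
    src: str
    method: str
    path: str
    reason: str

def _is_admin(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_NETS)

def triage_access_log(lines):
    """Return findings for the request patterns the advisory describes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        src, method, path, _status = m.groups()
        base = path.split("?", 1)[0]  # drop query string before matching
        if method == "POST" and base.startswith(EMHUB_PREFIX) and not _is_admin(src):
            findings.append(Finding(src, method, path, "POST to EMHub from outside admin network"))
        elif method == "POST" and base.startswith(PSIGW_PREFIX) and not _is_admin(src):
            findings.append(Finding(src, method, path, "external POST to PSIGW listening connector"))
        elif base.lower().endswith(".jsp") and base not in KNOWN_JSP:
            findings.append(Finding(src, method, path, "request to JSP outside baseline (possible webshell)"))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.10.4.7 - - [11/Jun/2026:08:01:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.45 - - [11/Jun/2026:08:02:10 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1024',
    '203.0.113.45 - - [11/Jun/2026:08:02:11 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 2048',
    '10.10.4.7 - - [11/Jun/2026:08:03:00 +0000] "GET /psp/ps/signon.jsp HTTP/1.1" 200 4096',
    '203.0.113.45 - - [11/Jun/2026:08:05:44 +0000] "GET /psp/ps/images/help.jsp?page=1 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_LOG):
        print(f"{f.src} {f.method} {f.path} -> {f.reason}")
```

Run against the sample, the first line (admin-network POST) and the baseline signon.jsp request produce no finding; the three requests from 203.0.113.45 are flagged.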
Outbound traffic analysis is also required to identify MeshCentral agents and other persistence mechanisms, and credential hardening to remove compromised accounts and the shared administrative credentials used for lateral movement.
Only by combining these mitigations with comprehensive detection and cleanup efforts can organizations fully remediate this threat.