CyberBytes Daily

Trending cyberattacks, explained simply.

critical vulnerability

How attackers used a university's own HR software to steal 450,000 student records before the vendor knew the door was open

The attack did not break through a firewall. It walked through a door that the application server itself held open, one that Oracle's own security hardening had never thought to close. A group called ShinyHunters discovered that two components inside Oracle PeopleSoft, the HR, payroll, and student-records platform used by hundreds of universities and enterprises worldwide, could be tricked into trusting each other in a way that handed attackers full control of the server. No login required.

From May 27 to June 9, 2026, ShinyHunters exploited this flaw across 300 PeopleSoft installations at more than 100 organizations, the majority of them universities. Oracle did not publish a patch until June 10, two weeks after exploitation began and one day after stolen data was already appearing on ShinyHunters' public leak site. The University of Nottingham is the first confirmed victim: 40 gigabytes of data covering approximately 450,000 to 500,000 current and former students, including passport numbers, home addresses, and details on ethnicity and disabilities, published online after the university reportedly declined to pay.

The detail that should keep security teams awake is not the scale. It is the invisibility. The final step of the attack, the moment the server executes the attacker's commands, produces no child process, no outbound network beacon, and no log entry that standard behavioral detection tools are built to catch. The code runs silently inside the Java Virtual Machine on a routine server restart. By the time anyone looks, the attacker has already moved on to the next host.

Narrative · 6 min read

The Context

Oracle PeopleSoft is one of the most widely deployed enterprise resource planning (ERP) platforms in the world. Universities use it to manage student records, financial aid, and enrollment. Corporations use it for HR, payroll, and supply chain operations. Because PeopleSoft holds some of the most sensitive data an organization collects—including Social Security numbers, salary information, passport details, and medical accommodation records—it has long been a high-value target. Most PeopleSoft deployments run on-premises, meaning the organization, not Oracle, is responsible for keeping the software patched and the network perimeter configured correctly.

The Attack, Phase by Phase

Phase 1: Building the Infrastructure

Before touching a single victim, ShinyHunters spent the evening of May 27, 2026 building their operational platform. Starting at 22:14 UTC, they configured five staging servers with sequential IP addresses (142.11.200.186 through 142.11.200.190) and installed MeshCentral, a legitimate open-source remote management tool, as their C2 platform. They then used an npm package called acme-client to provision SSL certificates from Let's Encrypt for a domain registered to mimic a Microsoft service: azurenetfiles.net. Pre-built remote management agents named meshagent64-azure-ops.exe were staged and hardcoded to call home to wss://azurenetfiles.net:443/agent.ashx.

The attackers left their staging directories publicly accessible. That mistake allowed Mandiant and Google's Threat Intelligence Group to recover identical .bash_history files from all five servers, reconstructing the entire operation in detail.

[Infographic: Attacker staging infrastructure]
  1. Five staging servers configured: IPs 142.11.200.186-190, port 8888
  2. MeshCentral v1.1.59 installed: legitimate tool repurposed as C2
  3. SSL cert provisioned via Let's Encrypt: the acme-client npm package automates this
  4. Masquerade domain registered: azurenetfiles.net mimics Microsoft Azure
  5. Agent binaries pre-staged: meshagent64-azure-ops.exe hardcoded to the C2
  Caption: Attackers left staging directories open, giving investigators a complete operational record

Phase 2: Exploiting the Zero-Day

The vulnerability, CVE-2026-35273, exploits a trust relationship between two PeopleSoft components that were never supposed to communicate across an untrusted network.

PeopleSoft exposes a public-facing endpoint at /PSIGW/HttpListeningConnector—the Integration Gateway, designed to accept inbound messages from external systems. Separately, an internal management component called the Environment Management Hub (PSEMHUB) is accessible at /PSEMHUB/hub. The PSEMHUB is supposed to be internal-only, protected by an IP allowlist.

The exploit works by sending a crafted request to the public Integration Gateway. The gateway relays that request internally to the PSEMHUB. Because the relay originates from the application server itself, the IP allowlist sees a trusted internal address and passes it through. The attacker has used the server as a proxy to reach a component never meant to be externally accessible.

That SSRF pivot is the first step. The second is what makes it dangerous. The relayed payload writes a malicious XML file into envmetadata/data/environment/. When the WebLogic application server restarts, a standard Java process called XMLDecoder reads that file and executes the embedded commands. No child process is spawned. No outbound connection is made. The code runs silently inside the JVM. Standard behavioral detection tools—built to flag patterns like "Java spawned a command shell"—see nothing.

[Infographic: The SSRF-to-XMLDecoder exploit chain]
  1. Crafted POST to public endpoint: /PSIGW/HttpListeningConnector
  2. Gateway relays request internally: server acts as its own proxy
  3. IP allowlist bypassed: request appears to come from a trusted host
  4. Malicious XML written to disk: envmetadata/data/environment/ directory
  Caption: No child process spawned. No outbound beacon. Behavioral detection sees nothing.

Phase 3: Moving Through the Network

With a foothold established, attackers deployed their pre-built MeshCentral agents to compromised hosts, then read PeopleSoft's own configuration files to map the internal environment: psappsrv.cfg revealed machine names, IP addresses, and credentials; WebLogic's config.xml revealed connected systems; /etc/hosts revealed internal network topology.

A custom script named after each victim (e.g., [victim]_fanout.sh) was written to /tmp and used to spray common administrative passwords across internal PeopleSoft hosts. When password attempts failed, attackers tried SSH key-based authentication. Successful compromise was marked by dropping a ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories.

[Infographic: Post-exploitation inside the victim network]
  1. MeshCentral agent deployed: beacons to azurenetfiles.net:443
  2. PeopleSoft config files read: psappsrv.cfg, config.xml, /etc/hosts
  3. SSH credential spraying: fanout.sh targets internal hosts
  4. Ransom note dropped: README-IF-YOU-SEE-THIS file placed
  Caption: Attackers used PeopleSoft's own configuration files as a map of the internal network

Phase 4: Exfiltration and Extortion

Stolen data was compressed using zstd and exfiltrated via outbound SSH to servers linked to the ShinyHunters leak site. On June 9, 2026—one day before Oracle published its advisory—ShinyHunters began posting stolen data publicly. The University of Nottingham's 40 GB dataset, covering approximately 450,000 to 500,000 students across its UK, Malaysia, and China campuses, was among the first published.

[Infographic: Exfiltration and public extortion]
  1. Data compressed with zstd: staged for efficient transfer
  2. Exfiltrated via outbound SSH: to ShinyHunters-linked servers
  3. Data posted to leak site: June 9, before Oracle's patch existed
  4. Extortion outreach begins: pay or more data gets published
  Caption: Stolen data was published one day before Oracle knew the vulnerability existed

What Made This Possible

  1. An internal component trusted the application server unconditionally. The PSEMHUB's IP allowlist was designed to block external attackers—not to handle the case where the application server itself was being used as a relay. The trust boundary existed at the network layer but not the application layer.

  2. The exploit produced no observable signal. Execution runs inside the JVM on a routine restart, with no child process and no outbound connection. The server looked normal right up until the attacker had already moved on.

  3. Oracle's prior hardening did not cover this path. Oracle had previously added serialization filters to block deserialization attacks—but those filters covered a different code path. The XMLDecoder path was not included, meaning fully patched installations of PeopleTools 8.61 and 8.62 were vulnerable.

The systemic lesson: hardening one attack path does not close adjacent paths that share the same underlying trust model.

What Should Have Stopped This

Every effective control below sits at a layer the compromised application cannot influence.

  • Network-layer isolation of management components. If /PSEMHUB/hub is unreachable from any host that can also reach /PSIGW/HttpListeningConnector, the SSRF pivot has nowhere to go. This is a firewall rule, not an application setting.
  • Egress filtering on application servers. The exploit triggered outbound SMB connections (TCP 445) to attacker-controlled servers, potentially leaking Windows machine-account credentials. Blocking outbound SMB at the network layer cuts this exposure.
  • File integrity monitoring on WebLogic directories. The attack writes a file to envmetadata/data/environment/ before execution. Monitoring that directory would flag the write before the next restart triggers it.
  • Treating patch timing as an investigation trigger. Exploitation began May 27; the patch arrived June 10. Patching closes the door—it does not tell you whether someone already came through.

The Takeaway

ShinyHunters ran this campaign for two weeks before Oracle knew the vulnerability existed, compromised 300 systems at more than 100 organizations, and published stolen data before a patch was available—without nation-state resources, without breaking encryption, and without specialized access. They found a structural flaw in how two components of a widely deployed platform trusted each other and industrialized the exploitation.

This is the same failure class as the Stryker Intune wipe: a management component trusted by the platform it runs on, weaponized against the organization it was built to protect. The security boundary existed at the wrong layer.

Pattern to remember: When a public-facing integration endpoint and an internal management component share a network path, the management component's access controls are only as strong as the integration endpoint's ability to refuse malicious relay requests.

What changed: Attackers can now execute code silently inside enterprise Java applications by writing files the JVM reads on restart—producing no process, no beacon, and no log entry that behavioral detection is built to catch.

Technical Deep Dive · 3 min

The Technical Mechanism

CVE-2026-35273 is a pre-authentication remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62. The exploit chain combines two weaknesses:

Link 1: SSRF via PSIGW (CWE-918)

The PeopleSoft Integration Gateway exposes /PSIGW/HttpListeningConnector as a public, unauthenticated HTTP endpoint. The gateway is designed to accept inbound integration messages and relay them to internal PeopleSoft components. An attacker sends a crafted HTTP POST to this endpoint with a destination targeting the internal Environment Management Hub servlet at /PSEMHUB/hub. The gateway relays the request as a loopback or internal connection. The PSEMHUB's validateClient() IP allowlist check evaluates the source as a trusted internal host and permits the request. The allowlist is enforced at the application layer and cannot distinguish between a legitimate internal relay and an attacker-controlled relay.
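Link 1 leaves a recognizable footprint in the web tier's own access log: a hub request from the server's own address a moment after an external POST to the gateway. The Python script below is an added example, not code from the article or from Oracle; it correlates constructed Common Log Format lines to surface that relay pattern and any hub request from a host outside the allowlist. The internal ranges, the PSEMHUB allowlist and the application server's own addresses are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed layout: internal ranges, hosts allowed to call PSEMHUB, and the
# addresses the application server uses when it talks to itself.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]
PSEMHUB_ALLOWLIST = [ip_network("10.20.0.0/24")]
APP_SERVER_SELF = {ip_address("127.0.0.1"), ip_address("10.20.0.5")}
RELAY_WINDOW = timedelta(seconds=10)  # max gap between gateway POST and relayed hub call

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one Common Log Format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ip_address(rec["src"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def in_any(addr, nets):
    return any(addr in n for n in nets)

def find_relay_suspects(lines):
    """(type, source, time) for hub requests that bypass or evade the allowlist."""
    recs = [r for r in map(parse_line, lines) if r]
    # External POSTs to the public gateway are the candidate relay origins.
    gateway_posts = [r for r in recs if r["method"] == "POST"
                     and r["path"].startswith("/PSIGW/HttpListeningConnector")
                     and not in_any(r["src"], INTERNAL_NETS)]
    alerts = []
    for r in recs:
        if not r["path"].startswith("/PSEMHUB/hub"):
            continue
        if r["src"] in APP_SERVER_SELF:
            # The server calling its own hub right after an external gateway POST is
            # the relay footprint; attribute the hub call to that external source.
            for g in gateway_posts:
                if g["ts"] <= r["ts"] <= g["ts"] + RELAY_WINDOW:
                    alerts.append(("suspected_psigw_relay", str(g["src"]), r["ts"].isoformat()))
                    break
        elif not in_any(r["src"], PSEMHUB_ALLOWLIST):
            alerts.append(("direct_hub_access", str(r["src"]), r["ts"].isoformat()))
    return alerts

SAMPLE_LOG = [  # constructed access-log lines
    '203.0.113.7 - - [27/May/2026:22:41:03 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512',
    '127.0.0.1 - - [27/May/2026:22:41:04 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 17',
    '10.20.0.9 - - [27/May/2026:22:45:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 88',
    '198.51.100.4 - - [27/May/2026:23:02:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 403 0',
    '127.0.0.1 - - [28/May/2026:01:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 88',
]
```

Run against SAMPLE_LOG, the first two lines produce a suspected relay attributed to 203.0.113.7, the fourth a direct-access alert, and the allowlisted agent and the lone self-request on May 28 produce nothing.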

Link 2: Java XMLDecoder deserialization (CWE-502, contributing to CWE-306)

The SSRF-delivered payload writes a malicious XML serialization block to envmetadata/data/environment/ on the WebLogic server's filesystem. On the next WebLogic application server restart (which may be triggered by the attacker or occur on a scheduled basis), the server's startup routine invokes Java's XMLDecoder to parse environment metadata files in that directory. XMLDecoder converts XML representations back into Java objects and, when processing attacker-controlled XML, executes arbitrary OS commands inside the JVM. Because execution occurs within the existing JVM process on restart rather than through a spawned child process, it produces no process-creation event and requires no outbound network connection, bypassing behavioral detection rules that monitor for patterns such as java.exe spawning cmd.exe or bash.

TrendMicro's Zero Day Initiative notes that Oracle's prior serialization-filter hardening addressed a different deserialization code path and did not cover XMLDecoder, leaving fully patched PeopleTools 8.61 and 8.62 installations vulnerable.

A secondary consequence: the exploit chain may trigger outbound SMB connections (TCP port 445) to attacker-controlled external hosts, potentially capturing Windows machine-account NetNTLM hashes via an NTLM relay or capture attack.

The /PSIGW/HttpListeningConnector path has a documented exploitation history: it appears in the CVE-2013-3821 exploit chain documented by Lexfo in 2017, and the adjacent PeopleSoftServiceListeningConnector under the same /PSIGW/ path was targeted by CVE-2017-3548 (XXE injection). ShinyHunters chained knowledge of these older gadget paths with the new zero-day.

[Infographic: CVE-2026-35273 technical exploit chain]
  1. HTTP POST to /PSIGW/ endpoint: unauthenticated, public-facing
  2. Gateway relays to /PSEMHUB/hub: SSRF, CWE-918
  3. validateClient() allowlist bypassed: source appears as trusted loopback
  4. Malicious XML written to disk: envmetadata/data/environment/
  5. WebLogic restart triggers XMLDecoder: CWE-502, untrusted deserialization
  6. OS commands execute inside JVM: no child process, no beacon, no log
  Caption: The entire chain requires no authentication and produces no behavioral signal at the execution step

CVE and Advisories

  • CVE-2026-35273: Oracle PeopleSoft Enterprise PeopleTools pre-authentication RCE. CVSS 9.8 (Critical). Affects PeopleTools 8.61 and 8.62.
  • Oracle Security Alert Advisory for CVE-2026-35273: Out-of-band advisory and emergency patch published June 10, 2026. Oracle credits Bobby Gould of TrendAI Zero Day Initiative.
  • CISA KEV entry: Added June 12, 2026 under Binding Operational Directive 26-04. Federal remediation deadline: June 15, 2026.
  • Related historical CVEs in the same attack surface: CVE-2013-3821 (PSIGW deserialization), CVE-2017-3548 (PSIGW XXE injection).

MITRE ATT&CK Mapping

Technique ID | ATT&CK name | How it appeared
T1190 | Exploit Public-Facing Application | Initial access via crafted HTTP POST to /PSIGW/HttpListeningConnector
T1599 | Network Boundary Bridging | SSRF used to relay requests from public endpoint to internal PSEMHUB servlet, bypassing IP allowlist
T1059 | Command and Scripting Interpreter | OS commands executed via Java XMLDecoder deserialization inside the WebLogic JVM
T1219 | Remote Access Software | MeshCentral v1.1.59 deployed as C2 platform, masquerading as Azure NetApp Files service
T1078 | Valid Accounts | Credentials extracted from psappsrv.cfg used for lateral movement via SSH
T1021.004 | Remote Services: SSH | fanout.sh script automated SSH credential spraying against internal PeopleSoft hosts
T1560 | Archive Collected Data | Stolen data compressed with zstd before exfiltration
T1048 | Exfiltration Over Alternative Protocol | Data exfiltrated via outbound SSH to ShinyHunters-linked servers
T1486 | Data Encrypted for Impact | Extortion model: data published on DLS after victims declined to pay

Indicators of Compromise

Network Indicators

  • Staging IP range: 142.11.200.186 through 142.11.200.190 (Python SimpleHTTP servers on port 8888)
  • C2 domain: azurenetfiles.net
  • C2 WebSocket endpoint: wss://azurenetfiles.net:443/agent.ashx
  • Outbound SMB (TCP port 445) connections to external destinations from PeopleSoft application servers
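An added example (not from the article) of applying the network indicators listed above, together with the egress rule from "What Should Have Stopped This" (no outbound SMB from application servers), to connection-log records. The log format, the internal range and the application-server addresses are assumptions; the records are constructed.

```python
from ipaddress import ip_address, ip_network

# Network indicators reported for the campaign.
STAGING_RANGE = (ip_address("142.11.200.186"), ip_address("142.11.200.190"))
C2_DOMAINS = {"azurenetfiles.net"}
# Assumed: the PeopleSoft application servers and the ranges that count as internal.
PEOPLESOFT_APP_SERVERS = {ip_address("10.20.0.5"), ip_address("10.20.0.6")}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

def parse_conn(line):
    """Constructed connection-log format: '<ts> <src> <dst> <dport> <proto> <host-or-dash>'."""
    ts, src, dst, dport, proto, host = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "dport": int(dport), "proto": proto.lower(),
            "host": None if host == "-" else host.lower().rstrip(".")}

def matches_c2_domain(host):
    """True for the C2 domain itself or any host beneath it."""
    return host is not None and any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def classify(conn):
    """Names of the indicators one connection record matches (empty list if none)."""
    hits = []
    if STAGING_RANGE[0] <= conn["dst"] <= STAGING_RANGE[1]:
        hits.append("staging-ip")
    if matches_c2_domain(conn["host"]):
        hits.append("c2-domain")
    # Egress rule: an application server should never speak SMB to the outside world.
    if (conn["src"] in PEOPLESOFT_APP_SERVERS and conn["proto"] == "tcp"
            and conn["dport"] == 445 and not any(conn["dst"] in n for n in INTERNAL_NETS)):
        hits.append("outbound-smb-from-app-server")
    return hits

def scan(lines):
    """(ts, src, dst, hits) for every record that matches at least one indicator."""
    out = []
    for conn in map(parse_conn, lines):
        hits = classify(conn)
        if hits:
            out.append((conn["ts"], str(conn["src"]), str(conn["dst"]), hits))
    return out

SAMPLE_CONN_LOG = [  # constructed records
    "2026-06-01T10:00:00Z 10.20.0.5 142.11.200.187 8888 tcp -",
    "2026-06-01T10:00:05Z 10.20.0.5 203.0.113.40 443 tcp azurenetfiles.net",
    "2026-06-01T10:00:09Z 10.20.0.5 198.51.100.9 445 tcp -",
    "2026-06-01T10:01:00Z 10.20.0.5 10.20.0.50 445 tcp -",
    "2026-06-01T10:02:00Z 10.20.0.9 203.0.113.41 443 tcp updates.example.com",
]
```

The fourth record (SMB to an internal file share) and the fifth (ordinary HTTPS from a non-application host) are deliberately left unflagged.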

File Indicators

  • meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe (MeshCentral agents hardcoded to C2)
  • /tmp/[victim_abbreviation]_fanout.sh (victim-specific SSH spraying script)
  • README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in WebLogic and Process Scheduler directories
  • Unexpected XML files in envmetadata/data/environment/ directory

Detection Notes

The execution step (XMLDecoder parsing on WebLogic restart) produces no child process and no outbound beacon. Behavioral detection tools that rely on process-creation events will not flag the execution itself. File integrity monitoring on envmetadata/data/environment/ is the most reliable pre-execution detection control. Post-exploitation MeshCentral traffic to azurenetfiles.net on port 443 may appear as legitimate HTTPS to network monitoring tools without TLS inspection.
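The file integrity control named above, as an added example (not the article's or Oracle's code): a baseline-and-diff scan of envmetadata/data/environment/ that triages every new or modified XML file for XMLDecoder markers, so the write is caught before the next restart can act on it. The directory contents in demo() are constructed, and the ProcessBuilder reference there is only a detection marker, not a payload.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# An XMLDecoder document has a <java> root; these classes are the usual sign of a payload.
XMLDECODER_ROOT = "java"
SUSPICIOUS_CLASSES = {"java.lang.Runtime", "java.lang.ProcessBuilder"}

def snapshot(directory):
    """Relative path -> sha256 for every file under directory (the FIM baseline)."""
    out = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as f:  # metadata files are small; read whole
                out[os.path.relpath(full, directory)] = hashlib.sha256(f.read()).hexdigest()
    return out

def xmldecoder_findings(path):
    """Reasons a file looks like an XMLDecoder payload; empty list if it looks clean."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return ["unparseable XML"]
    reasons = ["XMLDecoder document root"] if root.tag == XMLDECODER_ROOT else []
    reasons += [f"instantiates {el.get('class')}" for el in root.iter()
                if el.get("class") in SUSPICIOUS_CLASSES]
    return reasons

def diff_against_baseline(directory, baseline):
    """Alert on every file that is new, modified or deleted since the baseline."""
    current, alerts = snapshot(directory), []
    for rel, digest in sorted(current.items()):
        status = "new" if rel not in baseline else "modified" if baseline[rel] != digest else None
        if status is None:
            continue
        findings = xmldecoder_findings(os.path.join(directory, rel)) if rel.endswith(".xml") else []
        alerts.append({"file": rel, "status": status, "sha256": digest, "findings": findings})
    for rel in sorted(set(baseline) - set(current)):
        alerts.append({"file": rel, "status": "deleted", "sha256": baseline[rel], "findings": []})
    return alerts

def demo():
    """Constructed scenario: baseline one benign file, then a dropped XMLDecoder file appears."""
    d = tempfile.mkdtemp(prefix="envmetadata-")
    with open(os.path.join(d, "baseline-env.xml"), "w") as f:  # constructed, benign
        f.write('<environment><host name="psapp01"/></environment>')
    baseline = snapshot(d)
    with open(os.path.join(d, "dropped.xml"), "w") as f:  # constructed marker only, not a payload
        f.write('<java version="1.8" class="java.beans.XMLDecoder">'
                '<object class="java.lang.ProcessBuilder"/></java>')
    return diff_against_baseline(d, baseline)
```

In production the baseline is taken right after a known-good restart and stored off-host, and the diff runs on a schedule shorter than the restart cadence.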

Attribution

Mandiant and Google Threat Intelligence Group (GTIG) attribute the campaign with high confidence to UNC6240, their tracking cluster for ShinyHunters. TrendMicro's Zero Day Initiative refers to the same cluster as SHADOW-AETHER-015. ShinyHunters is a financially motivated, English-speaking, multi-national cybercrime collective active since 2020, with no confirmed nation-state sponsorship. The group operates within "The Com," a constellation of cybercrime-focused Discord and Telegram communities.

Attribution confidence is high. GTIG recovered identical .bash_history files from all five exposed staging servers, providing a complete operational record. Mandiant CTO Charles Carmakal confirmed active exploitation via LinkedIn on June 11, 2026.

Prior ShinyHunters campaigns include the 2024 Snowflake credential-stuffing campaign (165+ customers including Ticketmaster, AT&T, and Santander), the 2025 Salesforce vishing campaign (1.5 billion records claimed), and the 2026 Instructure Canvas breach. The PeopleSoft campaign represents a tactical escalation from social engineering and credential abuse to server-side zero-day exploitation of on-premises ERP software.


Primary Sources