A critical unauthenticated remote-code-execution flaw in Oracle PeopleSoft, tracked as CVE-2026-35273, was exploited as a zero-day between May 27 and June 9, 2026, enabling the ShinyHunters extortion group to compromise more than 100 enterprise and government organizations worldwide. Two confirmed high-profile victims, Nissan North America and the National Association of Insurance Commissioners (NAIC), illustrate the breadth of the campaign and the seriousness of the underlying attack surface.
The Vulnerability: CVSS 9.8, Pre-Authentication, HTTP-Exploitable
Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 contain a critical flaw in the Updates Environment Management component. The vulnerability allows an unauthenticated attacker to compromise the entire PeopleSoft environment via a standard HTTP request, requiring no credentials whatsoever. Oracle assigned it a CVSS 3.1 score of 9.8 (Critical), reflecting the combination of network-level access, no privilege requirement, and full confidentiality, integrity, and availability impact.
Oracle released emergency patches on June 10, 2026, after the zero-day exploitation window had already closed. CISA added CVE-2026-35273 to the Known Exploited Vulnerabilities catalog with a mandatory remediation deadline of June 15, 2026, for federal civilian agencies under BOD 26-04.
A Two-Week Zero-Day Window
According to research published by Mandiant and the Google Threat Intelligence Group, ShinyHunters established staging infrastructure as early as May 27 and operated continuously until June 9, 2026, when open attacker directories were publicly reported and victim data appeared on the group’s Data Leak Site. The two-week window allowed systematic scanning and exploitation across exposed PeopleSoft instances, with US-based organizations as the primary target.
Mandiant’s analysis identified attack staging IP addresses in the 142.11.200.186 to 142.11.200.190 range and a command-and-control domain, azurenetfiles.net, named to resemble Microsoft Azure NetApp Files. Exfiltrated data was compressed using the zstd utility before being staged for transfer. Mandiant found that approximately 68 percent of successfully compromised organizations operated in the higher education sector, though the campaign extended materially into financial regulators and automotive manufacturers.
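The following triage pass is an added example, not code from Mandiant, Google or Oracle: it checks log lines against the staging range, command-and-control domain and exploitation window reported above. The log layout, the internal address 10.0.4.20 and the sample lines are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Indicators and dates as reported on this page (Mandiant / GTIG research).
FIRST = ipaddress.ip_address("142.11.200.186")
LAST = ipaddress.ip_address("142.11.200.190")
C2_DOMAIN = "azurenetfiles.net"
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 9, 23, 59, 59, tzinfo=timezone.utc))

# Constructed sample; assumed layout: "<UTC timestamp>Z <direction> <src> <dst> <detail>"
SAMPLE_LOG = """\
2026-05-29T03:14:07Z inbound 142.11.200.187 10.0.4.20 POST /constructed-path
2026-06-02T11:00:00Z outbound 10.0.4.20 files.azurenetfiles.net CONNECT 443
2026-06-03T09:30:00Z inbound 142.11.200.191 10.0.4.20 GET /
2026-06-04T08:00:00Z outbound 10.0.4.20 azurenetfiles.net.example.org CONNECT 443
2026-06-12T01:00:00Z outbound 10.0.4.20 azurenetfiles.net CONNECT 443
"""

def is_staging_ip(value):
    """True only for IPv4 addresses inside the reported staging range."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:  # hostnames and garbage are not addresses
        return False
    return ip.version == 4 and FIRST <= ip <= LAST

def is_c2_host(value):
    """Match the domain or any subdomain, but not lookalike suffixes."""
    host = value.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def triage(lines):
    """Return (line_no, reason, in_window) for each line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0].rstrip("Z")).replace(tzinfo=timezone.utc)
            src, dst = parts[2], parts[3]
        except (IndexError, ValueError):  # short line or unparsable timestamp
            continue
        if is_staging_ip(src) or is_staging_ip(dst):
            reason = "staging-ip"
        elif is_c2_host(dst):
            reason = "c2-domain"
        else:
            continue
        hits.append((n, reason, WINDOW[0] <= when <= WINDOW[1]))
    return hits
```

Hits outside the window are still returned, with `in_window` set to False, because a later connection to the same infrastructure is still worth reviewing.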
Nissan North America: Payroll and Identity Data Across Four Countries
Nissan disclosed the breach through a notification filed with the California Attorney General. According to that filing, threat actors accessed a range of sensitive employee data including contact information, banking and financial account details, Social Security numbers, Social Insurance numbers, National Identification numbers, tax records, and information about employee dependents and beneficiaries. The breach affects current and former Nissan employees across the United States, Canada, Mexico, and Brazil.
ShinyHunters claimed the campaign touched more than 300 PeopleSoft instances across 100 organizations. Mandiant independently confirmed that it notified more than 100 affected organizations during the investigation period, consistent with the scale the threat actor claimed.
NAIC: Insurance Regulatory Data at Risk, Scope Disputed
The National Association of Insurance Commissioners, which coordinates insurance oversight across all 50 US states and whose data systems are interlinked with financial filings from thousands of insurers, confirmed unauthorized access to its PeopleSoft environment on June 11, 2026. ShinyHunters subsequently published a claimed inventory of 3.1 terabytes of data comprising approximately 105,000 files, including regulatory filing documents from 2017 through 2024, infrastructure configuration files, and stored production credentials.
The NAIC disputed the severity of the exposure, stating that investigators found no evidence of personally identifiable information or financial data having been exposed, and characterizing the compromised materials as consisting primarily of already-public statutory reports, outdated logs, and configuration files. The organization published a security update on its website at content.naic.org/about/security-update.
Security leaders should note that this pattern of disputed scope is common in large-scale data extortion campaigns. Determining whether attacker-published archives are complete, partially redacted, or inflated in size requires detailed forensic review that can take weeks, leaving downstream partners and regulators uncertain about their own exposure in the interim.
ShinyHunters: A Broadening Target Profile
ShinyHunters is a financially motivated extortion group with a documented history of targeting cloud SaaS platforms. The group has previously compromised environments adjacent to Salesforce and Snowflake, and was linked to recent campaigns against educational software providers. The Oracle PeopleSoft campaign represents a meaningful expansion of the group’s target profile toward on-premises and hybrid enterprise HR and ERP systems that many security teams have historically treated as lower-risk than internet-facing web applications.
This broadening scope is consistent with a wider market shift among access brokers and extortion operators, who increasingly target the credential and identity data held in enterprise HR systems because it enables payroll diversion, targeted phishing, and downstream fraud at scale. CyberTech has previously covered how credential exposure from enterprise platforms feeds into ransomware access broker pipelines.
What This Means for the Security Leader
Verify patch status immediately
The June 15 CISA deadline was a federal mandate. Many enterprise organizations running PeopleTools 8.61 or 8.62 operate on longer patch cycles. Security teams should immediately confirm their PeopleSoft patch level against Oracle’s advisory. Any unpatched instance should be treated as potentially compromised and subjected to forensic review before returning to full operation.
Audit service accounts and integration credentials
ShinyHunters’ previous campaigns have leveraged dormant service accounts and integration tokens to maintain persistence after initial access is established. Organizations should conduct an immediate audit of all PeopleSoft service accounts, revoke credentials not actively required, and review access permissions granted to integration partners and vendors.
HR data breaches create immediate downstream fraud risk
Employee banking information, tax data, and government identification numbers enable payroll diversion attacks and highly targeted phishing against employees. Organizations confirmed in this breach, or those that were running unpatched PeopleSoft instances during the exploitation window, should notify employees promptly and consider proactive credit monitoring offers, even where breach scope remains under investigation.
Cloud-hosted instances were equally at risk
CVE-2026-35273 affected both on-premises and cloud-hosted Oracle PeopleSoft deployments. Organizations should not assume that cloud hosting provided automatic protection. Confirm patch status directly with Oracle account teams and obtain written confirmation that the June 10 emergency patch has been applied.