Sentinel Brief

Nissan Data Breach and the Oracle PeopleSoft Zero-Day


Photo by Walls.io on Unsplash

It's June 9, 2026. Oracle's security team is finalizing its advisory, unaware that for the previous two weeks an automated exploitation script has been harvesting Windows authentication credentials from PeopleSoft installations across North America. By the time Nissan Americas' HR administrators begin their morning routines, the Social Security numbers, banking details, tax records, and payroll data of employees across the United States, Canada, Mexico, and Brazil already belong to a financially motivated threat group called ShinyHunters.

Rescana's supply chain risk analysis, published June 30, 2026, offers the most thorough multi-country regulatory impact assessment of this incident. BleepingComputer secured the direct attribution claim — ShinyHunters told the outlet they personally compromised "over 300 PeopleSoft instances across 100 organizations," a figure not confirmed elsewhere at the time of publication. Mandiant provided the technical exploitation chain and threat actor attribution. Taken together, these sources reveal a picture considerably more alarming than any single outlet conveyed alone.

The Threat: A Two-Week Head Start and Payroll Records Exposed

CVE-2026-35273 carries a CVSS score of 9.8 (Critical) and affects Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. The flaw sits inside the Updates Environment Management component and lets an unauthenticated attacker, meaning someone with no credentials or prior access, chain a Server-Side Request Forgery (SSRF) into full Remote Code Execution (RCE). In concrete terms: the attacker sends crafted requests to two endpoints, /PSEMHUB/hub and /PSIGW/HttpListeningConnector, that cause the PeopleSoft server to open an outbound SMB connection on TCP port 445 to a host the attacker controls. When the server tries to authenticate to that host it performs Windows NTLM authentication as the account the PeopleSoft service runs under, typically a domain service account. The attacker's listener records the NetNTLM challenge-response pair, which can be cracked offline to recover that account's password, or relays the live authentication to another server that does not enforce SMB signing, impersonating the service account there without ever learning the password.

Exploitation began May 27, 2026. Oracle's security advisory did not publish until June 10, 2026. That fourteen-day window is what makes this a zero-day: organizations had no vendor patch, no official indicators of compromise, and no sanctioned guidance while ShinyHunters, which Mandiant tracks as UNC6240, ran automated attack scripts and deployed the MeshCentral remote management tool disguised as a Microsoft Azure service, using command-and-control infrastructure registered at azurenetfiles[.]net.

Nissan Americas disclosed the resulting breach on June 25, 2026. Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative, the firm that originally reported the vulnerability, stated: "Currently, we're seeing limited exploitation, but our investigation" remains ongoing — a signal that the full scope of the campaign may not yet be known.

Blast Radius: Who's Actually Inside the Kill Zone

As of June 30, 2026, Mandiant's analysis found that 68% of the 100-plus affected organizations were in the higher education sector, with most victims concentrated in the United States. The University of Nottingham confirmed the single largest breach in the campaign: 454,600 current and former student records exposed, including passport numbers, ethnicity data, disability information, and academic enrollment details across campuses in the UK, Malaysia, and China, with more than 40 GB of data stolen in total.

Eastman Kodak acknowledged unauthorized third-party access on June 15, 2026, with ShinyHunters threatening to release more than 2.2 million corporate records unless ransom demands were met. CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog on June 12, 2026, with a June 15, 2026 enforcement deadline under Binding Operational Directive 26-04 — the federal government's public acknowledgment that this is active, serious exploitation, not theoretical risk.

[Chart: CVE-2026-35273 victim sector distribution across 100+ compromised organizations, per Mandiant analysis as of June 30, 2026: 68% higher education, 32% corporate/other. CVSS 9.8 places CVE-2026-35273 at the top of the critical severity band.]

Why This Escalation Should Change Your ERP Security Posture

Mandiant's attribution note is the part worth sitting with longest. UNC6240, the cluster tied to ShinyHunters, built its reputation on vishing (voice phishing, where attackers call employees and impersonate IT staff) and stolen SaaS authentication tokens: relatively low technical lift, high dependence on social engineering. What Mandiant characterized as a pivot to a "server-side zero-day in on-premises ERP software" is a meaningful capability upgrade. The group is no longer relying on talking a help desk employee into resetting a password. It is weaponizing unauthenticated code execution against infrastructure that organizations have historically treated as hardened, perimeter-protected, and implicitly trusted.

That assumption — that an ERP system sitting inside the corporate network is safe because it's inside the network — is precisely what this campaign exploited. And the supply chain dimension amplifies the blast radius further. Shared HR platforms, managed service providers hosting PeopleSoft for multiple clients, and universities serving tens of thousands of students across international campuses represent concentrated targets where one successful exploitation event cascades across multiple populations simultaneously. The 454,600-record breach at the University of Nottingham is the clearest illustration of that dynamic.

This escalation echoes a pattern that AI Shield Daily examined in the 581-vulnerability surge overwhelming open source security tooling — defenders are managing an expanding attack surface at the same moment threat actors are investing in technically sophisticated, automated exploitation at scale. The two trends compound each other.

The Defense Stack That Closes This Gap

Three control layers apply here. They are not interchangeable — skip one and the remaining two leave meaningful exposure.

Patch immediately. Oracle published the fix for CVE-2026-35273 on June 10, 2026. If any PeopleSoft PeopleTools 8.61 or 8.62 instance in your environment has not received that patch, that is the first action. Full stop. CISA's BOD 26-04 deadline of June 15, 2026 has already passed for federal agencies; private sector organizations should treat that date as a retrospective benchmark, not a future target.

Block outbound SMB at the firewall. The attack chain depends on the PeopleSoft server initiating an outbound SMB connection (TCP port 445, and 139 for SMB over NetBIOS) to an attacker-controlled host. Organizations that enforce egress filtering, blocking SMB originating from ERP servers to the internet and to any internal host not on an explicit allow-list, would have severed the NetNTLM capture stage before it completed. Audit the outbound rules for every HR and ERP system, at the network firewall and at the host firewall on the server itself, since an attacker with a foothold on another internal machine can stand up a listener inside the perimeter. These servers have no legitimate reason to initiate SMB connections to the public internet, and the internal hosts they do need (a file share for report output, for example) are few enough to enumerate.

Deploy behavioral anomaly detection tuned for SSRF patterns. AI-powered threat intelligence platforms were critical to early identification of this campaign. Mandiant's machine learning analysis flagged the azurenetfiles[.]net command-and-control infrastructure and identified the lateral movement associated with UNC6240's fanout.sh credential-spraying scripts before the wider security community knew exploitation was underway. Organizations running behavioral detection of SSRF (when an attacker tricks a server into making outbound requests on the attacker's behalf) on their ERP platforms had measurably earlier warning. The detection does not have to be sophisticated to be useful: an ERP application server talks to a small, stable set of peers, so a first-seen outbound connection from that server, above all on a port it never uses, is a high-signal event even without a model behind it. If your security stack does not watch server-initiated outbound connections from ERP systems at all, that is the gap this campaign exploited at scale.

Harden This Today

One control. Not a checklist.

Pull the outbound firewall rules for every PeopleSoft, SAP, Workday, or on-premises ERP instance on your network. Block all outbound connections on TCP ports 445 and 139 originating from those servers to any host not on an explicit allow-list. Log every blocked attempt. Alert on any match, because a blocked SMB attempt from an ERP server is not noise; it is the exploit firing into a closed door. This single egress control would have disrupted the NetNTLM capture stage of CVE-2026-35273's attack chain, and it works whether or not the patch has been applied yet. Compensating controls layer on top of patching; they do not substitute for it.

Ship this control today.

Frequently Asked Questions

What is CVE-2026-35273 and how does it work in plain terms?

CVE-2026-35273 is a critical-severity flaw (CVSS 9.8) in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 that allows an unauthenticated attacker, someone with no credentials whatsoever, to trick the PeopleSoft server into opening outbound network connections that leak the Windows NTLM authentication material of the account the PeopleSoft service runs as. Those credentials can then be cracked or relayed to impersonate that account and move deeper into the organization. Exploitation was active from May 27, 2026 onward, two weeks before Oracle's June 10, 2026 patch advisory.

Should I be worried about the Nissan data breach if I'm a current or former employee?

If you worked for Nissan Americas in the United States, Canada, Mexico, or Brazil, take the disclosure seriously. Nissan confirmed on June 25, 2026 that the breach exposed SSNs, banking details, tax records, and payroll data. Monitor your bank accounts and credit reports immediately. Consider placing a credit freeze with the three major bureaus — Equifax, Experian, and TransUnion. Be alert to phishing attempts that use your real personal data to appear credible; that is a common follow-on tactic after payroll data theft, because the attacker already knows your name, employer, and salary.

How do organizations protect against Oracle PeopleSoft vulnerability CVE-2026-35273 right now?

Three steps, in priority order. First, apply Oracle's June 10, 2026 security patch for PeopleTools 8.61 and 8.62 immediately. Second, block all outbound SMB traffic (TCP ports 445 and 139) originating from PeopleSoft and other ERP servers at the firewall; this disrupts the credential-capture stage of the attack. Third, hunt for indicators of compromise: search firewall and DNS logs for outbound connections to azurenetfiles[.]net and for any SMB session from an ERP server to an unfamiliar host, and review authentication logs for the PeopleSoft service account logging on to machines it does not normally touch. If you find evidence of compromise, preserve logs before any remediation step that could destroy forensic evidence, engage your incident response team, and rotate the password of the service account whose NTLM authentication was exposed, since patching alone does not invalidate a hash that has already been captured.
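The egress rule from the Defense Stack section and the log hunt in the step above share one piece of logic: "an ERP server opened SMB to a host it has no business talking to." The script below is an added example, written for this brief; it is not Oracle, Mandiant, CISA or Nissan code and was not part of the original reporting. It encodes the egress policy as a function, replays that policy over firewall flow logs to find what should have been blocked, matches DNS queries against the azurenetfiles[.]net indicator named above, and adds the non-ML version of the behavioral check: destinations an ERP host reached that never appeared in a pre-campaign baseline. The host addresses, allow-list, corporate range, key=value log formats and every log line are constructed assumptions so it runs offline.

```python
"""Egress policy check and log hunt for SMB coercion from ERP servers.

Added example for this brief; not Oracle, Mandiant, CISA or Nissan code.
Host inventory, allow-list, network ranges, log formats and all log lines
are constructed assumptions so the script runs offline.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory: PeopleSoft/ERP application servers (assumed addresses).
ERP_HOSTS = {"10.20.5.11", "10.20.5.12"}
# Constructed allow-list: the only SMB destinations those servers may reach.
# Keep it explicit; "anything RFC 1918" is not an allow-list once an attacker
# has a foothold on some other internal machine.
SMB_ALLOWED_DST = {"10.20.9.40"}
# Constructed corporate range, used only to rank a violation.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# SMB over TCP and SMB over the NetBIOS session service.
SMB_PORTS = {445, 139}
# C2 domain named in the reporting (defanged there as azurenetfiles[.]net).
IOC_DOMAINS = {"azurenetfiles.net"}

# Assumed log formats: key=value firewall flow records and a resolver query log.
FW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=tcp dport=(\d+) action=(\w+)")
DNS_RE = re.compile(r"client=(\S+) query=(\S+)")


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    line: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_egress(src: str, dst: str, dport: int) -> str:
    """Policy decision for one outbound TCP flow: 'allow' or 'block'.

    An ERP server may open SMB only to explicitly approved hosts; flows from
    non-ERP sources are outside this policy and pass through untouched.
    """
    if src in ERP_HOSTS and dport in SMB_PORTS and dst not in SMB_ALLOWED_DST:
        return "block"
    return "allow"


def hunt_firewall(lines: list[str]) -> list[Finding]:
    """Replay the egress policy over historical flow logs: what should have been blocked?"""
    findings = []
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if evaluate_egress(src, dst, dport) == "block":
            # SMB to the internet is the hash-capture stage itself; an unapproved
            # internal destination may be an attacker's relay box inside the perimeter.
            severity = "high" if is_internal(dst) else "critical"
            findings.append(Finding(severity, f"ERP host {src} opened SMB to {dst}:{dport} (firewall said {action})", line))
    return findings


def hunt_dns(lines: list[str]) -> list[Finding]:
    """Flag any client that resolved the C2 domain or a subdomain of it."""
    findings = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(Finding("critical", f"{client} resolved IoC domain {qname}", line))
    return findings


def new_destinations(baseline: list[str], current: list[str]) -> dict[str, list[str]]:
    """Behavioral check: peers an ERP host reached now but never during the baseline window."""
    def peers(lines: list[str]) -> dict[str, set[str]]:
        seen: dict[str, set[str]] = {}
        for line in lines:
            m = FW_RE.search(line)
            if m and m.group(1) in ERP_HOSTS and m.group(4) == "allow":
                seen.setdefault(m.group(1), set()).add(m.group(2))
        return seen

    base, cur = peers(baseline), peers(current)
    novel: dict[str, list[str]] = {}
    for host, dsts in cur.items():
        unseen = dsts - base.get(host, set())
        if unseen:
            novel[host] = sorted(unseen)
    return novel


# Constructed sample logs (not real traffic). The baseline predates the campaign.
BASELINE_FW = [
    "2026-05-01T03:00:00Z src=10.20.5.11 dst=10.20.9.40 proto=tcp dport=445 action=allow",
    "2026-05-01T03:00:05Z src=10.20.5.11 dst=10.20.7.15 proto=tcp dport=1521 action=allow",
]
CURRENT_FW = [
    "2026-05-28T09:14:02Z src=10.20.5.11 dst=10.20.9.40 proto=tcp dport=445 action=allow",
    "2026-05-28T09:14:07Z src=10.20.5.11 dst=203.0.113.57 proto=tcp dport=445 action=allow",
    "2026-05-28T09:14:09Z src=10.20.5.12 dst=10.20.3.8 proto=tcp dport=139 action=allow",
    "2026-05-28T09:15:00Z src=10.20.8.3 dst=203.0.113.57 proto=tcp dport=445 action=deny",
]
DNS_LOG = [
    "2026-05-28T09:13:58Z client=10.20.5.11 query=files.azurenetfiles.net.",
    "2026-05-28T09:14:30Z client=10.20.5.11 query=login.microsoftonline.com.",
]

if __name__ == "__main__":
    for f in hunt_firewall(CURRENT_FW) + hunt_dns(DNS_LOG):
        print(f"[{f.severity}] {f.reason}")
    print("new peers since baseline:", new_destinations(BASELINE_FW, CURRENT_FW))
```

Run against the constructed logs, the replay flags two flows the egress rule would have stopped (one to an internet address, one to an unapproved internal host on 139), the DNS hunt flags the single query under azurenetfiles.net, and the baseline comparison surfaces the same two destinations as first-seen peers without any knowledge of the indicator. The non-ERP host on 10.20.8.3 is deliberately not flagged by this policy, which is scoped to the ERP tier; widen ERP_HOSTS or add a second policy if you want to cover other server classes. The one thing a real deployment changes is the log parser: substitute your firewall's and resolver's formats, keep the three checks.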

In my analysis, the most significant signal in this incident isn't the breach count — it's the capability shift. When a group historically dependent on social engineering successfully deploys unauthenticated server-side exploitation at automated scale across 100-plus organizations before a patch exists, it marks a threshold crossing. The financial returns on this level of technical investment clearly penciled out for UNC6240. That means imitators will follow. ERP platforms are the next contested terrain in enterprise security, and most organizations' detection stacks were not tuned for it on May 27, 2026. The question is whether they will be on the day the next campaign starts.

Bottom line: Patch CVE-2026-35273, enforce outbound SMB egress filtering on your ERP servers, and stop treating your HR platform's network behavior as implicitly trusted. It isn't.

Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific environment and needs. Research based on publicly available sources current as of June 30, 2026.