Sentinel Brief

Oracle PeopleSoft Zero-Day: Nissan Breach Exposes 100+ Orgs

Key Takeaways
  • CVE-2026-35273, rated CVSS 9.8, is an unauthenticated remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 — exploited as a zero-day for 14 days before Oracle's emergency patch on June 10, 2026.
  • ShinyHunters compromised over 300 PeopleSoft instances across more than 100 organizations globally, with the education sector disproportionately targeted.
  • Nissan confirmed employee data exposed during the May 27–June 9, 2026 window includes Social Security numbers, banking details, payroll records, tax filings, and dependent/beneficiary information.
  • Any organization running unpatched PeopleTools 8.61 or 8.62 today carries the same live attack surface Nissan faced during those 14 days.

The Threat: A 14-Day Head Start With No Patch in Sight

14 days. That is how long ShinyHunters had to move through enterprise HR and payroll systems before Oracle could respond. According to reporting by BleepingComputer and corroborated via Google News, the extortion group began actively exploiting CVE-2026-35273 — a critical unauthenticated remote code execution flaw (a vulnerability that lets attackers execute malicious code on a remote server without any login credentials) in Oracle PeopleSoft — no later than May 27, 2026. Oracle's emergency out-of-band mitigation arrived June 10. In that window, as of June 30, 2026 according to ShinyHunters' own claims and Mandiant's independent analysis, over 300 PeopleSoft instances across more than 100 organizations were compromised globally.

Nissan North America is now a confirmed member of that list. The automaker disclosed that current and former employees in the US, Canada, Mexico, and Brazil had their most sensitive personal data exposed during the May 27 through June 9 exploitation period. The data categories are not peripheral: Social Security numbers, banking information, payroll records, tax data, and dependent and beneficiary records — a near-complete dossier for identity fraud.

The attack's technical anatomy is precise. As SecurityWeek reported, Rapid7 researchers classified CVE-2026-35273 as an SSRF-to-RCE vulnerability chain (a server-side request forgery flaw that escalates into full remote code execution), targeting two specific endpoints: /PSEMHUB/hub and /PSIGW/HttpListeningConnector. No authentication required. Oracle's own security alert, as of June 10, 2026, described the vulnerability as "remotely exploitable without authentication" and warned that successful exploitation "may result in remote code execution." The CVSS severity score — 9.8 out of 10 — reflects both the zero-authentication requirement and the complete system-level access the flaw enables.

Blast Radius: Who Is Actually Inside the Kill Zone

Oracle PeopleSoft is the enterprise backbone for HR, payroll, financial management, and student information systems at thousands of organizations worldwide. Every entity running PeopleTools 8.61 or 8.62 without the June 2026 Critical Patch Update is operating an exposed attack surface right now. The education sector bore a disproportionate share of the damage — universities comprised a majority of the 100-plus victim organizations, a pattern that prompted the FBI's Internet Crime Complaint Center to issue PSA 260515 in May 2026, warning specifically about ShinyHunters attacks targeting learning management systems in higher education.

The blast radius, however, extends well beyond campuses. Any enterprise using PeopleSoft for payroll or HR faces the same fundamental exposure. And the data category alone should recalibrate how organizations assess this risk: Social Security numbers combined with banking and tax records represent a complete identity dossier — one that enables immediate financial fraud and long-horizon identity theft simultaneously.

ShinyHunters PeopleSoft Campaign — Scope as of June 10, 2026
  • PeopleSoft Instances Compromised: 300+
  • Organizations Affected Globally: 100+
  • Days of Active Zero-Day Exploitation Before Patch: 14 days
Source: BleepingComputer / ShinyHunters claim / Mandiant analysis

Chart: Three dimensions of the Oracle PeopleSoft zero-day campaign — compromised system count, organizational footprint, and zero-day exploitation window — as reported by BleepingComputer and Mandiant, current as of June 10, 2026.

Mandiant's threat intelligence adds critical context to the actor profile. Google's Threat Intelligence Group described ShinyHunters, as of June 30, 2026, as "multiple threat clusters" operating under a single brand — and noted the group has evolved far beyond the opportunistic data theft operations they ran when they first surfaced in 2020. Their current toolkit includes, per Mandiant: "cloud misconfigurations, OAuth token theft via integration companies, supply chain attacks, zero-day exploits, voice phishing and other forms of advanced social engineering." Parallel campaigns have been confirmed against Salesforce, Google Workday, Coinbase, and luxury brands including Louis Vuitton, Gucci, and Adidas using similar methods. This is a mature, multi-vector extortion operation — not a smash-and-grab crew.

The Defense Stack That Closes This Gap

Three control layers need to work in sequence. The first is non-negotiable and has no workaround.

Technology control — patch immediately. Oracle released fixes for CVE-2026-35273 in its June 2026 Critical Patch Update and issued the emergency out-of-band mitigation on June 10. Any organization running PeopleTools 8.61 or 8.62 without this patch is carrying an unmitigated CVSS 9.8 attack surface. Nissan's post-incident remediation now requires VPN or on-site network access for payroll system changes — a reasonable compensating control (a secondary safeguard applied when the primary fix can't be deployed immediately), but one that should be treated as a bridge, not a destination. The patch closes the vulnerability; the VPN requirement only narrows access to the vulnerable endpoint.

Process control — segment and monitor ERP access. PeopleSoft instances exposed directly to the internet without a web application firewall or strict network segmentation present a fundamentally different risk profile than those behind a hardened gateway. The two vulnerable endpoints Rapid7 identified — /PSEMHUB/hub and /PSIGW/HttpListeningConnector — should be blocked at the network perimeter for any organization where external access to those paths isn't operationally required. Legitimate PeopleSoft operations rarely need those paths publicly reachable.

People control — threat hunt now, don't wait. The 14-day exploitation window means organizations that were compromised between May 27 and June 9 may not yet have confirmed it. Active threat hunting against PeopleSoft access logs for IOCs (indicators of compromise — the forensic fingerprints an attacker's tools leave in system logs) from this campaign is warranted regardless of whether a breach notification has been received. This is precisely the scenario where a tested incident response plan earns its overhead cost — knowing who to call, what evidence to preserve, and how to notify affected individuals within applicable legal timeframes is the difference between controlled disclosure and chaos.
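A starting point for that hunt, as an added example that is not part of the original article or any vendor tooling: it scans web-tier access logs for requests to the two endpoints named above during the disclosed window and groups them by source address. The Combined Log Format, UTC timestamps, the internal address ranges and the sample lines are assumptions or constructed data; the article publishes no campaign IOCs, so a hit means "review this request", not "confirmed compromise".

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# The two endpoints named in the article, lower-cased for comparison.
WATCHED = ("/psemhub/hub", "/psigw/httplisteningconnector")
# Disclosed exploitation period, May 27 through June 9, 2026 (UTC is an assumption).
START = datetime(2026, 5, 27, tzinfo=timezone.utc)
END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive bound
# Assumption: replace with your own internal address ranges.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Combined Log Format: client, ident, user, [time], "METHOD target proto", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(target):
    """Drop the query, percent-decode, lower-case, strip ;params, collapse slashes."""
    path = unquote(target.split("?", 1)[0]).lower()
    path = re.sub(r";[^/]*", "", path)
    return re.sub(r"/{2,}", "/", path)

def hunt(lines, start=START, end=END):
    """Group in-window requests to the watched endpoints by source address."""
    report = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = normalize(target)
        if not (start <= when < end) or not path.startswith(WATCHED):
            continue
        try:
            external = not any(ip_address(src) in net for net in INTERNAL)
        except ValueError:  # client field is a hostname, not an address
            external = True
        entry = report.setdefault(src, {"external": external, "hits": []})
        entry["hits"].append((when.isoformat(), method, path, int(status)))
    return report

# Constructed sample lines (documentation address ranges), not real campaign data.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [28/May/2026:03:14:09 +0000] "GET /psemhub//hub;x=1?a=b HTTP/1.1" 200 88 "-" "-"',
    '10.2.3.4 - - [01/Jun/2026:10:00:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 300 "-" "-"',
    '198.51.100.9 - - [12/Jun/2026:08:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.9 - - [30/May/2026:08:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/ HTTP/1.1" 200 900 "-" "-"',
]
```

Paths are normalized before matching so that encoded or mixed-case variants of the same endpoint are not missed, and the same normalization should be applied by any perimeter rule that blocks these paths.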

As AI Agents Daily noted in its coverage of the 581-vulnerability surge, the interval between patch release and patch deployment remains the single most weaponizable gap in enterprise security programs. ShinyHunters turned that gap into a 14-day exploitation window affecting over 100 organizations. The math is straightforward: patch velocity is a security control, not an IT housekeeping task.

AI-powered threat intelligence did play a role here — though a reactive one. Mandiant's pattern recognition across the ShinyHunters campaign enabled notification to the affected organizations after breach. But the more valuable intervention point was before exploitation reached exfiltration. Behavioral anomaly detection on authentication attempts to known PeopleSoft endpoints, tuned to flag SSRF chains, could have shortened that 14-day window considerably. That capability exists in commercially available data protection platforms today; the gap is deployment prioritization, not technology availability.

Ship This Control Today

One action. Not a checklist.

Run an inventory of every Oracle PeopleSoft instance your organization operates, manages, or has inherited through acquisition. For each instance running PeopleTools 8.61 or 8.62, confirm whether the June 2026 Critical Patch Update has been applied. If it has not, treat this as a P1 remediation — not next sprint, not the next scheduled change window. If the patch cannot be applied immediately, implement network-level blocks on the two vulnerable endpoints and restrict all PeopleSoft access to VPN-authenticated users, mirroring Nissan's compensating control. Then schedule the patch for the earliest feasible window and treat that date as a hard deadline.

If your organization doesn't operate PeopleSoft directly but relies on a third-party HR or payroll processor that does, send an inquiry today requesting written confirmation that CVE-2026-35273 has been patched in their environment. Supply chain exposure is documented in this campaign — ShinyHunters has a consistent pattern of exploiting integration partners and managed service providers to reach upstream targets. Third-party confirmation is not optional; it is part of sound vendor risk management practice.

Frequently Asked Questions

What is Oracle PeopleSoft used for and why was it a target?

Oracle PeopleSoft is an enterprise software platform used primarily for human capital management, payroll processing, financial management, and student information systems. Large employers and universities use it to store employee records, compensation data, tax documentation, and benefit information — making it a high-value target for extortion groups like ShinyHunters, who can monetize the sensitive data directly or use it as leverage in ransom negotiations. As of June 30, 2026, PeopleSoft Enterprise PeopleTools is deployed at thousands of organizations globally, including corporations, government agencies, and higher education institutions.

How do zero-day attacks work and why is a 14-day window so dangerous?

A zero-day vulnerability is a security flaw that has no available patch at the time attackers exploit it — they know about the flaw before the vendor can respond. CVE-2026-35273 was actively exploited beginning May 27, 2026, with Oracle's emergency mitigation not arriving until June 10 — a 14-day window in which defenders had no patch to deploy. During that period, any PeopleSoft instance reachable on the vulnerable endpoints was exploitable with no authentication required. The CVSS 9.8 severity score reflects both the zero-authentication barrier and the complete remote code execution capability the flaw provides to an attacker.

Who is ShinyHunters and how have they evolved as a threat group?

ShinyHunters first emerged around 2020 as a relatively straightforward data theft and resale operation targeting cloud storage and SaaS platforms. As of June 30, 2026, Mandiant and Google's Threat Intelligence Group describe them as "multiple threat clusters" operating under a shared brand, running a "pay or leak" extortion model against high-value targets. Their methods now span cloud misconfigurations, OAuth token theft, supply chain attacks, zero-day exploitation, and voice phishing. Confirmed victims across their recent campaigns include Coinbase, Salesforce, Google Workday, Nissan, and luxury brands including Louis Vuitton, Gucci, and Adidas.

What should I do if my SSN was exposed in the Nissan data breach?

If you are a current or former Nissan employee who received a breach notification, take these steps as of June 30, 2026: (1) Place a credit freeze with all three major bureaus — Equifax, Experian, and TransUnion — to prevent new accounts from being opened in your name; (2) Enroll in the IRS Identity Protection PIN program to block fraudulent tax return filings using your SSN; (3) Monitor bank accounts and payroll records for unauthorized changes; (4) Watch for Nissan's formal remediation offers, which typically include credit monitoring services following disclosures of this scope. Unlike a compromised password, an exposed Social Security number cannot be changed, making long-term monitoring a permanent precaution rather than a temporary one. Multiple class action lawsuits have been filed against Nissan North America following this disclosure — affected individuals may want to consult legal counsel regarding their options.

Disclaimer: This article is original editorial commentary for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your organization's specific security needs. Research based on publicly available sources current as of June 30, 2026.