
Introduction:
A critical remote code execution vulnerability, CVE-2026-35273 (CVSS 9.8), is being actively exploited in the wild by the financially motivated threat actor Bling Libra, also known as ShinyHunters and tracked as UNC6240. This unauthenticated flaw in the Environment Management Hub (PSEMHUB) of Oracle PeopleSoft Enterprise PeopleTools, which has been exploited as a zero-day since late May 2026, has led to over 100 organizations being compromised, with over two-thirds of the victims being higher education institutions.
Learning Objectives:
- Understand the technical mechanics of CVE-2026-35273, a server-side request forgery (SSRF) leading to unauthenticated RCE.
- Identify indicators of compromise (IOCs) and attacker infrastructure used by ShinyHunters.
- Implement network-level detections and system hardening steps to mitigate this critical vulnerability.
You Should Know:
1. Vulnerability Deep Dive: CVE-2026-35273 – The PSEMHUB SSRF
This section explains what CVE-2026-35273 is and how it is exploited.
Step‑by‑Step Exploitation Analysis:
- Targeting the Component: The vulnerability resides in the Updates Environment Management component, specifically within the PeopleSoft Environment Management Hub (PSEMHUB).
- Sending the Malicious Request: An unauthenticated attacker with network access to the PSEMHUB endpoint crafts a specific HTTP request. The flaw is classified as a server-side request forgery (CWE-918), which allows the attacker to induce the server to make arbitrary outbound requests.
- Chaining the Exploit: In the observed attacks, ShinyHunters chained this SSRF with other known vulnerabilities in a “gadget chain” to achieve RCE.
- Gaining Access: Because the endpoint is unauthenticated, no credentials are needed at any point in the chain. The chain ends in arbitrary command execution with the privileges of the account running the PeopleSoft web tier, which in many deployments is SYSTEM or root, giving the attacker full control of the server.
- Deploying Backdoors: Post-exploitation, the attackers deploy legitimate remote management tools, such as MeshCentral agents, disguised as Microsoft Azure services for persistent command and control (C2).
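The mechanism behind CWE-918 is easier to see in code than in prose. The block below is an added illustration, not PeopleSoft or Oracle code and not a reproduction of the PSEMHUB flaw: a generic "vulnerable" target selector that fetches whatever URL the client hands it, beside a hardened selector that enforces scheme, allowlisted hostname, port, and (the step most SSRF fixes forget) checks that the name resolves into the network it is pinned to, so that DNS rebinding to loopback or the cloud metadata address is refused. The hostnames, the `ALLOWED_HOSTS` table and the `resolve` hook are assumptions for this example.

```python
"""Generic SSRF (CWE-918) guard: added example, not PeopleSoft/Oracle code.
Hostnames, pinned networks and the injectable resolver are assumptions."""
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: each outbound host the service may contact, pinned to
# the network its DNS records are expected to resolve into.
ALLOWED_HOSTS = {
    "updates.example.internal": ipaddress.ip_network("10.20.30.0/24"),
    "psemhub-peer.example.internal": ipaddress.ip_network("10.20.31.0/24"),
}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def vulnerable_target(url: str) -> str:
    """The CWE-918 shape: the server requests whatever the client supplied.
    Returned unchanged, so loopback, link-local metadata (169.254.169.254)
    or internal admin ports are all reachable through the server."""
    return url


def _default_resolve(host: str) -> list:
    """Real DNS lookup; the test injects a fake resolver so this runs offline."""
    return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})


def hardened_target(url: str, resolve=_default_resolve):
    """Return (allowed, reason). Each layer an SSRF payload abuses is checked:
    scheme, embedded credentials (user@host tricks), hostname allowlist, port,
    and finally every resolved address, which must lie in the pinned network."""
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addresses = resolve(host)
    except OSError:
        return False, f"could not resolve {host}"
    if not addresses:
        return False, f"{host} resolved to nothing"
    pinned = ALLOWED_HOSTS[host]
    for ip in addresses:
        # Mixed-version comparisons are False, so an IPv6 answer is also refused.
        if ipaddress.ip_address(ip) not in pinned:
            return False, f"{host} resolved to {ip}, outside {pinned}"
    return True, f"{host} -> {addresses} within {pinned}"


if __name__ == "__main__":
    fake_dns = lambda h: ["10.20.30.5"]  # constructed answer, no network needed
    print(vulnerable_target("http://127.0.0.1:7001/console"))
    print(hardened_target("https://updates.example.internal/patch", fake_dns))
    print(hardened_target("https://updates.example.internal/", lambda h: ["127.0.0.1"]))
```

When the fetch is actually made, connect to the address that passed the check (not to the name again), send the original `Host` header, disable redirect following (a 302 to `127.0.0.1` is the classic bypass of a URL-only check) and set short timeouts.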
2. Detection: How to Identify Compromised PeopleSoft Servers
This section provides actionable commands and steps to detect potential exploitation of CVE-2026-35273.
Step‑by‑Step Detection Guide:
- Monitor Web Server Logs for Suspicious URIs: The `/PSIGW/HttpListeningConnector` path is the Integration Gateway's inbound listening connector and has been directly associated with this campaign and related exploit chains. It is also used by legitimate integrations, so triage hits by source address, timing and response code rather than treating every request as malicious. Use the following `grep` command on Linux to search your access logs:
sudo grep -E "/PSIGW/HttpListeningConnector" /path/to/peoplesoft/access.log
- Check for MeshCentral C2 Communication: ShinyHunters deployed MeshCentral agents hardcoded to connect to their C2 server. On Windows, search for the renamed agent binary itself with `dir` (`findstr` searches file contents, not file names), then use `findstr` to find service definitions, task XML or scripts that reference it:
dir /s /b C:\path\to\scan\meshagent64-azure-ops.exe
findstr /s /i /m "meshagent64-azure-ops.exe" C:\path\to\scan\*
Additionally, check established connections to the C2 endpoint `wss://azurenetfiles.net:443/agent.ashx`. `Get-NetTCPConnection` reports IP addresses, not host names, so resolve the domain first and match on the result in PowerShell:
$c2 = (Resolve-DnsName azurenetfiles.net -Type A).IPAddress
Get-NetTCPConnection -State Established | Where-Object { $c2 -contains $_.RemoteAddress } | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,OwningProcess
Because the attacker can re-point the domain at any time, also search `Get-DnsClientCache`, proxy and DNS server logs for the host name `azurenetfiles.net` rather than relying on the current IP alone.
- Audit for Credential Spraying Activity: The attackers deployed a custom SSH credential spraying script. A spray looks different from a brute force: one source IP, many distinct usernames, few attempts per user. On Linux, check `/var/log/auth.log` or `/var/log/secure` for failed SSH logins grouped by source address. The IP is extracted by pattern rather than by field number, because sshd shifts the fields for `invalid user` lines:
sudo grep "Failed password" /var/log/secure | grep -oE "from [0-9a-fA-F.:]+" | awk '{print $2}' | sort | uniq -c | sort -nr
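The two `grep` one-liners above each answer one question. The script below, an added example that is not part of the original post or of any vendor tooling, runs both checks as reusable functions over constructed sample log lines (documentation-range IPs, invented host names): it groups listening-connector requests by source address, and it separates an SSH password spray (many distinct users from one address) from a single user mistyping a password, which the raw count of `Failed password` lines does not do.

```python
"""Log triage for the indicators above: PSIGW hits and SSH spraying.
Added example; all log lines below are constructed, not real captures."""
import re
from collections import defaultdict

PSIGW_URI = "/PSIGW/HttpListeningConnector"

# Constructed access-log lines in common log format (not real traffic).
ACCESS_LOG = """\
198.51.100.7 - - [03/Jun/2026:02:14:11 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512
203.0.113.9 - - [03/Jun/2026:02:14:13 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 8801
198.51.100.7 - - [03/Jun/2026:02:14:20 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 500 0
"""

# Constructed sshd lines; note the "invalid user" form shifts the fields.
SSH_LOG = """\
Jun  3 02:20:01 psapp01 sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jun  3 02:20:02 psapp01 sshd[4102]: Failed password for root from 198.51.100.7 port 51235 ssh2
Jun  3 02:20:03 psapp01 sshd[4103]: Failed password for invalid user oracle from 198.51.100.7 port 51236 ssh2
Jun  3 02:20:04 psapp01 sshd[4104]: Failed password for invalid user psadm2 from 198.51.100.7 port 51237 ssh2
Jun  3 02:20:05 psapp01 sshd[4105]: Failed password for invalid user weblogic from 198.51.100.7 port 51238 ssh2
Jun  3 02:21:00 psapp01 sshd[4110]: Failed password for jdoe from 203.0.113.9 port 40001 ssh2
Jun  3 02:21:30 psapp01 sshd[4111]: Failed password for jdoe from 203.0.113.9 port 40002 ssh2
Jun  3 02:22:00 psapp01 sshd[4112]: Accepted password for jdoe from 203.0.113.9 port 40003 ssh2
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def psigw_hits(log_text: str) -> dict:
    """Map source IP -> list of (timestamp, method, status) for requests whose
    path (query string stripped) starts with the listening-connector URI."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.startswith(PSIGW_URI):
            hits[m.group("ip")].append((m.group("ts"), m.group("method"), int(m.group("status"))))
    return dict(hits)


def ssh_spray(log_text: str, min_users: int = 3, min_failures: int = 4) -> dict:
    """Flag source IPs whose failures span many distinct usernames (a spray),
    as opposed to one user retrying. Thresholds are assumptions to tune."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return {
        ip: {"failures": len(users), "distinct_users": sorted(set(users))}
        for ip, users in failures.items()
        if len(users) >= min_failures and len(set(users)) >= min_users
    }


if __name__ == "__main__":
    for ip, reqs in psigw_hits(ACCESS_LOG).items():
        print(f"PSIGW: {ip} made {len(reqs)} request(s): {reqs}")
    for ip, info in ssh_spray(SSH_LOG).items():
        print(f"SSH spray: {ip} {info['failures']} failures across {info['distinct_users']}")
```

Run it against real files by replacing the two constants with `open(path).read()`; lowering `min_users` to 1 turns the spray check into a plain failed-login counter, which is what the original one-liner measured.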
3. Network-Based Mitigation and Firewall Hardening
This section details how to block the attack at the network perimeter.
Step‑by‑Step Network Hardening Guide:
- Restrict Access to PSEMHUB: The most immediate mitigation is to block external access to the PeopleSoft Environment Management Hub. It exists to serve Change Assistant and the Environment Management agents, which run on administrative hosts, so it should only be reachable from that network; expose it at the perimeter or load balancer only if an external consumer is documented, and stop it entirely if the Environment Management Framework is not in use.
- Implement WAF Rules: Deploy web application firewall (WAF) rules to block malicious patterns associated with this SSRF. If using ModSecurity, a rule that denies the listening-connector path looks like this:
SecRule REQUEST_URI "@beginsWith /PSIGW/HttpListeningConnector" "id:10001,phase:1,deny,status:403,log,msg:'Blocked PeopleSoft PSIGW URI'"
Note that `/PSIGW/HttpListeningConnector` is the Integration Gateway's inbound endpoint, so this blanket block also breaks legitimate integrations. Use it as written only if no external partner sends messages to the gateway; otherwise chain it with a `REMOTE_ADDR` condition that exempts the partner addresses.
- Block Known Malicious IPs and Domains: Immediately block all communication to and from the identified staging infrastructure IP addresses and the C2 domain. Linux iptables example to block a malicious range in both directions:
sudo iptables -A INPUT -s 45.142.212.0/24 -j DROP
sudo iptables -A OUTPUT -d 45.142.212.0/24 -j DROP
On Windows, use `New-NetFirewallRule` in an elevated PowerShell:
New-NetFirewallRule -DisplayName "Block ShinyHunters C2" -Direction Outbound -RemoteAddress 45.142.212.0/24 -Action Block
IP blocks alone do not survive the attacker re-pointing the domain, so also add the C2 domain to your DNS sinkhole or proxy denylist.
4. System Hardening: Oracle PeopleTools and WebLogic Security
This section focuses on securing the underlying PeopleSoft infrastructure.
Step‑by‑Step System Hardening Guide:
- Apply Oracle’s Emergency Patch: Oracle has released an out-of-band security alert. Apply the patch for CVE-2026-35273 to all affected PeopleTools versions (8.61, 8.62, and earlier unsupported versions) immediately.
- Secure WebLogic Server: The PeopleSoft application relies on WebLogic. Ensure that the WebLogic administration port is not exposed to the internet and that strong passwords are configured for all default accounts, including `weblogic` and `system`.
- Enforce Principle of Least Privilege: Review and restrict all PeopleSoft user, role, and permission list configurations. The `SYSADM` database account should never be used for routine application access.
- Harden the Database Tier: The PeopleSoft database should not be directly accessible from untrusted networks. Implement strict firewall rules to only allow database traffic from the application server tier.
5. Post-Exploitation Remediation: Eradicating MeshCentral Backdoors
This section outlines steps to remove backdoors and restore system integrity.
Step‑by‑Step Remediation Guide:
- Identify and Terminate Malicious Processes: Scan all servers for running processes named `meshagent64-azure-ops.exe` or similar and terminate them. On Linux the agent binary is simply `meshagent`, typically installed under `/usr/local/mesh_services/`. Before killing it, copy the binary and its `.msh` configuration for forensics, and confirm the host has no sanctioned MeshCentral deployment. Linux commands to find and kill MeshCentral agent processes:
ps aux | grep -i '[m]eshagent'
sudo pkill -f meshagent
- Remove Persistence Mechanisms: Check common startup locations and scheduled tasks for persistence.
– Linux: Review /etc/crontab, /etc/systemd/system/, and user crontabs.
– Windows: Use `schtasks` to list and delete suspicious scheduled tasks.
schtasks /query /fo LIST /v | findstr /i "meshagent"
schtasks /delete /tn "MaliciousTaskName" /f
- Rotate All Credentials: The attackers ran a credential-spraying script against SSH, and any credential stored on a compromised PeopleSoft host (configuration files, connection strings, the `SYSADM` database password) must be assumed captured. Immediately rotate passwords for all user accounts, service accounts, the `SYSADM` database account, and all WebLogic administrative credentials.
- Conduct a Full Forensic Investigation: Assume the environment is fully compromised. A complete rebuild of the affected PeopleSoft servers from a known-clean backup is the safest course of action to guarantee no hidden backdoors remain.
What Undercode Say:
- The Shifting Ransomware Landscape: The use of legitimate remote management tools like MeshCentral by groups like ShinyHunters highlights a major trend. This abuse of sanctioned tooling, often grouped with “living-off-the-land” (LotL) techniques, evades signature-based antivirus and frequently passes endpoint detection and response (EDR) because the agent is a signed, widely deployed administration tool. It blends malicious traffic with legitimate administrative activity and makes it difficult for SOC teams to differentiate between an attacker and a sysadmin. Organizations must move towards strict application allowlisting and behavioral analytics.
- The Persistent Danger of Legacy ERP Systems: Higher education institutions were the primary victims because they often rely on complex, long-deployed ERP systems like PeopleSoft, which are difficult and expensive to patch and modernize. This attack serves as a critical reminder that these systems, which house the most sensitive HR and student data, are a high-value, soft target for sophisticated attackers. A shift from periodic patching to continuous threat exposure management (CTEM) is no longer optional but essential for these sectors.
Prediction:
- The exploitation of CVE-2026-35273 will lead to a surge in follow-on ransomware and extortion attacks against the education sector once a public proof-of-concept appears and other threat actors replicate ShinyHunters’ tactics.
- Insurance premiums for higher education institutions, and any organization running legacy ERP systems, will see a sharp increase. Insurers will mandate stringent, real-time patching SLAs and proof of network segmentation for PeopleSoft environments as a baseline for coverage.
- In response to this and similar zero-day events, we will see accelerated adoption of “patchless protection” technologies and virtual patching solutions (e.g., via WAF and micro-segmentation) as a compensating control for critical but unpatchable legacy systems.
- The use of MeshCentral as a C2 vector will prompt Microsoft and other cloud providers to tighten their policies and implement detections for unauthorized remote management tools within their cloud environments, potentially impacting legitimate administrative use cases.
- Publicly disclosed indicators of compromise and attack patterns will empower open-source detection tools (e.g., Sigma rules, YARA rules) to quickly incorporate detections for this campaign, allowing more agile defenders to catch up without waiting for vendor signatures.
IT/Security Reporter URL:
Reported By: Shinyhunters Share – Hackers Feeds


