Oracle PeopleSoft Zero-Day CVE-2026-35273: How a 9.8 CVSS Flaw Exposed Nissan Employee Data and What You Must Do Now

Introduction

The line between a patched vulnerability and a catastrophic data breach is often measured in days—and for Nissan, that window closed with devastating consequences. Between May 27 and June 9, 2026, threat actors exploited CVE-2026-35273, a critical zero-day vulnerability in Oracle PeopleSoft PeopleTools, to breach Nissan Americas’ employee management systems. The flaw, a missing-authentication vulnerability in the Updates Environment Management (PSEMHUB) component, requires no credentials and no user interaction—just network access to a vulnerable instance. With a CVSS score of 9.8 out of 10, this vulnerability enabled attackers to chain Server-Side Request Forgery (SSRF) into Remote Code Execution (RCE), compromising over 300 PeopleSoft instances across more than 100 organizations worldwide. Nissan’s breach exposed sensitive employee data including Social Security numbers, banking information, tax records, and dependent details across the United States, Canada, Mexico, and Brazil. This article dissects the attack chain, provides actionable detection and mitigation strategies, and offers hardened commands for security teams defending Oracle PeopleSoft environments.

Learning Objectives

  • Understand the technical mechanics of CVE-2026-35273, including the SSRF-to-RCE exploitation chain and why it bypasses authentication.
  • Learn how to detect indicators of compromise (IOCs) associated with ShinyHunters (UNC6240) activity, including MeshCentral implants and C2 infrastructure.
  • Master step-by-step patching, mitigation, and hardening procedures for Oracle PeopleSoft PeopleTools 8.61 and 8.62 environments.
  • Acquire practical Linux, Windows, and network-level commands to audit, block, and remediate vulnerable endpoints.
  • Develop incident response playbook entries for zero-day scenarios involving enterprise HR/payroll systems.

1. Understanding CVE-2026-35273: The SSRF-to-RCE Chain

CVE-2026-35273 resides in the Updates Environment Management component (PSEMHUB) of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The vulnerability stems from missing authentication on critical endpoints, allowing an unauthenticated attacker with network access via HTTP to compromise the entire PeopleSoft instance. The exploitation flow follows a two-stage chain:

Step 1 – SSRF Exploitation: Attackers send crafted XML payloads to `/PSIGW/HttpListeningConnector` with the SSRF target set to internal or external resources. This allows them to probe internal network services and enumerate sensitive configuration details.

Step 2 – Remote Code Execution: By chaining the SSRF with deserialization weaknesses, attackers achieve unauthenticated RCE, enabling arbitrary command execution with the privileges of the underlying operating system—often root or SYSTEM.

How to verify whether your instance is exposed:

```bash
# Linux - Check for presence of the vulnerable endpoint (-k skips certificate validation)
curl -k -I https://[peoplesoft-server]/PSEMHUB/hub
# If the response is HTTP 200 or 302, the endpoint is exposed
```

```powershell
# Windows (PowerShell)
Invoke-WebRequest -Uri "https://[peoplesoft-server]/PSEMHUB/hub" -Method Head
# Check StatusCode - if 200 or 302, proceed with immediate mitigation
```

```bash
# Network-wide scan using nmap
nmap -p 443 --script http-headers --script-args http-headers.path=/PSEMHUB/hub [target-subnet]/24
```

What this does: These commands test whether the PSEMHUB endpoint is reachable. If it answers, an unpatched PeopleTools 8.61 or 8.62 instance is exposed to CVE-2026-35273 and requires immediate action; a 403/404 or a refused connection indicates the endpoint is already blocked or removed, but patch status must still be confirmed separately.

2. The ShinyHunters Attack Campaign: TTPs and Indicators of Compromise

Mandiant and Google’s Threat Intelligence Group (GTIG) attributed the campaign to UNC6240, also known as ShinyHunters (Bling Libra), a financially motivated cybercrime collective. The group operated between May 27 and June 9, 2026, before Oracle released an emergency out-of-band patch on June 10. Their tactics, techniques, and procedures (TTPs) included:

  • Automated exploitation scripts targeting `/PSEMHUB/hub` and `/PSIGW/HttpListeningConnector` endpoints.
  • Deployment of MeshCentral remote management agents disguised as legitimate Microsoft Azure services (e.g., meshagent64-azure-ops.exe).
  • C2 communication routed to wss://azurenetfiles[.]net:443/agent.ashx, a domain masquerading as Azure NetApp Files.
  • Data exfiltration using zstd compression and lateral movement scripting.
  • Extortion markers in the form of ransom note files named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.

Key Indicators of Compromise (IOCs):

| Type | Indicator |
|------|-----------|
| IP | 142.11.200[.]186–190 (Staging/C2 infrastructure) |
| Domain | azurenetfiles[.]net (C2 masquerading as Azure) |
| SHA-256 | f02a924c9ff92a8780ce812511341182… (meshagent64-azure-ops.exe) |
| URL Path | `/PSEMHUB/hub` (Exploitation endpoint) |
| URL Path | `/PSIGW/HttpListeningConnector` (SSRF exploitation) |
| File | `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT` (Extortion marker) |

Detection commands:

```bash
# Linux - Search for the MeshCentral agent disguised as Azure and for the C2 domain in logs
sudo find / -name "meshagent64-azure-ops.exe" 2>/dev/null
sudo grep -r "azurenetfiles" /var/log/ 2>/dev/null
# Check for the extortion marker file
sudo find / -name "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" 2>/dev/null
```

```powershell
# Windows (PowerShell) - Search for malicious files and C2 connections
Get-ChildItem -Path C:\ -Recurse -Filter "meshagent64-azure-ops.exe" -ErrorAction SilentlyContinue
Get-WinEvent -LogName Security | Where-Object { $_.Message -match "azurenetfiles" }
```

What this does: These commands scan for known IOCs associated with the ShinyHunters campaign, helping incident responders quickly identify compromised hosts. The Windows Security log rarely records destination hostnames, so where Sysmon is deployed, its DNS query events (Event ID 22 in Microsoft-Windows-Sysmon/Operational) and network connection events (Event ID 3) are the better place to look for azurenetfiles[.]net and for connections to 142.11.200[.]186–190.
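As an added example (not from the article, and not tooling from Mandiant, Google or Oracle), the following Python script applies the IOCs listed above to web-tier access logs in the common combined format: it flags requests for the two exploitation endpoints after normalizing the path, requests from the published 142.11.200[.]186–190 range, and any line mentioning the C2 domain, and it provides a hash check that matches on the truncated SHA-256 prefix because the article publishes only that prefix. The log lines are constructed; the path-normalization rules and the output record layout are my own choices.

```python
import ipaddress
import re
from urllib.parse import unquote

# IOCs as listed in the article. The SHA-256 is only published there as a
# truncated prefix, so hash matching below is a prefix match, not a full match.
C2_ADDRESSES = {ipaddress.ip_address(f"142.11.200.{last}") for last in range(186, 191)}
C2_DOMAIN = "azurenetfiles.net"
MESHAGENT_SHA256_PREFIX = "f02a924c9ff92a8780ce812511341182"
EXPLOIT_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")

# Combined access-log format: client, identd, user, [time], "request line", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_path(target):
    """Reduce a request target to a comparable path: drop the query string,
    percent-decode, and collapse repeated slashes."""
    path = target.split("?", 1)[0]
    path = unquote(path)
    return re.sub(r"/+", "/", path)


def is_c2_ip(ip_text):
    """True if the client address is one of the published staging/C2 hosts."""
    try:
        return ipaddress.ip_address(ip_text) in C2_ADDRESSES
    except ValueError:
        return False  # malformed or non-IP client field


def hits_exploit_path(target):
    """True if the request targets one of the two exploitation endpoints."""
    path = normalize_path(target)
    return any(path == p or path.startswith(p + "/") for p in EXPLOIT_PATHS)


def hash_matches_ioc(sha256_hex):
    """Prefix match against the published (truncated) meshagent hash."""
    return sha256_hex.strip().lower().startswith(MESHAGENT_SHA256_PREFIX)


def hunt(log_lines):
    """Return one finding per suspicious access-log line, with the reasons it matched."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        reasons = []
        if hits_exploit_path(m["target"]):
            reasons.append("exploit-endpoint")
        if is_c2_ip(m["ip"]):
            reasons.append("c2-source-ip")
        if C2_DOMAIN in line.lower():
            reasons.append("c2-domain")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["time"], "target": m["target"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


# Constructed sample lines (not real Nissan or PeopleSoft logs); 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges standing in for external clients.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:02:14:11 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512
142.11.200.188 - - [28/May/2026:02:15:03 +0000] "GET /PSEMHUB/hub HTTP/1.1" 302 0
10.20.30.40 - - [28/May/2026:08:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 9342
198.51.100.9 - - [29/May/2026:11:41:52 +0000] "GET /PSEMHUB//hub?x=1 HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']:<16} {f['status']} {f['target']}  <- {', '.join(f['reasons'])}")
```

Run it against the web server's real access logs with `hunt(open(path).read().splitlines())`; the fourth sample line shows why the path is normalized before comparison, since `/PSEMHUB//hub?x=1` reaches the same servlet as `/PSEMHUB/hub` but would slip past a literal string match.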

3. Emergency Patching and Mitigation Procedures

Oracle released an emergency out-of-band security patch on June 10, 2026, followed by the June 2026 Critical Security Patch Update (CPU). CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities (KEV) catalog on June 12, 2026. Organizations must treat patching as an emergency priority.

Step-by-step patching guide:

  1. Download the patch from Oracle Support (Patch ID available in the June 2026 CPU advisory for PeopleSoft PeopleTools 8.61 and 8.62).
  2. Apply the patch in a test environment before production deployment.
  3. Schedule a maintenance window and communicate with stakeholders.
  4. Apply the patch using Oracle’s OPatch utility:

```bash
# Linux - Apply Oracle patch
cd $ORACLE_HOME/OPatch
./opatch apply /path/to/patch/
./opatch lsinventory -details -patch | grep -i "CVE-2026-35273"
```

```bat
REM Windows
cd %ORACLE_HOME%\OPatch
opatch.bat apply C:\path\to\patch\
opatch.bat lsinventory -details -patch | findstr /i "CVE-2026-35273"
```

  5. Verify patch application and restart PeopleSoft services.
  6. Monitor for exploitation attempts post-patching.

If immediate patching is not possible, implement these emergency mitigations:

  • Disable the Environment Management Hub (EMHub) service or remove the PSEMHUB application entirely.
  • Block external access to `/PSEMHUB/` and `/PSIGW/HttpListeningConnector` at the network perimeter.

Web application firewall (WAF) rules:

```apache
# Apache .htaccess or httpd.conf - Block PSEMHUB and PSIGW endpoints
<LocationMatch "^/(PSEMHUB|PSIGW)/">
    Require all denied
</LocationMatch>
```

```xml
<!-- IIS web.config - deny all users access to the PSEMHUB application -->
<location path="PSEMHUB">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
```

Network perimeter blocking (iptables example):

```bash
# Linux iptables - Drop requests carrying the vulnerable paths on the PeopleSoft port (assume 443)
iptables -A INPUT -p tcp --dport 443 -m string --string "/PSEMHUB/" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/PSIGW/" --algo bm -j DROP
```

What this does: These commands and configurations restrict access to vulnerable endpoints, preventing external attackers from exploiting CVE-2026-35273 while patching is underway. Note that the iptables string match inspects packet payloads and therefore only works where the request path travels in cleartext; on a TLS-terminated port 443 the path is encrypted, so the block must be enforced at the TLS-terminating reverse proxy or WAF (the Apache and IIS rules above) or by restricting port 443 to known source networks.

4. Post-Exploitation Forensic Analysis and System Hardening

After a suspected compromise, security teams must conduct thorough forensic analysis to determine the scope of the breach. The following steps guide investigators through evidence collection and system hardening:

Step 1 – Collect forensic artifacts:

```bash
# Linux - Collect critical logs and system state
sudo tar -czf forensics_$(date +%Y%m%d).tar.gz /var/log/ /etc/ /tmp/ /home/ /opt/ 2>/dev/null
sudo journalctl --since "2026-05-27" --until "2026-06-10" > peoplesoft_journal.log
```

```powershell
# Windows - Collect event logs (PowerShell as Administrator)
wevtutil epl Security security_export.evtx
wevtutil epl System system_export.evtx
wevtutil epl Application app_export.evtx
```

Step 2 – Audit web-tier file systems for unauthorized files:

```bash
# Linux - Find .jsp files modified in the last 30 days and list PSEMHUB directories
sudo find / -name "*.jsp" -mtime -30 -type f 2>/dev/null
sudo find / -type d -name "PSEMHUB" -ls 2>/dev/null
```

```powershell
# Windows - Search for recently modified JSP files
Get-ChildItem -Path C:\ -Recurse -Filter "*.jsp" -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
```

Step 3 – Monitor for outbound SMB connections to external IPs:

```bash
# Linux - Capture up to 1000 SMB packets without name resolution (options go before the filter expression)
sudo tcpdump -i any -n -c 1000 port 445 or port 139
```

```powershell
# Windows - Check active SMB connections
net use
# ServerName may be a hostname rather than an IP; the pattern covers 10/8, 172.16/12 and 192.168/16
Get-SmbConnection | Where-Object { $_.ServerName -notmatch "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)" }
```
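An added example (not from the article) that performs the Step 3 triage in Python over `ss -tn` output rather than a regex on address prefixes: internal space is decided by CIDR membership through the standard `ipaddress` module, so the whole 172.16.0.0/12 block and IPv6 unique-local addresses count as internal, and half-open (SYN-SENT) attempts to external port 445 or 139 are kept because they are what an exfiltration or lateral-movement attempt looks like from the victim host. The `ss` output is constructed, and INTERNAL_NETS is an assumption to be extended with the organization's own routed ranges.

```python
import ipaddress

# Address space treated as "internal" for this triage. Unlike a regex on
# "^172.16.", 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x; fd00::/8 is
# IPv6 unique-local space. Assumption: extend with your own routed ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fd00::/8", "::1/128",
)]
SMB_PORTS = {445, 139}


def is_internal(host):
    """True if host is an IP address inside INTERNAL_NETS. Hostnames (not IPs)
    are treated as external so they get looked at rather than silently skipped."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    # 'in' with a mismatched IP version simply evaluates to False
    return any(addr in net for net in INTERNAL_NETS)


def split_endpoint(endpoint):
    """Split an ss-style endpoint into (host, port); IPv6 appears as [addr]:port."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def find_external_smb(ss_output):
    """Parse `ss -tn` output and return SMB connections whose peer is not internal."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        state, peer_endpoint = parts[0], parts[4]  # State ... Local Peer
        peer, port = split_endpoint(peer_endpoint)
        if port in SMB_PORTS and not is_internal(peer):
            findings.append({"state": state, "peer": peer, "port": port})
    return findings


# Constructed `ss -tn` output (not from a real host). 203.0.113.0/24,
# 198.51.100.0/24 and 2001:db8::/32 are documentation ranges used as "external".
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port     Peer Address:Port
ESTAB     0      0      10.20.30.40:51234      10.20.30.5:445
ESTAB     0      0      10.20.30.40:51240      203.0.113.45:445
ESTAB     0      0      10.20.30.40:51288      172.31.9.2:139
ESTAB     0      0      10.20.30.40:44310      198.51.100.22:443
SYN-SENT  0      1      10.20.30.40:51300      198.51.100.77:445
ESTAB     0      0      [fd00::10]:51310       [2001:db8::9]:445
"""

if __name__ == "__main__":
    for f in find_external_smb(SAMPLE_SS):
        print(f"{f['state']:<9} -> {f['peer']}:{f['port']}")
```

On a live host, feed it `subprocess.run(["ss", "-tn"], capture_output=True, text=True).stdout`; the third sample line (172.31.9.2) is the case the article's `^172.16.` pattern would wrongly report as external, and the last line shows that IPv6 peers are handled.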

Step 4 – Harden PeopleSoft configuration:

  • Restrict access to employee pay slips and direct deposit changes to corporate network computers or secured VPN connections.
  • Implement additional identity verification measures before processing payroll requests.
  • Audit web-tier file systems for unauthorized `.jsp` files and suspicious new directories.

What this does: These forensic and hardening steps help identify the scope of compromise, detect backdoors, and prevent further unauthorized access.

5. Long-Term Defensive Strategies for Enterprise HR Systems

The Nissan breach underscores the critical need for proactive security measures in enterprise HR and payroll systems. Organizations should implement the following long-term strategies:

Network Segmentation: Isolate PeopleSoft and other HR systems from the general corporate network. Restrict access to authorized administrators and applications only.

Continuous Vulnerability Scanning:

```bash
# Use nmap to scan for exposed PeopleSoft endpoints regularly
nmap -p 443 --script http-headers --script-args http-headers.path=/PSEMHUB/hub [peoplesoft-server]
# Use OpenVAS or Nessus for comprehensive scanning;
# schedule weekly scans targeting Oracle PeopleSoft components
```

Log Monitoring and SIEM Integration: Forward PeopleSoft logs to a centralized SIEM with alerts for suspicious patterns:

```bash
# Linux - Configure rsyslog to forward all facilities and priorities to the SIEM (UDP 514; use @@ for TCP)
echo "*.* @[SIEM-SERVER]:514" >> /etc/rsyslog.conf
systemctl restart rsyslog
```

```powershell
# Windows - Enlarge the Security log (1 GiB, overwrite oldest) before forwarding it to a Windows Event Collector
wevtutil set-log Security /enabled:true /retention:false /maxsize:1073741824
```

Incident Response Playbook: Develop a specific playbook for Oracle zero-day scenarios, including:

  • Immediate isolation of affected systems.
  • Engagement with Oracle Support and external cybersecurity experts.
  • Notification to affected employees and regulatory bodies.
  • Offering free credit and dark web monitoring services.

Regular Patch Management: Oracle releases Critical Patch Updates (CPUs) quarterly, with additional Security Alerts for actively exploited vulnerabilities. Organizations must:

  • Subscribe to Oracle Security Alerts.
  • Test and apply patches within 48 hours of release for critical vulnerabilities.
  • Maintain an inventory of all Oracle products and versions in use.

What Undercode Say:

  • Zero-day vulnerabilities in enterprise HR systems represent an existential risk. The Nissan breach demonstrates that a single unpatched flaw in widely deployed software can expose millions of sensitive records across global operations. Organizations must treat PeopleSoft and similar HR platforms as crown jewels and apply defense-in-depth strategies accordingly.

  • Proactive threat hunting is non-negotiable. The ShinyHunters campaign operated for over two weeks before Oracle issued a patch. Organizations with robust threat hunting capabilities—including log analysis, IOC monitoring, and anomaly detection—could have identified the compromise earlier. The use of MeshCentral agents disguised as Azure services highlights the sophistication of modern adversaries and the need for endpoint detection and response (EDR) solutions that look beyond simple signature-based detection.

  • The human element remains the weakest link. While this attack exploited a technical vulnerability, the downstream impacts—phishing, identity theft, and financial fraud—affect real people. Nissan’s decision to offer credit monitoring and restrict payroll system access is commendable, but organizations must also invest in employee education and identity protection services as part of their breach response.

  • Collaboration between vendors and security researchers is critical. Mandiant and Google’s Threat Intelligence Group identified and notified over 100 organizations before Oracle’s public disclosure. This public-private partnership saved countless organizations from potential breaches. However, Oracle’s delayed public confirmation raises questions about transparency and the speed of vendor response in zero-day scenarios.

Prediction

  • +1 The Nissan breach will accelerate adoption of zero-trust architecture in enterprise HR systems. Organizations will move away from perimeter-based security models and implement micro-segmentation, continuous authentication, and least-privilege access controls for sensitive HR and payroll applications.

  • -1 More organizations will fall victim to similar zero-day exploits before vendors can respond. The ShinyHunters campaign compromised over 300 PeopleSoft instances across 100 organizations, and many victims have yet to disclose their breaches. As threat actors increasingly target enterprise resource planning (ERP) systems, the window between vulnerability discovery and exploitation will continue to shrink.

  • +1 Regulatory scrutiny will intensify. The exposure of Social Security numbers, banking information, and tax records across multiple countries will trigger investigations from data protection authorities in the US, Canada, Mexico, and Brazil. This may lead to stricter breach notification requirements and heavier penalties for organizations that fail to secure sensitive employee data.

  • -1 The ShinyHunters group will continue to evolve its TTPs. Having successfully monetized data from this campaign through extortion and data leaks, ShinyHunters (UNC6240) will likely invest in developing or acquiring additional zero-day exploits targeting other enterprise software platforms. Organizations should prepare for copycat attacks using similar SSRF-to-RCE chains.

  • +1 The incident will drive innovation in automated patch management and vulnerability detection. The speed at which CVE-2026-35273 was added to CISA’s KEV catalog and the availability of public exploit code will push organizations to adopt AI-driven vulnerability prioritization and automated remediation tools that can respond to zero-day threats in hours, not days.

  • -1 Employee trust in corporate data protection will erode. With sensitive payroll, tax, and banking information now in the hands of cybercriminals, affected employees face years of heightened risk of identity theft and financial fraud. This breach will have long-lasting reputational and financial consequences for Nissan, potentially impacting employee retention and recruitment.

Reported By: Dlross Nissan – Hackers Feeds