
CVE-2026-35273: One Unauthenticated HTTP Request Owns Your PeopleSoft — ShinyHunters Ran It as a Zero-Day for Two Weeks, 100+ Organizations Hit, Still No Patch

2026.06.13

Google Mandiant confirmed on June 12: from May 27 onward, ShinyHunters used this CVSS 9.8 unauthenticated RCE against roughly 300 PeopleSoft instances — 68% in higher education — while Oracle has so far shipped only mitigations


On June 12, SecurityWeek reported that Google Mandiant and GTIG formally confirmed: CVE-2026-35273, which Oracle addressed this week with an out-of-band security alert, had already been exploited as a zero-day by ShinyHunters (tracked by Google as UNC6240). It is a CVSS 9.8 unauthenticated remote code execution flaw — no account, no user interaction; one network request that reaches the HTTP interface takes over the server. The shock: as of today Oracle has published mitigations only. There is no patch.

Technically, the flaw sits in PeopleSoft Enterprise PeopleTools 8.61 and 8.62 (plus PeopleSoft Enterprise Applications). The attack is a gadget chain stitching known old bugs together with this undisclosed zero-day, walking from an internet-exposed PeopleSoft portal straight to RCE. With a foothold, attackers deploy customized MeshCentral remote-management agents masquerading as legitimate cloud endpoints, then run a script named [victim_abbreviation]_fanout.sh for lateral movement and defacement. No public PoC yet — but exploitation is already happening.

Quantified scope: Mandiant observed exploitation between May 27 and June 9; Google notified more than 100 potentially exposed organizations, 68% in higher education; ShinyHunters claims roughly 300 instances across 100 organizations. The University of Nottingham is the first confirmed victim, with stolen data published on the data leak site of the group on June 9. The timeline is brutal: from first attacks (May 27) to the Oracle alert (June 10), defenders were blind for two full weeks.

Why act within 24 hours: there is no patch to wait for. The only moves are applying mitigations immediately and shrinking your exposure. Concrete actions below.

Technical details: vulnerability class + attack path

Class: unauthenticated RCE via the PeopleSoft HTTP service interface — no privileges, no interaction, network vector. Four-step path: crafted HTTP request to an exposed PeopleSoft portal → code execution via the gadget chain → MeshCentral agent implant for persistence → fanout.sh for batch lateral movement, data theft and defacement. Affected versions: PeopleTools 8.61 and 8.62. Education is the disaster zone because campus systems habitually put enrollment and payment portals straight on the public internet.

Immediate actions for three audiences

  • Sysadmins: apply the mitigations in the Oracle Security Alert now; inventory every internet-exposed PeopleSoft portal and pull them behind VPN or IP allow-lists today; hunt logs from May 27 onward for MeshCentral connections and unknown shell scripts.
  • Developers: even without PeopleSoft, the principle holds — admin and ERP portals should not face the open internet. Minimal Nginx defense:
```nginx
# Admin/ERP portals: office and VPN ranges only
location /admin/ {
    allow 203.0.113.0/24;   # office
    allow 10.8.0.0/16;      # vpn
    deny  all;
}
```
  • Agencies / consultants: send clients a notice titled: is any admin backend of yours directly exposed to the internet? Attach a free attack-surface checklist. The lesson applies to every custom-system client.

Patch vs. mitigation

| Item | Status | Action |
|---|---|---|
| Official patch | Not yet available | Watch the Oracle alert page; apply within 24 hours of release |
| Official mitigations | Released (Security Alert) | Apply now — currently the only first line of defense |
| Network-level mitigation | Self-serve | Portals behind VPN/allow-lists; WAF rules for anomalous POSTs |
| Detection lookback | Self-serve | Review logs since May 27: MeshCentral, *_fanout.sh |

IOCs and threat intel

  • Customized MeshCentral agents masquerading as legitimate cloud endpoints (a legitimate tool, weaponized)
  • Lateral-movement/defacement scripts matching [victim_abbreviation]_fanout.sh
  • Anomalous requests against PeopleSoft HTTP portals between May 27 and June 9
  • Full IOC list: Google Cloud Threat Intelligence blog

What nobody tells you

  • Oracle still has not publicly confirmed exploitation — Google said it for them. Vendor advisories always lag threat intel; teams relying only on vendor notices spent these two weeks exposed.
  • A mitigation is not a fix: nobody guarantees the rest of the gadget chain holds no further undisclosed bugs, and TrendAI (credited with reporting the flaw) says its investigation is ongoing. Treating mitigations as patches is how the next incident starts.

The bigger trend

The gap between when attackers start and when the vendor speaks has inverted: adversaries exploited for two weeks before defenders got their first official document. The patch-window operating model no longer works for internet-facing enterprise systems; attack-surface management (not being exposed in the first place) now formally outranks patching speed.

FAQ

We do not run PeopleSoft — does this concern us?

Yes. The core lesson — exposed backend portals plus a vendor zero-day — applies to any ERP, CMS or custom admin panel. Audit today: which of your admin URLs open from a coffee-shop Wi-Fi?

Are we safe once mitigations are applied?

Only reduced risk on the known path. Until a patch ships, you also need exposure reduction and a compromise lookback from May 27 — all three, not one.

How do we check whether we were hit?

Review web-server logs for anomalous POSTs to PeopleSoft portals, hosts for unknown MeshCentral processes and *_fanout.sh files, and egress for unexplained remote-management traffic. Any hit triggers incident response.
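The lookback described in the sysadmin bullet and in this answer, as an added example that is not code from the original post, Oracle or Google: it sweeps combined-format web-server access logs for POSTs to PeopleSoft portal paths inside the May 27 to June 9 window, and checks a host's file and process lists for the *_fanout.sh pattern and a MeshCentral agent. The /psp/ and /psc/ path prefixes and the `meshagent` process name are assumptions of mine, not stated on the page.

```python
"""Lookback triage for the PeopleSoft campaign described on this page.
Added example, not code from the original post, Oracle or Google. Assumes (not stated
on the page) that PeopleSoft PIA portals live under /psp/ and /psc/ and that the MeshCentral
agent shows up as 'meshagent'; the May 27-June 9 window and *_fanout.sh come from the page."""
import fnmatch
import re
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 9, 23, 59, 59, tzinfo=timezone.utc)
PIA_PREFIXES = ("/psp/", "/psc/")  # assumed PeopleSoft PIA servlet paths

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def suspicious_portal_posts(log_text):
    """Return (ip, time, path, user-agent) for POSTs to portal paths inside the window."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the sweep
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if (m["method"] == "POST" and m["path"].startswith(PIA_PREFIXES)
                and WINDOW_START <= ts <= WINDOW_END):
            hits.append((m["ip"], ts.isoformat(), m["path"], m["ua"]))
    return hits

def host_indicators(file_paths, process_cmdlines):
    """Flag *_fanout.sh scripts (page IOC) and MeshCentral-like processes (assumed names)."""
    scripts = [p for p in file_paths if fnmatch.fnmatch(p.rsplit("/", 1)[-1], "*_fanout.sh")]
    procs = [c for c in process_cmdlines if "meshagent" in c.lower() or "meshcentral" in c.lower()]
    return scripts, procs

# Constructed sample input: documentation-range IPs and invented paths, not real indicators.
SAMPLE_LOG = """\
198.51.100.7 - - [28/May/2026:02:14:09 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE.COMPONENT.GBL HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [28/May/2026:09:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
198.51.100.7 - - [20/May/2026:02:14:09 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE.COMPONENT.GBL HTTP/1.1" 200 100 "-" "curl/8.0"
"""
SAMPLE_FILES = ["/tmp/acme_fanout.sh", "/home/psadm/deploy.sh"]
SAMPLE_PROCS = ["/opt/cloud-sync/meshagent --url wss://agent.example.invalid", "/usr/sbin/sshd -D"]

if __name__ == "__main__":
    print(suspicious_portal_posts(SAMPLE_LOG))
    print(host_indicators(SAMPLE_FILES, SAMPLE_PROCS))
```

Feed it real access logs and `find`/`ps` output in place of the constructed samples; every hit is a lead to hand to incident response, not proof of compromise on its own.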

Why are universities the disaster zone?

Campus systems must be open to students (enrollment, payments), so the exposed surface is large and patch windows are hostage to the academic calendar. ShinyHunters picks targets that cannot simply switch things off.

My take

The mainstream conclusion will be patch faster, inventory faster. My contrarian read: this incident declares patch-centrism bankrupt. When attacks precede the advisory by two weeks and the advisory precedes the patch by who knows how long, the primary security metric should no longer be patch velocity but non-exposable surface area — every day an unnecessary portal faces the internet is a day your fate is delegated to the SDLC of a vendor. The ScriptWalker client-care opportunity: turn attack-surface review into a quarterly service — scan every external entry point of each client, deliver an exposure list and a reduction plan. This PeopleSoft campaign is the perfect opening case study.
