If you still think your staging servers are safe behind the firewall, you are dreaming. Staging targets are the new front door. ShinyHunters just proved it again, ripping through Oracle PeopleSoft instances using a critical zero-day that exposes the soft underbelly of institutional networks.
This isn't a theoretical threat. It’s an active extortion campaign. Tracked as CVE-2026-35273, the zero-day hits Oracle PeopleSoft PeopleTools, letting unauthenticated attackers execute arbitrary code. It has a CVSS score of 9.8. That is as bad as it gets. When you have a bug that requires zero credentials and grants full system access, you aren't looking at a vulnerability; you're looking at a keys-to-the-kingdom event.
The gang behind this is ShinyHunters. They are notorious for data theft, but this campaign is particularly nasty. They didn't just stumble onto these systems. They systematically scanned for exposed PeopleSoft environments, focused on educational institutions, and exfiltrated databases with surgical precision. If you are sitting on an unpatched PeopleSoft server, expecting your perimeter security to defend you, you are playing Russian roulette. We need to stop pretending staging servers don't need the same rigorous protection as production databases. Let's look at what went wrong and how to fix it before your data ends up on their leak site.
Let's look under the hood of CVE-2026-35273. The flaw is in Oracle PeopleSoft PeopleTools, specifically versions 8.61 and 8.62. At its core, this is an unauthenticated remote code execution vulnerability. No login, no session token, no authorization headers. If a server is reachable via HTTP, it is vulnerable.
The exploit depends on deserialization flaws. What the attackers call a "gadget chain" is essentially a string of operations that abuse existing, legitimate classes in the PeopleTools library. When untrusted input is passed to these classes without validation, it triggers execution of arbitrary code in the context of the underlying application process. While details of the specific zero-day components remain closely guarded, threat actors confirmed they blended this new exploit with older, known vulnerabilities to achieve reliable execution. This tactic of chaining multiple vulnerabilities aligns with patterns noted in the Ivanti Sentry campaign (see Weaponized Urgency: The Critical Lessons Behind the Ivanti Sentry Breach).
Why is this a CVSS 9.8? Because the attack complexity is low. It requires no user interaction. An attacker simply writes a payload, sends it to an exposed endpoint, and gets a shell. Because PeopleSoft processes run with high levels of privilege to access backend databases, that single shell is often enough to read every record in the database. Deserialization bugs are notoriously hard to mitigate with simple rules. You can't just blocklist a few bad strings. If the application is designed to ingest serialized objects, the code path is fundamentally vulnerable until the deserialization engine itself is hardened or replaced.
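The last sentence above is the real mitigation point: the deserializer itself has to refuse any type it was not explicitly told to accept, rather than the application trying to spot bad input. PeopleTools is Java, where that control is an ObjectInputFilter allowlist (JEP 290); the example below, which I added and which is not Oracle's or PeopleTools code, shows the same idea in Python's pickle so it can be run stand-alone. SessionState is a hypothetical application type standing in for whatever the endpoint legitimately expects.

```python
import io
import pickle
from collections import OrderedDict


class SessionState:
    """Hypothetical application type that the endpoint legitimately expects."""
    def __init__(self, user, roles):
        self.user = user
        self.roles = roles


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only explicitly allowed (module, class) pairs.

    Every class reference in the stream goes through find_class, so any type
    outside the allowlist, gadget or not, is refused before it is instantiated.
    """
    ALLOWED = {(SessionState.__module__, "SessionState")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize untrusted bytes through the allowlist instead of pickle.loads."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def accepts_expected_type():
    """The intended type round-trips normally."""
    obj = safe_loads(pickle.dumps(SessionState("alice", ["hr_admin"])))
    return obj.user, obj.roles


def rejects_unexpected_type():
    """An otherwise harmless stdlib type is refused purely because it is not
    on the allowlist; the rejection does not depend on recognising a payload."""
    try:
        safe_loads(pickle.dumps(OrderedDict(a=1)))
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(accepts_expected_type(), rejects_unexpected_type())
```

The design choice is the same one you would make with a Java serial filter: the allowlist is tiny and positive, and the stream is refused at class-resolution time, before any constructor or reduction hook of the unexpected type runs. A blocklist of "known bad" classes would have to be updated every time someone finds a new gadget; an allowlist does not.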
ShinyHunters didn't just write an exploit and sit on it. They weaponized it at scale. Mandiant and independent security researchers tracked this campaign across a massive footprint, identifying over 300 compromised PeopleSoft instances across more than 100 organizations.
Their operational playbook is clean, fast, and automated. Once they successfully exploit the vulnerability on a staging server—frequently looking for PSEMHUB components—they deploy a custom MeshCentral remote management agent. MeshCentral is an open-source, dual-use administration tool. It is perfect for remote support, which is exactly why the attackers chose it. It blends in. To make things worse, they configured these agents to route their command-and-control (C2) traffic in a way that masquerades as legitimate Microsoft Azure services. If your SOC analysts are looking for strange external IPs, they might miss traffic heading to what looks like a benign Azure endpoint, reproducing techniques detailed in Disguising Command-and-Control: How DragonForce Exploits Microsoft Teams Relays.
From this foothold, the actors run discovery scripts. They map the local WebLogic configuration files, search for hardcoded database credentials, and list active sessions. They don't stay in the sandbox either. ShinyHunters are known for lateral movement, scraping passwords, and compromising broader directory services. Once they compile the target data, they compress it and push it out to a public infrastructure node at 176.120.22.24. That IP isn't random; it is directly associated with the public ShinyHunters extortion website. If you see outbound connections to that address, you are not about to be breached—you have already been looted.
When Mandiant analyzed the victim list, one metric stood out. A massive 68% of the compromised endpoints belonged to institutions within the higher education sector.
This isn't a coincidence. Universities are broad, decentralized, and host massive treasure troves of personally identifiable information (PII). They have student records, financial files, social security numbers, and intellectual property. At the same time, their IT teams are often overworked, underfunded, and managing a patchwork of legacy systems. The staging server that a department built four years ago for a system upgrade? It’s probably still running, completely forgotten, but sitting on a public subnet.
This is part of a broader pattern of threat actors turning their sights on academia. We've seen similar vectors where educational platforms are treated as soft entries, such as the Credential Leak at Oxford Career Platform Exposes Third-Party Risks in Higher Ed. When organizations rely on third-party products or legacy systems without continuously auditing access controls, they leave the keys in the door. ShinyHunters knows this. They targeted Instructure Canvas recently, stealing millions of records and forcing a ransom payout because the administrative configurations had gaps. If universities don't start treating their administrative backends with the same security intensity as financial institutions, they will remain the easiest dollar on the extortion market.
This campaign highlights a security failure I see constantly in my work: the staging server exception. Teams spend millions hardening their production environments. They install web application firewalls, set up strict database access policies, and audit application code. Then, they spin up a clone of the environment for testing—labeled PSEMHUB—and leave it completely exposed.
If a staging server has access to the production database, or even if it contains a copy of last month's production tenant data, it is a production asset. Period. Leaving it exposed to the open web tells me your access management strategy has a critical blind spot. We need to implement strict network segmentation. Staging servers should never be accessible from the public internet unless they are behind a VPN or protected by zero-trust network access (ZTNA).
Then there is privileged access management. Why were these scripts able to move laterally so easily? The attackers mapped the configurations and found hardcoded credentials. It’s the oldest trick in the book. If you have administrator passwords hardcoded in your WebLogic XML configs, you are giving the intruder administrator access. Password rotation and secrets management are not optional operations for legacy enterprise suites. We must shift our approach toward a risk-centric model, prioritizing patches based on real-world threat intelligence rather than arbitrary CVSS numbers. You can read more about how this shifting dynamic is reshaping federal guidelines in Shifting to Risk-Centric Patching: How CISA’s New Mandate Impacts Federal Security. We have to stop treating patching as an administrative chore and see it as active combat defense.
Oracle has issued emergency mitigations for CVE-2026-35273, but patching the bug only stops future attempts. It does nothing to evict an attacker already dwelling inside your system. If you run PeopleSoft, you must run a discovery routine right now to verify you aren't compromised.
Start by locking down your public endpoints. Restrict external network access to your PeopleSoft servers immediately.
Next, dig into your log files. You want to audit all access requests targeting the /PSEMHUB/ and /PSIGW/HttpListeningConnector paths. Look for abnormal HTTP POST requests, particularly those with unexpected request payloads or originating from unfamiliar IPs.
You also need to inspect the file systems of your application servers. Specifically, scan WebLogic application directories for unexpected files ending in .jsp. Hackers drop these webshells to ensure they can get back in even after you install Oracle's mitigations. Check your PSEMHUB transaction folders for any binaries or staging files you didn't put there.
Search for the existence of suspicious scratchpad directories—Mandiant noted that directories named logs, persistantstorage, or scratchpad were created by the threat actors to store tools and exfiltrate data. Finally, audit your XML configuration files. Look for external resource definitions or configuration entries that were modified recently.
Keep an eye out for these known malicious IP addresses associated with scanning or C2 infrastructure in this campaign:
142.11.200.186
142.11.200.187
142.11.200.188
142.11.200.189
142.11.200.190
108.174.202.99
176.120.22.24
If any of these indicators of compromise (IOCs) crop up, treat it as a full-scale security incident. The time for passive monitoring is over. Start hunting.
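The hunting steps above (audit POSTs to /PSEMHUB/ and /PSIGW/HttpListeningConnector from unfamiliar sources, scan application directories for dropped .jsp files and the reported directory names, check recently modified XML configs, and match the listed IPs) fit in one triage script. The code below is an added example I wrote for this post, not Mandiant or Oracle tooling. The log lines, the directory layout under applications/PSEMHUB, and the 10.0.0.0/8 trusted range are constructed sample data; the IOC IPs and path names are the ones given above. Point scan_app_dirs at your real WebLogic application root and feed triage_access_log your access.log to use it for real.

```python
import ipaddress
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# Infrastructure IPs listed on the page for this campaign.
IOC_IPS = {"142.11.200.186", "142.11.200.187", "142.11.200.188", "142.11.200.189",
           "142.11.200.190", "108.174.202.99", "176.120.22.24"}
# Request paths the page says to audit for unexpected POSTs (compared lower-case).
WATCHED_PATHS = ("/psemhub/", "/psigw/httplisteningconnector")
# Directory names Mandiant reported the actors creating, spelled as reported.
# "logs" also matches legitimate directories: treat hits as leads, not proof.
SUSPICIOUS_DIRS = {"logs", "persistantstorage", "scratchpad"}

# Common Log Format, which WebLogic access logs use by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log: two internal users, an external POST to the hub, a probe
# from a listed scanner IP, a POST from the exfil node, and one malformed line.
SAMPLE_LOG = [
    '10.20.30.40 - - [04/Mar/2026:09:14:02 -0500] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120',
    '10.20.30.41 - - [04/Mar/2026:09:15:10 -0500] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 312',
    '203.0.113.77 - - [04/Mar/2026:09:16:44 -0500] "POST /PSEMHUB/hub HTTP/1.1" 200 88',
    '142.11.200.188 - - [04/Mar/2026:09:17:01 -0500] "GET /PSEMHUB/ HTTP/1.1" 404 0',
    '176.120.22.24 - - [04/Mar/2026:09:20:33 -0500] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0',
    'this line is deliberately malformed and must be skipped',
]


def triage_access_log(lines, trusted_networks=()):
    """Flag requests from listed IOC IPs and POSTs to the watched paths from
    outside trusted_networks (CIDR strings, e.g. your own integration hosts)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not abort the hunt
        rec = m.groupdict()
        reasons = []
        if rec["ip"] in IOC_IPS:
            reasons.append("known-ioc-ip")
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and path.startswith(WATCHED_PATHS):
            try:
                internal = any(ipaddress.ip_address(rec["ip"]) in n for n in trusted)
            except ValueError:            # hostname instead of an IP: treat as untrusted
                internal = False
            if not internal:
                reasons.append("external-post-to-watched-path")
        if reasons:
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "path": rec["path"], "reasons": reasons})
    return findings


def scan_app_dirs(root, recent_days=30, now=None):
    """Walk an application tree for .jsp drops, the reported directory names,
    and XML configuration files modified within the last recent_days."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    root = Path(root)
    found = {"jsp": [], "suspicious_dirs": [], "recent_xml": []}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_dir() and p.name.lower() in SUSPICIOUS_DIRS:
            found["suspicious_dirs"].append(rel)
        elif p.is_file() and p.suffix.lower() == ".jsp":
            found["jsp"].append(rel)
        elif p.is_file() and p.suffix.lower() == ".xml" and p.stat().st_mtime >= cutoff:
            found["recent_xml"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def run_demo():
    """Build a constructed application tree in a temp dir, scan it, and triage
    SAMPLE_LOG with 10.0.0.0/8 as the trusted range. Returns both result sets."""
    base = Path(tempfile.mkdtemp(prefix="psft-hunt-"))
    try:
        app = base / "applications" / "PSEMHUB"   # constructed layout, not Oracle's
        app.mkdir(parents=True)
        (app / "cmd.jsp").write_text("<%-- constructed placeholder --%>\n")
        (app / "persistantstorage").mkdir()
        (app / "config.xml").write_text("<domain/>\n")          # modified just now
        old = app / "old-config.xml"
        old.write_text("<domain/>\n")
        stale = time.time() - 90 * 86400                        # untouched for 90 days
        os.utime(old, (stale, stale))
        fs = scan_app_dirs(base, recent_days=30)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return {"log": triage_access_log(SAMPLE_LOG, trusted_networks=("10.0.0.0/8",)),
            "filesystem": fs}


if __name__ == "__main__":
    for section, hits in run_demo().items():
        print(section, hits)
```

Two points in the design matter more than the matching itself. The log check keys on method plus path plus source, so an internal integration host POSTing to the listening connector is not noise, while the same request from an unknown address is; tune trusted_networks to your actual integration sources rather than to a whole campus range. The filesystem check reports the reported directory names as leads rather than verdicts, because "logs" exists on every healthy host; what you are looking for is one in a place your own build never created, next to a .jsp you never deployed.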