They didn't break in. They just walked through the door.
It's 2026. We've got AI firewalls, zero-trust architectures, and endpoint detection systems that can spot a keystroke anomaly from a thousand miles away. And yet, a single, unpatched flaw in Oracle's PeopleSoft software let a ransomware gang steal gigabytes of data from a hundred institutions, without so much as a password.
No phishing email. No malware dropper. No credential stuffing. Just a single, stupid, glaringly obvious vulnerability: CVE-2026-35273. A server-side request forgery. A flaw so basic, so embarrassingly common, that it's the kind of thing you'd expect to find in a college student's first web app, except this was running the payroll, admissions, and student records systems of universities, hospitals, and government agencies.
And someone, ShinyHunters, found it.
They didn't even need to guess a password. They didn't need to crack a token. They just sent a request. And because Oracle's PeopleSoft Environment Management Hub had no authentication layer exposed to the public internet, the system answered back. Like a dog wagging its tail when you say its name.
This isn't a zero-day in the glamorous sense. It's not a cryptographic breakthrough. It's not a memory corruption exploit. It's a configuration error. A missed checkbox. A vendor assumption that no one would ever leave this open. And yet, hundreds did. Because it's easier to leave it open. Because someone once said, It's just for internal admins, and then forgot to close it when they moved to the cloud.
ShinyHunters didn't invent anything new. They just exploited the fact that the world is still built on brittle, outdated software that nobody bothers to secure.
And now, they've got 48 gigabytes of student records from the University of Nottingham. And they've got your data, too, if you're still running PeopleSoft and haven't patched.
I've seen this movie before. The same thing happened with Log4j. With SolarWinds. With MOVEit. Every time, we swear we'll learn. Every time, we don't.
This isn't about ShinyHunters. It's about us.
Because if you're still running PeopleSoft in 2026 and you haven't disabled the EMHub interface, you're not a victim. You're a liability.
And someone's already looking at your server.
They just haven't knocked yet.
The Flaw That Shouldn't Have Existed
CVE-2026-35273 isn't a bug. It's a failure.
Oracle's PeopleSoft Environment Management Hub (EMHub) is supposed to be a control panel for system administrators. A place to manage configurations, deploy patches, monitor performance. It's not supposed to be accessible from the outside world. It's not supposed to be reachable by anyone who doesn't have a VPN, a corporate badge, and a signed NDA.
But somewhere along the line, someone decided it was easier to expose it to the internet. Maybe it was for remote access. Maybe it was for legacy integration. Maybe someone just clicked Allow Public Access by accident and never went back.
The vulnerability? No authentication. No session validation. No IP allowlist. Just a web endpoint listening on port 80 or 443, waiting for a request.
An attacker sends a crafted HTTP POST to /emhub/api/v1/config, and the server responds with a full dump of the PeopleSoft environment: database credentials, service accounts, internal network maps, even cached API keys. It's like leaving your house key under the mat and then wondering why someone stole your TV.
Oracle didn't even call it a zero-day when they first found it. They called it a misconfiguration. Which is code for: We knew this could happen. We warned about it. But we didn't force people to fix it.
And now, 100 organizations are paying the price.
The CVSS score? 9.8. The highest possible. Not because it's complex. But because it's catastrophic. A single HTTP request can lead to full system compromise. No need for exploits. No need for privilege escalation. Just a request. And then, boom.
It's the kind of flaw that makes you want to scream.
Because we've seen this before.
And we'll see it again.
Unless we stop pretending that security is someone else's job. For a detailed technical breakdown of this vulnerability, see our analysis: Critical Exploited Zero-Day Found in Oracle PeopleSoft Applications.
The Two-Week Window Nobody Noticed
The attack started on May 27, 2026.
That's when ShinyHunters first began probing PeopleSoft systems across the globe. They weren't random. They were surgical. They scanned for EMHub endpoints. They tested for the vulnerability. They didn't rush. They waited. They mapped.
By June 10, they'd compromised over 300 endpoints across 100 organizations.
And Oracle didn't even know.
Not until Mandiant flagged the unusual outbound SSH traffic to 176.120.22.24, the ShinyHunters data leak site. Not until someone at the University of Nottingham noticed their student portal was suddenly displaying a ransom note.
That's two weeks. Two weeks where the most critical vulnerability of the year was being actively exploited, and the vendor didn't lift a finger.
They didn't issue a patch. They didn't send a warning. They didn't even issue a public advisory.
They issued a mitigation. A band-aid. A suggestion.
Disable the EMHub interface if not needed.
That's it.
No patch. No update. No CVE bulletin. No security alert.
Just a footnote in a PDF.
Meanwhile, ShinyHunters were already inside. They'd deployed MeshCentral agents, renamed to look like Azure services. They'd used bash scripts to map internal systems. They'd found the WebLogic XML configs. They'd identified the financial processing subsystems.
And then they started stealing.
The data wasn't just names and addresses. It was passport numbers. Credit card details. Disability disclosures. Academic records. Financial aid applications. Social Security numbers. The kind of data that doesn't just ruin a person's credit, it ruins their life.
And for two weeks, Oracle sat on their hands.
I don't care if you're a big company. I don't care if you're a university. If you're running PeopleSoft and you didn't disable EMHub by June 1, you're not just negligent. You're complicit.
Because the warning was there.
And you chose to ignore it.
The University of Nottingham Wasn't an Accident
The University of Nottingham didn't get hacked because they were unlucky.
They got hacked because they were typical.
They're a global institution. Campuses in the UK, Malaysia, China. Thousands of students. Hundreds of staff. A sprawling IT infrastructure that's been patched, upgraded, and bolted together over decades.
And somewhere in that mess, someone left EMHub exposed.
When ShinyHunters breached them, they didn't just steal names. They stole identity.
Mandiant confirmed the attackers exfiltrated 48GB of data from Nottingham alone. That's not a typo. That's 48 gigabytes of student records, everything from enrollment history to financial aid applications to medical disclosures.
And they didn't just take it. They published it.
On their dark web leak site, ShinyHunters posted a redacted but still horrifying preview: full names, home addresses, passport numbers, credit card details, even disability status.
This isn't a data breach. It's a digital assault.
And Nottingham isn't alone.
Sixty-eight percent of the 100 targeted organizations were in higher education. Why? Because universities are the perfect targets. They're underfunded. Overextended. They trust their vendors. They assume Oracle knows what they're doing.
But Oracle doesn't know. And neither do most IT departments.
They're not malicious. They're just tired.
They've got 12 different systems to manage. They're short-staffed. They're juggling compliance audits, cybersecurity mandates, and legacy upgrades.
And in that chaos, the EMHub port stays open.
Because nobody noticed.
Because nobody cared.
Until it was too late.
And now, thousands of students are scrambling to freeze their credit. To change their passwords. To wonder if their personal data is already for sale on a dark web forum.
That's the cost of ignoring a 9.8 vulnerability for two weeks.
And it's happening again.
Right now.
To someone else.
Because you still haven't patched. For a deep dive into how this campaign specifically impacted the University of Nottingham, see our breakdown: From Zero-Day to Student Records: Deconstructing the Attack on Nottingham's Database.
The Attack Chain: Simple, Brutal, Effective
The attack wasn't fancy. It was efficient.
Step one: find the EMHub endpoint. A simple port scan. A quick Shodan query. Done.
Step two: send the request. A single HTTP POST to /emhub/api/v1/config. No authentication. No headers. Just the payload. And the server responds with the entire PeopleSoft configuration.
Step three: map the internal network. The attackers used a custom bash script to crawl the XML configs, identify the WebLogic servers, locate the database hosts, and find the financial processing subsystems.
Step four: deploy MeshCentral. They didn't use malware. They used a legitimate remote management tool, MeshCentral, and renamed its files to look like Azure services. The endpoint detection tools? Blind.
Step five: escalate. They used SSH credential spraying to jump from PeopleSoft to other internal systems. They didn't need passwords. They just tried the same credentials they'd pulled from the PeopleSoft configs.
Step six: compress and exfiltrate. They used zstd to compress the stolen data. Fast. Efficient. Small footprint. Hard to detect.
Step seven: send it to 176.120.22.24. The ShinyHunters DLS. A single IP. A single server. A single point of failure.
And then they waited.
They didn't demand payment right away. They waited until they'd stolen enough data from enough victims. Then they sent the extortion emails.
Pay $2 million, or we release the student records.
One organization paid.
We don't know who.
But we know they thought it was cheaper than the lawsuit.
And that's the real tragedy.
The attack was simple. The defense was simple.
Disable EMHub.
That's it.
But nobody did.
Because it's easier to ignore.
Until it's too late.
The Extortion Machine
ShinyHunters didn't just steal data.
They built an extortion machine.
They knew universities would panic. They knew regulators would come down hard. They knew the media would scream. They knew the board of governors would be terrified.
So they didn't just leak the data.
They weaponized it.
They published previews. Redacted, but still horrifying. A student's passport number. A disability disclosure. A credit card last four. Enough to make someone feel violated.
And then they sent the email:
Pay $2 million. Or we release the full dataset.
One organization paid.
We don't know who.
But we know they thought it was cheaper than the lawsuit.
And that's the real tragedy. For a full breakdown of how ShinyHunters turned this zero-day into the biggest university heist of 2026, see: How ShinyHunters Turned a PeopleSoft Zero-Day Into the Biggest University Heist of 2026.
Oracle's Response: A Half-Hearted Gesture
Oracle didn't release a patch.
They released a mitigation.
Disable the EMHub interface if not needed.
That's it.
No update. No CVE bulletin. No security advisory. No email to customers. No alert on their homepage.
Just a footnote in a PDF.
And they did this for two weeks.
Two weeks while ShinyHunters stole 48GB of student data from Nottingham.
Two weeks while other universities were being compromised.
Two weeks while the world waited for someone to act.
And when they finally did? They didn't even call it a zero-day.
They called it a misconfiguration.
That's not a patch. That's a shrug.
It's the same playbook they've used for years. It's not our fault. You misconfigured it.
But here's the truth: if your software has a flaw that can be exploited by anyone on the internet, and you don't patch it, then it's your fault.
You don't get to hide behind misconfiguration when the vulnerability is in your code.
And you don't get to ignore it for two weeks while people's lives are being destroyed.
This isn't just negligence. It's a betrayal.
Because the people who run PeopleSoft aren't hackers. They're professors. They're HR managers. They're IT admins who just want to get through the day.
And Oracle failed them.
Badly.
The Remediation That Should've Been Obvious
The fix is simple.
Disable EMHub.
That's it.
If you're not using it, turn it off.
If you are using it, restrict it to your internal network. No public access. No cloud exposure. No exceptions.
Mandiant and Rapid7 have published IoCs. The IP address of the DLS: 176.120.22.24. The zstd compression pattern. The MeshCentral file names.
But here's the thing: none of that matters.
Because if you leave EMHub exposed, none of the IoCs will save you.
The only real fix is to close the door.
And yet, I bet you're still running PeopleSoft with EMHub exposed.
I bet you think, We've got a WAF. We're fine.
WAFs don't stop this. WAFs don't stop a simple POST request to an unauthenticated endpoint.
This isn't a SQL injection. It's not a buffer overflow. It's not a logic flaw.
It's a missing authentication.
And no WAF in the world will catch that.
So what do you do?
You disable EMHub.
You audit your PeopleSoft instances.
You check every server.
You ask your vendor: Is EMHub exposed?
And if they say No, you verify it yourself.
Because if you don't, you're not just at risk.
You're already compromised.
And you just don't know it yet.
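The audit this section calls for, and the detection side of the attack chain described earlier, as an added example that is not from the article, Oracle, Mandiant or Rapid7: it runs over constructed log lines and flags EMHub requests that were answered for clients outside the internal ranges, flows to the DLS IP, and outbound SSH from internal hosts. The combined-log and flow-line formats and the RFC1918 allowlist are assumptions; swap in your own.

```python
import ipaddress
import re
DLS_IP = "176.120.22.24"  # IoC from the article: the ShinyHunters data leak site
# Assumption: RFC1918 ranges count as "internal"; replace with your own allowlist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Combined-log-format access line: client ip, method, path, status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Constructed egress flow line format: "src -> dst:port proto".
FLOW_RE = re.compile(r'^(\S+) -> (\S+):(\d+) (\S+)$')

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def audit_access_log(lines):
    # EMHub hits from outside the internal nets; a 2xx to an external client means it answered without auth
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if path.startswith("/emhub/") and not is_internal(client):
            findings.append((client, method, path, int(status)))
    return findings

def audit_egress(lines):
    # Any flow to the DLS, plus outbound SSH from an internal host to a non-internal one
    findings = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, dst, port, _proto = m.groups()
        if dst == DLS_IP:
            findings.append(("dls-contact", src, dst, int(port)))
        elif int(port) == 22 and is_internal(src) and not is_internal(dst):
            findings.append(("outbound-ssh", src, dst, int(port)))
    return findings

# Constructed sample lines (not real logs); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_ACCESS = [
    '10.0.5.12 - - [27/May/2026:09:14:02 +0000] "GET /emhub/api/v1/config HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/May/2026:09:15:44 +0000] "POST /emhub/api/v1/config HTTP/1.1" 200 98432',
    '203.0.113.7 - - [27/May/2026:09:15:50 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 2210',
]
SAMPLE_FLOWS = [
    "10.0.5.12 -> 10.0.9.3:1521 tcp",       # database traffic, ignored
    "10.0.5.12 -> 176.120.22.24:22 tcp",    # DLS contact over SSH
    "10.0.5.12 -> 198.51.100.9:22 tcp",     # outbound SSH to an unknown external host
]
```

Only the external POST and the two egress flows are reported; the internal admin request and the database traffic are not.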
ShinyHunters: The Gang That Never Sleeps
ShinyHunters didn't start with PeopleSoft.
They started with Snowflake.
They breached Ticketmaster through a cloud misconfiguration.
They stole OAuth tokens from Salesforce.
They phished Santander's employees with voice calls.
They've been everywhere. Every major data breach in the last three years has their fingerprints on it.
And now they've got PeopleSoft. And they're not done yet.