ProBackend
cybersecurity data breaches
3 hours ago · 8 min read

The Campus That Got Hacked: How a Single Zero-Day Broke 450,000 Student Records

A forensic breakdown of the ShinyHunters attack on Oracle PeopleSoft — how a single unauthenticated flaw led to the largest education-sector breach of 2026.

Let me tell you about the day the University of Nottingham stopped being a university and became a data warehouse for criminals.

It wasn’t a fire drill. No one screamed. No alarms blared. The breach didn’t even make the morning news until someone noticed their student ID number sitting on a public leak site. That’s the thing about this kind of attack: it doesn’t announce itself. It just… happens. And when it does, you’re already too late.

This wasn’t a phishing email. No one clicked a bad link. No intern downloaded malware. The attackers didn’t need to trick anyone. They just typed a URL into a script and hit enter.

CVE-2026-35273. That’s the name of the flaw. A remote code execution vulnerability in Oracle PeopleSoft’s Environment Management Hub — a piece of software most campuses didn’t even know they were running. And because it was exposed to the internet — because someone, somewhere, thought "it’s just internal" — the entire system collapsed like a house of cards.

I’ve written about dozens of breaches. This one? This one felt personal. Not because I knew someone at Nottingham. But because I’ve sat in enough university IT offices to know what this means. A single unauthenticated endpoint. A zero-day. And 454,600 lives turned into a commodity.

We’re not talking about credit card numbers here. We’re talking about passport numbers. Immigration records. Health data. Academic transcripts. Dates of birth. The kind of information that doesn’t just get sold — it gets weaponized. For years. By someone who doesn’t care if you’re 19 or 72.

And here’s the kicker: this wasn’t even the first time. ShinyHunters did this to Snowflake. To Salesforce. To Instructure. They’re not hackers. They’re logistics operators. They find a platform used by thousands, automate the exploit, and move on. And universities? We’re their favorite target.

Why? Because we’re slow. We’re underfunded. We assume the vendor has it covered. And we forget — every time — that when you’re running enterprise software on a budget of $200k a year, you’re not securing a system. You’re just hoping it doesn’t break.

Let’s break this down. Not because you need to be a sysadmin. But because you need to understand what happened — so you don’t let it happen again.

The Flaw That Wasn’t a Flaw — It Was a Default

PeopleSoft isn’t some obscure tool. It’s the backbone of your registrar’s office, your financial aid department, your HR system. It’s the thing that processes tuition payments, stores your thesis, and tracks your immunization records. And somewhere in that system, buried under layers of legacy code, was the Environment Management Hub — or PSEMHUB.

It’s meant to be internal. It’s meant to be behind a firewall. But in practice? In 2026, it was exposed to the public internet on 300+ campuses. Why? Because someone set it up for a one-time integration, forgot about it, and never closed the port.

CVE-2026-35273 is a deserialization flaw in the PSEMHUB component. No login. No password. No session cookie. One crafted HTTP POST to /PSEMHUB/hub and the attacker is running code on the server with whatever privileges the PeopleSoft web process has, which on a carelessly built host means root. Oracle’s own advisory called it "remotely exploitable without authentication." They didn’t sugarcoat it. They didn’t bury it in a footnote. They said it plainly: anyone who can reach the port can attack it, and no credential stands in the way.

And that’s what ShinyHunters did. Between May 27 and June 9, 2026, they scanned the internet for exposed endpoints. Automated. Efficient. Relentless. They didn’t care if you were Harvard or a community college in Nebraska. If your PeopleSoft instance was listening on port 80 or 443, you were on their list.
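As an added example (not the page’s or Oracle’s code, and not the attackers’ scanner), here is how to triage your own web-tier access log for the probes described above. It assumes an NCSA combined-format access log, which WebLogic and most reverse proxies can produce; the log lines and IP addresses are constructed for the example (documentation ranges, not real scanner infrastructure), and INTERNAL_NETS is a placeholder you would replace with your campus ranges.

```python
"""Triage a web-tier access log for hits on PeopleSoft management endpoints.

Added example for this article: not Oracle's code, not the attackers' scanner.
Assumes an NCSA combined-format access log. Sample lines and addresses are
constructed (documentation IP ranges), not real scanner infrastructure.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# The two paths the article says must never be reachable from the internet.
WATCHED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Networks you consider "inside". RFC 1918 is only a starting point: add your
# campus public ranges too. (Assumption for the sample: 10/8 is campus core.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Scanning window the article names (27 May to 9 June 2026, UTC).
CAMPAIGN_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
CAMPAIGN_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive

# ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: an internal admin GET, an internet source POSTing to the
# hub twice, a second internet source touching the Integration Gateway
# connector, and ordinary portal traffic that must not be flagged.
SAMPLE_LOG = """\
10.20.30.40 - - [28/May/2026:02:11:09 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:02:13:41 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [28/May/2026:02:13:42 +0000] "POST /PSEMHUB/hub HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [28/May/2026:02:15:00 +0000] "GET /PSIGW/HttpListeningConnector HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.7 - - [28/May/2026:02:16:10 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.PY_IC_PAY_INQ.GBL HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.55 - - [28/May/2026:02:20:00 +0000] "GET /psc/ps/EMPLOYEE/HRMS/?cmd=login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_probes(log_text):
    """Every request whose path touches a watched prefix, internal or not."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(WATCHED_PREFIXES):
            rec["internal"] = is_internal(rec["ip"])
            rec["in_campaign_window"] = CAMPAIGN_START <= rec["time"] < CAMPAIGN_END
            hits.append(rec)
    return hits


def summarize_external(log_text):
    """Per internet-facing source: watched-path hits, and how many were POSTs
    to /PSEMHUB/hub, the request shape the unauthenticated exploit needs.
    A single external hit is already a finding; the endpoint should be
    unreachable from outside."""
    summary = defaultdict(lambda: {"hits": 0, "hub_posts": 0, "paths": set(),
                                   "first": None, "last": None})
    for rec in find_probes(log_text):
        if rec["internal"]:
            continue
        s = summary[rec["ip"]]
        s["hits"] += 1
        s["paths"].add(rec["path"])
        if rec["method"] == "POST" and rec["path"] == "/PSEMHUB/hub":
            s["hub_posts"] += 1
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = max(s["last"] or rec["time"], rec["time"])
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize_external(SAMPLE_LOG).items():
        print(f"{ip}: {s['hits']} hit(s) on {sorted(s['paths'])}, "
              f"{s['hub_posts']} POST(s) to /PSEMHUB/hub, {s['first']} .. {s['last']}")
```

The internal GET is still recorded by find_probes so you can see who legitimately uses the hub; summarize_external keeps only sources outside INTERNAL_NETS, because one external hit on either path means the endpoint is exposed regardless of what the response code says.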

I asked a former Oracle engineer once: "Why didn’t you make authentication mandatory?" His answer: "We assumed no one would expose it." That’s not security. That’s wishful thinking.

And now, 454,600 students are paying the price for that assumption.


The Ghost in the Machine: How ShinyHunters Lived in the System

Once they got in, they didn’t just grab data. They moved like ghosts.

They didn’t use malware in the classic sense. They used MeshCentral, an open-source remote management tool, the kind IT departments use to fix laptops remotely. But ShinyHunters renamed the agent executable to meshagent64-azure-ops.exe. Suddenly it looked like a Microsoft Azure service, a legitimate cloud tool, and a remote-management agent with "azure" in its name phoning home over TLS is exactly the kind of thing an overworked SOC waves through. Renaming changes the file name and nothing else: the hash, the MeshCentral agent behaviour and the outbound beacon are all still there for anyone who looks.

They didn’t need to brute force passwords. They didn’t need to crack encryption. They just opened psappsrv.cfg, the PeopleSoft application server domain configuration, and found the database credentials sitting inside in plain text. No encryption. No rotation. Just a key under the mat. PeopleSoft ships a utility, PSCipher, for encrypting exactly those values; it had never been run.

Then they ran their script: [victim_abbreviation]_fanout.sh. A simple shell script that read /etc/hosts, looked for internal nodes, and tried to SSH into every one using a list of default credentials: psoft, oracle, linuxadm. If one worked — and it usually did — they dropped a file: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT. Not to threaten. Not to demand ransom. Just to mark territory. Like a dog peeing on a fire hydrant.
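An added example, not the attackers’ fanout.sh and not a product: detection logic for the fan-out pattern just described, run over constructed centralised sshd log lines. It assumes syslog-format sshd messages aggregated from several hosts; hostnames and addresses are invented, and the year is supplied because syslog timestamps omit it.

```python
"""Detect the SSH fan-out pattern the article describes: one compromised
host walking its neighbours with default PeopleSoft and Oracle accounts.

Added example for this article, not the attackers' fanout.sh and not a
product. Assumes sshd messages from all hosts are collected centrally in
syslog form. Hostnames, addresses and lines are constructed; syslog
timestamps carry no year, so one is supplied.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts the article lists as the fan-out script's default-credential targets.
DEFAULT_ACCOUNTS = {"psoft", "oracle", "linuxadm"}

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed: 10.20.30.40 (the app server) hits three hosts in two minutes
# with default accounts; 10.1.1.5 is a real admin; 10.9.9.9 is background noise.
SAMPLE_SYSLOG = """\
May 30 03:12:01 psdb01 sshd[4011]: Failed password for oracle from 10.20.30.40 port 50211 ssh2
May 30 03:12:03 psdb01 sshd[4011]: Accepted password for psoft from 10.20.30.40 port 50212 ssh2
May 30 03:12:20 psweb02 sshd[2208]: Failed password for psoft from 10.20.30.40 port 50230 ssh2
May 30 03:12:22 psweb02 sshd[2208]: Accepted password for linuxadm from 10.20.30.40 port 50231 ssh2
May 30 03:13:05 psprcs01 sshd[9870]: Accepted password for oracle from 10.20.30.40 port 50240 ssh2
May 30 03:15:44 psweb02 sshd[2250]: Accepted password for jsmith from 10.1.1.5 port 61002 ssh2
May 30 09:40:10 psdb01 sshd[5120]: Failed password for invalid user root from 10.9.9.9 port 40001 ssh2
"""


def parse_sshd(text, year=2026):
    """Password-auth outcomes only; key-based logins are a different story."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"time": ts, "host": m["host"], "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect_fanout(text, window=timedelta(minutes=10), min_hosts=3, year=2026):
    """One finding per source that reaches >= min_hosts distinct hosts with a
    default account inside a sliding window. Failed attempts count too: the
    fan-out tries every credential on every host, so the misses are the
    loudest part of the signal."""
    by_src = defaultdict(list)
    for ev in parse_sshd(text, year):
        if ev["user"] in DEFAULT_ACCOUNTS:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e["host"] for e in span}
            if len(hosts) >= min_hosts:
                findings.append({
                    "src": src, "hosts": sorted(hosts),
                    "accounts": sorted({e["user"] for e in span}),
                    "accepted": sum(e["result"] == "Accepted" for e in span),
                    "failed": sum(e["result"] == "Failed" for e in span),
                    "first": span[0]["time"], "last": span[-1]["time"],
                })
                break  # one finding per source is enough to page someone
    return findings


if __name__ == "__main__":
    for f in detect_fanout(SAMPLE_SYSLOG):
        print(f"{f['src']} reached {f['hosts']} as {f['accounts']} "
              f"({f['accepted']} accepted, {f['failed']} failed) "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

The threshold is deliberately low: a PeopleSoft application server has no business password-authenticating to three neighbours in ten minutes under any of those accounts, and a legitimate admin (jsmith above) never trips it.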

They didn’t even bother encrypting the data they stole. They compressed it with zstd — a fast, open-source algorithm — and shoved it onto a public server at 176.120.22.24. A clearnet mirror of their leak site. No Tor. No dark web. Just a public IP. And for a week, anyone could download the entire student database of Nottingham.

I’ve seen ransomware gangs hide their data for months. ShinyHunters didn’t care about hiding. They wanted you to see it. They wanted you to feel the shame. And they wanted the world to know: your university isn’t safe. Your data isn’t sacred. You’re just a target with a mailing list.

And here’s the worst part — they didn’t even have to get lucky. They just had to be patient. And we were too busy to notice.


The University That Wasn’t Ready

Let’s be honest: universities aren’t designed to be secure. We’re designed to be open.

We want research to be shared. We want students to access grades from anywhere. We want alumni to donate online. We want faculty to collaborate across continents. And in the name of convenience, we’ve turned our systems into open-air markets.

When Mandiant reached out to over 100 institutions after detecting the scanning, 68% were higher education. That’s not a coincidence. That’s a pattern. And it’s not because universities are stupid. It’s because we’re under-resourced. We have 500,000 students and 12 IT staff. We patch once a quarter. We don’t monitor logs. We don’t run red teams. We assume if it’s from Oracle, it’s safe.

The University of Nottingham didn’t even know they were compromised until the data was already public. No alerts. No SIEM triggers. No one noticed the outbound traffic to azurenetfiles.net. Because the name looked like Azure. Because the traffic was encrypted and nobody looked at where it went. Because we had stopped questioning anything that looked like a cloud service.

And now? Now, those 454,600 students have to live with the fact that their passport numbers, health records, and academic transcripts are out there. Forever. On a dark web forum. In a hacker’s database. In someone’s ransomware toolkit.

We don’t have a word for this kind of betrayal. We don’t have a policy for it. We don’t have a budget for it. And we’re still doing it to other campuses.

I talked to a CIO at a mid-sized university last week. "We’ve got PeopleSoft," he said. "But we don’t use the EMHub. So we’re fine." I asked him: "When was the last time you scanned for exposed endpoints?" He paused. "We don’t do that." I didn’t ask again.

That’s the problem. We’re not protecting our systems. We’re just hoping they don’t get hacked.

What You Can Do — Right Now

I’m not going to tell you to patch. You know you need to patch. Oracle released an out-of-band fix on June 10. You’ve got it. You just haven’t installed it.

Here’s what you actually need to do:

  1. Take /PSEMHUB/* off the internet, at the network layer and not just in a WAF rule: the listener should only be reachable from the hosts that actually need it, and /PSIGW/HttpListeningConnector only from the integration partners you can name. A WAF rule is a stopgap; a path that cannot be reached cannot be exploited. If you’re not sure where these endpoints are, run a scan. Now. Don’t wait for someone to tell you.

  2. Hunt for the ghosts. Look for meshagent64-azure-ops.exe on any server that runs PeopleSoft. Look for directories named logs, persistantstorage, or scratchpad in your PSEMHUB installation folder. Look for .jsp files you didn’t put there. If you find them, assume you’re compromised. Shut it down. Call your incident response team.

  3. Rotate every hardcoded credential. Find every psappsrv.cfg, every config.xml, every weblogic.properties. If you see a password in plain text — change it. Immediately. And don’t just change it — rotate it across every system. This isn’t a one-time fix. It’s a culture change.

  4. Audit your vendors. If you use a third party to manage your PeopleSoft system — and most of you do — demand proof they’ve patched. Not a checklist. Not an email. Proof. Logs. Screenshots. A vulnerability scan. If they can’t give it to you, fire them.

  5. Stop treating staging environments as safe. That server you spun up for testing in 2021? It’s still running. It’s still exposed. And it’s still vulnerable. Treat every server like it’s production. Because in 2026, it is.
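The hunt in steps 2 and 3 as one script, added here as an example and not Oracle’s or any vendor’s tooling. It walks a PeopleSoft install for the indicators named in step 2, parses psappsrv.cfg for the plaintext passwords of step 3, and builds a constructed directory tree in a temporary folder so it runs offline. Assumptions: the layout is a simplified stand-in for a real PIA and app-server domain; PSCipher-encrypted values are taken to start with "{V"; the baseline of expected .jsp files is a placeholder you would capture from a clean install; the three directory names are the ones the article gives, and you should compare them against your own clean install before acting on them.

```python
"""Hunt a PeopleSoft host for the indicators in the article's checklist and
check the domain config for plaintext passwords.

Added example for this article, not Oracle's tooling. The directory layout
is a simplified stand-in for a real PIA/app-server install, the sample
config is constructed, and PSCipher-encrypted values are assumed to begin
with "{V". run_demo() builds the tree in a temp directory so it runs offline.
"""
import tempfile
from pathlib import Path

MARKER_FILE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
MESHAGENT_NAME = "meshagent64-azure-ops.exe"
PSEMHUB_DIRS = {"logs", "persistantstorage", "scratchpad"}  # names from the article
CONFIG_FILES = {"psappsrv.cfg", "psprcs.cfg"}
PASSWORD_KEYS = ("pswd", "pwd", "password")

# Constructed psappsrv.cfg fragment: one PSCipher-encrypted value (placeholder
# ciphertext) and one plaintext password that must be reported.
SAMPLE_CFG = """\
[Startup]
DBName=HRPRD
DBType=ORACLE
UserId=PS
UserPswd=PS
ConnectId=people
ConnectPswd={V2}placeholderciphertext==
ServerName=
"""


def plaintext_keys(cfg_text):
    """Return Section/Key for every password-like key whose value is present
    and not in the (assumed) PSCipher form '{V...}'."""
    section, found = "", []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower().endswith(PASSWORD_KEYS) and value and not value.startswith("{V"):
            found.append(f"{section}/{key}")
    return found


def hunt(root, baseline_jsp=frozenset()):
    """Walk root and collect the article's indicators, as root-relative paths."""
    root = Path(root)
    f = {"marker_file": [], "meshagent": [], "psemhub_dirs": [],
         "unexpected_jsp": [], "plaintext_credentials": []}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        under_hub = "PSEMHUB" in p.parts
        if p.is_dir():
            if under_hub and p.name.lower() in PSEMHUB_DIRS:
                f["psemhub_dirs"].append(rel)
        elif p.name == MARKER_FILE:
            f["marker_file"].append(rel)
        elif p.name.lower() == MESHAGENT_NAME:
            f["meshagent"].append(rel)
        elif under_hub and p.suffix.lower() == ".jsp" and rel not in baseline_jsp:
            f["unexpected_jsp"].append(rel)  # any .jsp you did not put there
        elif p.name.lower() in CONFIG_FILES:
            f["plaintext_credentials"] += [f"{rel}: {k}" for k in plaintext_keys(p.read_text())]
    return {k: sorted(v) for k, v in f.items()}


def build_sample_tree(root):
    """Constructed layout with the artefacts the article describes."""
    hub = root / "webserv/peoplesoft/applications/peoplesoft/PSEMHUB"
    for d in ("hub", "persistantstorage", "scratchpad", "WEB-INF"):
        (hub / d).mkdir(parents=True)
    (hub / "index.jsp").write_text("<%-- constructed baseline page --%>")
    (hub / "WEB-INF/cmd.jsp").write_text("<%-- constructed stand-in, not a webshell --%>")
    (root / "appserv/HRPRD").mkdir(parents=True)
    (root / "appserv/HRPRD/psappsrv.cfg").write_text(SAMPLE_CFG)
    (root / "tools").mkdir()
    (root / "tools" / MESHAGENT_NAME).write_bytes(b"MZ")  # stub, not a real binary
    (root / MARKER_FILE).write_text("constructed marker file")


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        baseline = frozenset({"webserv/peoplesoft/applications/peoplesoft/PSEMHUB/index.jsp"})
        return hunt(root, baseline)


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(f"{category}: {items or 'none'}")
```

Point hunt() at PS_HOME, PS_CFG_HOME and the PIA web server root on a real host, with a baseline captured from a clean install; a name match on the agent binary is only the first pass, since the attackers can rename it again, so follow up by hashing anything unexpected.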

This isn’t about technology. It’s about accountability. It’s about admitting that we’ve been negligent. That we’ve traded security for convenience. That we’ve assumed the vendor had our back.

And now, 454,600 students are paying the price.

So here’s my challenge: the next time someone says "it’s just internal," ask them: "Who’s going to tell the student whose passport number is now on a dark web forum?"

Because you’re not just protecting a system. You’re protecting a person.

And if you’re not doing that? You’re not a university. You’re just a data broker with a diploma.
