The Flaw That Broke the Back Office
Oracle PeopleSoft isn’t glamorous. It doesn’t run your phone or your car. But if you’ve ever been paid by a university, hospital, or automaker, it’s probably the system that printed your paycheck. And last month, that system cracked open like a rotten walnut.
CVE-2026-35273 isn’t just another vulnerability. It’s a 9.8 CVSS nuclear bomb in a room full of sleeping guards. Unauthenticated. Remote code execution. No login. No password. Just a ping—and suddenly, your HR database is someone else’s open notebook.
Oracle didn’t wait for the press. They didn’t issue a patch. They dropped emergency mitigations like a fire extinguisher on a gasoline spill. The message was clear: this isn’t theoretical. It’s already in the wild.
And the wild? It’s ShinyHunters.
They’re not your typical ransomware crew. They don’t encrypt files. They don’t lock you out. They steal. And they leak. And they don’t care if you pay. They care if you’re embarrassed.
I’ve seen this before. The same gang hit Instructure Canvas last year, stole 280 million student records, and made Instructure pay up. But this? This was different. This wasn’t a school portal. This was the spine of American enterprise: payroll, tax forms, insurance filings, employee SSNs, bank accounts, dependent records—everything that makes a company run, and everything that makes a life vulnerable.
The first wave hit Nottingham University. Then Nissan. Then the NAIC. And then the silence. Because when the people who run your benefits, your pension, your taxes get breached, nobody wants to talk.
But we should.
Because if you think your HR department is secure because it’s "on-prem," you’re already compromised.
This flaw didn’t need a phishing email. It didn’t need a click. It just needed to be online.
And it was.
Thousands of times.
We’ll get to who’s responsible. But first—how did they do it?
The Gadget Chain: When Old Bugs Become New Weapons
ShinyHunters didn’t invent this. They didn’t even find the flaw. They just knew where to look.
The CVE-2026-35273 vulnerability lives in PeopleTools 8.61 and 8.62. It’s a deserialization flaw buried deep in the HTTP listener connector. But here’s the kicker: Oracle had already patched this exact class of flaw in 2024. So why did it still work?
Because nobody updated.
Enterprise software is a graveyard of half-mended systems. Universities still run PeopleSoft 8.61 because upgrading means retraining 200 HR staff and rewriting 17 custom integrations. Hospitals keep it because the vendor won’t support the migration. And Nissan? They had it on a private network. Until someone opened a port for remote payroll access.
ShinyHunters didn’t need a new exploit. They needed a map.
They started with the same IPs we’ve seen before: 142.11.200.186–190, 108.174.202.99, 176.120.22.24. Those aren’t random. They’re staging servers. And on them? Not malware. Not ransomware. Just… tools.
MeshCentral agents. The same remote desktop tool used by legitimate IT teams. But here, it was repurposed to look like an Azure service. That’s not clever. That’s lazy. And that’s why it worked.
They didn’t brute-force credentials. They didn’t crack passwords. They didn’t need to.
They found the .bash_history files on exposed servers. And there, in plain text, were the commands:
ssh [email protected]
ssh [email protected]
ssh [email protected]
And then the script:
for host in $(cat /etc/hosts | grep -i peoplesoft); do
ssh -i /keys/psoft.key $host "echo 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' > /opt/oracle/psft/pt/8.62/webserv/peoplesoft/htdocs/"
done
It wasn’t even a script. It was a note. A postcard. A signature.
And it worked.
Because nobody changed the default credentials. Nobody rotated the SSH keys. Nobody even knew those servers were exposed.
The vulnerability? A zero-day.
The breach? A failure of basic hygiene.
And ShinyHunters? They just showed up with a key that was still hanging under the mat.
The Fallout: When Payroll Becomes a Public Record
Let’s be honest: most of us don’t care about PeopleSoft. Until it’s our data.
Nissan’s breach notification was clinical. "Employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information." That’s not a data leak. That’s a life exposed.
Think about it. Your SSN. Your bank account. Your kid’s name. Your spouse’s medical plan. All of it, stored in a system no one ever thought to secure.
And now? It’s on a leak site. Downloaded. Indexed. For sale.
Not to criminals. To recruiters. To identity thieves. To insurers who want to know who’s likely to file a claim. To political operatives who want to know who’s earning what.
The NAIC didn’t lose your data. They lost regulatory data. But here’s the twist: ShinyHunters claimed 3.1 TB of files. 105,000 documents. 264,000 insurance filings from 2017 to 2024.
NAIC said: "Only public data. Outdated logs. Nothing sensitive."
ShinyHunters said: "We verified it with a human. This is accurate."
And here’s the real horror: they might both be right.
The data NAIC called "public" is still confidential. It’s not your SSN. But it’s your insurer’s financial health. It’s the actuarial models they use to set your premiums. It’s the internal notes about why your claim was denied. It’s the audit trails that regulators use to catch fraud.
And now? It’s public.
And the worst part? It’s not even the data that’s dangerous.
It’s the trust.
When a university admits their HR system was breached, parents stop trusting them. When Nissan admits their payroll was stolen, employees start looking for jobs. When the NAIC admits their regulatory data was exposed, states lose faith in federal oversight.
This isn’t a breach. It’s a fracture.
And it’s happening in the quiet places.
Not in Silicon Valley.
Not in the cloud.
In the server room behind HR.
Where no one ever thought to look.
The Mandiant Report: The Real Target Wasn’t the System
Mandiant didn’t just confirm the attack. They mapped it.
And what they found was chilling.
68% of the targeted organizations? Higher education.
Why?
Because universities are the most poorly secured enterprise systems on the planet.
They have hundreds of departments. Dozens of legacy systems. Budgets that haven’t changed since 2010. And a culture that treats security like a compliance checkbox.
They’re also the most likely to have PeopleSoft running on a server that hasn’t been patched since the Obama administration.
Mandiant found attackers probing for /PSEMHUB/ and /PSIGW/HttpListeningConnector. Those aren’t attack vectors. Those are doors. And they were wide open.
They found .jsp webshells in WebLogic directories. Not because they were clever. Because they were lazy. And because no one had ever deleted the default demo files.
They found MeshCentral agents masquerading as Azure services. Again—not because it was sophisticated. Because it was plausible. And no one was watching.
The real story here isn’t the zero-day. It’s the zero vigilance.
The attackers didn’t need to be geniuses. They just needed to be patient.
They scanned. They waited. They found the one server that hadn’t been updated since 2021. They dropped their shell. They copied the data. And they moved on.
And no one noticed.
Until the leak site went live.
And then? Everyone panicked.
But here’s the truth: if you’re running PeopleSoft on the internet, you were already compromised. The zero-day just gave them a clean entry.
The real failure? We thought security was about patches.
It’s not.
It’s about awareness.
And nobody was looking.
What You Can Do: Stop Waiting for a Patch
Let me be blunt: if you’re still running PeopleSoft 8.61 or 8.62, and you haven’t applied Oracle’s emergency mitigations, you’re already compromised.
But here’s the thing: patches won’t save you.
Not if you’re still exposing those endpoints to the internet.
Not if you’re still using default credentials.
Not if you’re still letting SSH keys sit on a server with no logging.
Here’s what you do:
- Block the IPs. 142.11.200.186–190, 108.174.202.99, 176.120.22.24. If you’re seeing traffic from these, you’re being probed. Block it. Now.
- Audit your PeopleSoft instances. Are they internet-facing? If yes, shut them down. If you need remote access, use a VPN. Not a port forward.
- Check your SSH keys. Did anyone ever change the default psoft, oracle, or linuxadm keys? If not, assume they’re compromised. Rotate them. All of them.
- Look for .jsp files. In your WebLogic directories. In your PSEMHUB folders. If you see them, you’re infected. Don’t just delete them. Rebuild the server.
- Log everything. If you’re not logging requests to /PSEMHUB/ and /PSIGW/HttpListeningConnector, you’re flying blind. Start now.
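Here is an added example of what the last three points look like once you are actually logging: a small Python checker that runs over web-tier access log lines, expands the indicator address range quoted above, matches requests to the /PSEMHUB/ and /PSIGW/HttpListeningConnector endpoints Mandiant saw being probed, and flags direct requests to .jsp files, which is how a dropped webshell gets driven. This is not code from the original post, from Oracle, or from Mandiant. It assumes Apache/WebLogic-style Combined Log Format, and every log line in it is constructed for the example, including the /samples/demo.jsp path.

```python
"""Flag PeopleSoft probe traffic in a web-tier access log.

Added example; not code from the original post, Oracle, or Mandiant.
Assumes Apache/WebLogic-style Combined Log Format lines. The sample log
below is constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicator addresses quoted in the post; the 186-190 range is expanded here.
INDICATOR_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
INDICATOR_IPS |= {ipaddress.ip_address("108.174.202.99"),
                  ipaddress.ip_address("176.120.22.24")}

# Endpoints the post says Mandiant saw being probed.
WATCHED_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Combined Log Format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    line_no: int
    ip: str
    path: str
    reasons: list


def is_indicator_ip(addr: str) -> bool:
    """True if addr is one of the staging addresses named in the post."""
    try:
        return ipaddress.ip_address(addr) in INDICATOR_IPS
    except ValueError:
        return False


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> list:
    """List the reasons a parsed request deserves attention (empty = benign)."""
    reasons = []
    if is_indicator_ip(rec["ip"]):
        reasons.append("source in indicator list")
    path = rec["path"].split("?", 1)[0]          # drop the query string
    if any(path.startswith(p) for p in WATCHED_PATHS):
        reasons.append("probe of watched endpoint")
    if path.lower().endswith(".jsp"):
        reasons.append("direct .jsp request (possible webshell)")
    return reasons


def scan(lines) -> list:
    """Run classify() over every parseable line; unparseable lines are skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(n, rec["ip"], rec["path"], reasons))
    return findings


# Constructed sample: one normal self-service request, three probes, one
# indicator-IP visit to the front page, and one garbage line.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2026:08:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120',
    '142.11.200.188 - - [01/May/2026:08:00:07 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 321',
    '203.0.113.9 - - [01/May/2026:08:00:09 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 210',
    '203.0.113.9 - - [01/May/2026:08:01:15 +0000] "GET /samples/demo.jsp HTTP/1.1" 200 88',
    '176.120.22.24 - - [01/May/2026:08:02:40 +0000] "GET / HTTP/1.1" 200 1200',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.ip} {f.path} -> {', '.join(f.reasons)}")
```

Point scan() at the real access log (one line per list element) and treat any hit on a watched endpoint from outside your own ranges as the probing the post describes; a .jsp request that returns 200 on a host that should not serve any .jsp deserves the rebuild-not-delete response from the list above. The indicator list is only as good as the day it was published, so the endpoint and .jsp rules are the ones that keep working after the staging servers move.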
And stop thinking this is an Oracle problem.
It’s not.
It’s yours.
Because security isn’t about vendors. It’s about you.
You’re the one who approved the budget. You’re the one who said "we’ll patch next quarter." You’re the one who let the server stay online because "it’s just HR."
This isn’t a zero-day.
It’s a zero-effort.
And it’s still happening.
Right now.
In your organization.
And no one’s looking.