The attack leveraged CVE-2026-35273, a critical vulnerability with a CVSS score of 9.8. The flaw exists in the Updates Environment Management (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. It allows attackers to move from an unauthenticated Server-Side Request Forgery (SSRF) attack to full Remote Code Execution (RCE) without requiring user interaction or authentication. Because the vulnerability can be exploited over standard HTTP, any exposed and unpatched server is at significant risk.
Oracle released an emergency security update on June 10, 2026, to address the flaw. Two days later, the vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation.
According to security researchers at Mandiant and Google’s Threat Intelligence Group (GTIG), the ShinyHunters group began exploiting the vulnerability as early as May 27, 2026—more than two weeks before Oracle publicly disclosed the issue. During that period, attackers reportedly compromised more than 300 Oracle PeopleSoft instances across over 100 organizations using automated attack tools.
Breach notifications submitted to the California Attorney General’s Office revealed that Nissan Americas was among the organizations impacted during the wider campaign. The company's investigation found that the intrusion occurred between May 27 and June 9, 2026.
The compromised information may include employee contact details, banking information, Social Security Numbers (SSN), Social Insurance Numbers (SIN), National Identification Numbers, financial and tax records, as well as dependent and beneficiary information. The incident affects both current and former employees in the U.S., Canada, Mexico, and Brazil.
Following the discovery of the breach, Nissan activated its incident response procedures, brought in external cybersecurity experts, and coordinated with law enforcement agencies. As part of its containment measures, the company limited payroll system access, allowing employees to view pay slips and modify direct deposit details only through corporate network computers or secure VPN connections. Additional identity verification measures have also been introduced for payroll-related requests. Nissan said it is providing complimentary credit monitoring and dark web monitoring services to eligible affected individuals.
Mandiant's investigation found that attackers installed MeshCentral remote management agents on compromised systems and disguised them as legitimate Microsoft Azure services, using file names such as meshagent64-azure-ops.exe. Command-and-control communications were routed through wss://azurenetfiles[.]net:443/agent.ashx.
The attackers also carried out post-compromise activities such as reviewing PeopleSoft configurations, moving laterally across networks, and compressing stolen data using zstd before exfiltration. Infected servers were left with a ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
Cybersecurity firms Rapid7 and Mandiant have urged organizations running Oracle PeopleTools 8.61 or 8.62 to immediately apply Oracle’s security updates. They also recommend disabling or restricting access to the PSEMHUB service, blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector, monitoring outbound SMB traffic for potential NetNTLM hash capture attempts, investigating systems for signs of compromise even after patching, and rotating credentials that may have been exposed.
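The recommendation to investigate even after patching can start with the web tier's access logs. The following is an added example, not code from Oracle, Rapid7 or Mandiant: it lists requests from outside the internal network to the two paths named above, from the first reported exploitation date onward. It assumes Combined Log Format and RFC 1918 internal ranges, and the sample log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone
from posixpath import normpath
from urllib.parse import unquote

# Paths the article says to block from external access (compared lower-cased).
RESTRICTED = ("/psemhub", "/psigw/httplisteningconnector")
# Earliest exploitation date reported in the article.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
# Assumption: these ranges are "internal"; replace with your own allocations.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the web tier writes Combined Log Format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def normalize(uri):
    """Drop the query string, percent-decode, resolve ./.. and //, lower-case."""
    path = unquote(uri.split("?", 1)[0])
    return normpath("/" + path.lstrip("/")).lower()

def is_restricted(uri):
    p = normalize(uri)
    return any(p == r or p.startswith(r + "/") for r in RESTRICTED)

def external_hits(lines):
    """Return (time, ip, method, uri, status) for external requests to restricted paths."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        ip, ts, method, uri, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        addr = ipaddress.ip_address(ip)
        if when < WINDOW_START or any(addr in net for net in INTERNAL):
            continue
        if is_restricted(uri):
            hits.append((when.isoformat(), ip, method, uri, int(status)))
    return hits

# Constructed sample lines: documentation-range IPs and made-up request paths.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/constructed-path HTTP/1.1" 200 512 "-" "-"',
    '10.1.2.3 - - [29/May/2026:09:00:00 +0000] "GET /PSEMHUB/constructed-path HTTP/1.1" 200 90 "-" "-"',
    '198.51.100.20 - - [02/Jun/2026:11:30:45 +0000] "POST /psigw/%48ttpListeningConnector?x=1 HTTP/1.1" 200 77 "-" "-"',
    '203.0.113.7 - - [01/May/2026:08:00:00 +0000] "GET /PSEMHUB/constructed-path HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.20 - - [03/Jun/2026:12:00:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.9 - - [04/Jun/2026:01:02:03 +0000] "GET /static/../PSEMHUB//x HTTP/1.1" 403 0 "-" "-"',
]
```

If the server sits behind a load balancer or reverse proxy, the first log field is the proxy's address, so run this against the proxy's logs or the forwarded client address instead. Any hit is a lead for host-level review, not proof of compromise.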
The incident represents the second major Oracle ERP zero-day vulnerability with a CVSS score of 9.8 to be actively exploited in less than eight months. It follows the exploitation of CVE-2025-61882 in Oracle E-Business Suite by the Cl0p ransomware group in 2025, highlighting the growing focus of organized cybercriminal groups on enterprise resource planning (ERP) platforms.