Week 25 – Caught in the Web: ShinyHunters Spins a MeshCentral Trap for PeopleSoft

15 – 21 June 2026

Critical vulnerability has been found with the CVSS score of 9.8 in CVE-2026-35273. Our CVE of the Week is about PeopleSoft which is a comprehensive Enterprise Resource Planning (ERP) software suite owned by Oracle Corporation.

PeopleSoft helps large organizations manage their daily business operations, such as human resources, finances, supply chains, and student administration, through integrated, centralized application.

The flaw requires no authentication, no user interaction, and has low attack complexity, allowing a remote threat actor to execute arbitrary code over HTTP.
The exploitation of this vulnerability was observed targeting the Environment Management Hub (PSEMHUB) endpoints.
Successful attacks of this vulnerability can lead to takeover of PeopleSoft.

The campaign is associated with the data leaks of stolen organization data published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026.

The notorious ShinyHunters hacker group claimed the responsibility for the exploitation.
The attackers’ staging environments hosted customized MeshCentral agents masquerading as legitimate cloud endpoints, which they used to run administrative command queries and deploy a custom lateral movement and defacement script, [victim]_fanout.sh. It spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file named “README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT” into PeopleSoft directories.

The infrastructure hosted pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services. MeshCentral is an open-source remote management server and it was used by the attackers to establish C2 communication and persistency. As a common masquerading tactic, azurenetfiles.net was chosen for C2 to impersonate legitimate Microsoft Azure NetApp Files endpoints. An unconfigured Linux meshagent binary was also staged, suggesting that the threat actors passed parameters dynamically via the command line during deployment.

During the campaign multiple organizations were impacted, most of them in the US.
ShinyHunters stated that the victim outreach has only just started, and it has not posted most of the organizations.

Supported versions that are affected are 8.61 and 8.62.
To mitigate the vulnerability restrict external access and apply oracle patches as available

For more information:
https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.