NAIC Confirms Breach via Critical Oracle PeopleSoft Zero-Day Flaw Exploited by ShinyHunters

ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Insurance Regulators

Severity: CRITICAL
Published: June 24, 2026
Updated: June 29, 2026
Categories: Vulnerability, Data Breach, Threat Actor

Impact Scope

People Affected: Not specified
Industries Affected: Government, Education, Finance, Technology
CVE Identifiers: CVE-2026-35273 (CRITICAL, CVSS 9.8)

Full Report (when first published)

Executive Summary

The U.S. National Association of Insurance Commissioners (NAIC) has fallen victim to a cyberattack leveraging a critical zero-day vulnerability in Oracle PeopleSoft. The incident is part of a larger campaign attributed to the notorious data extortion group ShinyHunters, which exploited the flaw, tracked as CVE-2026-35273, against more than 100 organizations globally. The vulnerability, which carries a CVSS score of 9.8, allows a remote, unauthenticated attacker to execute arbitrary code on affected systems. The campaign was active for at least 14 days before Oracle released an emergency patch on June 10, 2026. While the NAIC states no personally identifiable information was compromised, the incident highlights the significant risk posed by zero-day exploits in widely used enterprise software.


Vulnerability Details

The core of this attack is CVE-2026-35273, a critical remote code execution (RCE) vulnerability in Oracle PeopleSoft Enterprise PeopleTools.

  • CVE ID: CVE-2026-35273
  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Description: The vulnerability allows an unauthenticated attacker with network access via HTTP to completely compromise the PeopleSoft Enterprise PeopleTools system. The ease of exploitation and lack of authentication make this an extremely dangerous flaw.

Affected Systems

The vulnerability affects the following versions of Oracle PeopleSoft Enterprise PeopleTools:

  • PeopleTools 8.61
  • PeopleTools 8.62

These versions are used by a wide range of organizations, including government agencies, universities, and large corporations, for managing human resources, finances, and other critical business functions.

Exploitation Status

The vulnerability was actively exploited as a zero-day by the ShinyHunters group. The attack window for the campaign reportedly ran from May 27 to June 9, 2026. This means attackers had at least two weeks to exploit the flaw before Oracle released an out-of-band security alert and patch on June 10. The NAIC detected the breach on June 11. The Federal Bureau of Investigation (FBI) is investigating the broader campaign, which targeted over 100 organizations, with a heavy focus on the higher education sector.

Impact Assessment

For the NAIC, the attackers gained temporary access to data storage areas containing publicly available financial data and credit rating information. The organization asserts that no PII or sensitive banking information was compromised. However, for other victims, the impact could be far more severe. A successful exploit of CVE-2026-35273 gives an attacker full control over the PeopleSoft system. This could lead to:

  • Massive Data Theft: Exfiltration of sensitive employee and financial data, including PII, payroll information, and proprietary business data.
  • Financial Fraud: Manipulation of financial records or payment systems managed by PeopleSoft.
  • Further Intrusion: Use of the compromised PeopleSoft server as a beachhead to pivot deeper into the victim's network.
  • Extortion: ShinyHunters is a data extortion group, meaning they steal data and threaten to leak it unless a ransom is paid.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Log Source: Web Server Logs (e.g., IIS, Apache, WebLogic). Look for unusual POST or GET requests to PeopleSoft application URLs that do not match legitimate traffic patterns.
  • Process Name: java.exe or similar application server process. Monitor for child processes being spawned by the PeopleSoft application server process, such as cmd.exe, powershell.exe, or sh. This is a strong indicator of RCE.
  • File Path: PeopleSoft application directories. Use file integrity monitoring to detect the creation of unexpected files (e.g., web shells, scripts) in PeopleSoft web-accessible directories.
  • Network Traffic Pattern: Outbound connections from PeopleSoft servers. Look for connections to unknown external IP addresses, which could indicate C2 communication or data exfiltration.

Detection Methods

  • Vulnerability Scanning: Use vulnerability scanners with updated plugins to identify PeopleSoft instances running the vulnerable versions (8.61, 8.62).
  • Log Analysis: Review web server access logs for PeopleSoft systems for any requests from unknown or suspicious IP addresses, especially around the exploitation timeframe (late May to early June 2026). Look for requests that resulted in errors or had unusual parameters.
  • Endpoint Monitoring: Deploy EDR on PeopleSoft servers to detect suspicious process creation, such as the application server spawning a shell. This aligns with D3FEND's D3-PA - Process Analysis.
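One way to carry out the log-analysis step above, as an added example that is not part of the original article: it parses combined-format web server access lines, keeps only requests to PeopleSoft URLs inside the reported May 27 to June 9 window, and reports those that came from sources outside an allowlist or that returned errors. The /psp/ and /psc/ prefixes, the allowlist addresses and the sample log lines are assumptions constructed for illustration.

```python
"""Triage PeopleSoft web access logs for the CVE-2026-35273 exploitation window.
Added example, not from the original article. Assumed: NCSA combined log format,
PeopleSoft URLs under /psp/ or /psc/, a client allowlist, constructed sample lines."""
import re
from datetime import datetime, timezone

# Reported exploitation window: May 27 to June 9, 2026 (end bound is exclusive).
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)
KNOWN_SOURCES = {"10.0.0.5", "203.0.113.10"}  # assumed legitimate client addresses
PEOPLESOFT_PATH = re.compile(r"^/ps[pc]/")     # assumed PIA servlet prefixes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one combined-format line; None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def review_reasons(entry):
    """Why a PeopleSoft request inside the window deserves analyst review."""
    if not WINDOW_START <= entry["ts"] < WINDOW_END:
        return []                      # outside the campaign window
    if not PEOPLESOFT_PATH.match(entry["path"]):
        return []                      # not a PeopleSoft application URL
    reasons = []
    if entry["ip"] not in KNOWN_SOURCES:
        reasons.append("source not in allowlist")
    if entry["status"] >= 400:
        reasons.append("error status %d" % entry["status"])
    return reasons

def triage(lines):
    """Return (ip, path, reasons) for every line worth reviewing."""
    hits = []
    for entry in filter(None, map(parse_line, lines)):
        reasons = review_reasons(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits

# Constructed sample: one request to flag; known source, out-of-window and non-PeopleSoft lines stay quiet.
SAMPLE_LOG = [
    '198.51.100.23 - - [30/May/2026:02:14:07 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/X.Y.GBL HTTP/1.1" 500 1203 "-" "curl/8.0"',
    '10.0.0.5 - - [02/Jun/2026:09:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Jun/2026:02:14:07 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/X.Y.GBL HTTP/1.1" 500 1203 "-" "curl/8.0"',
    '192.0.2.7 - - [01/Jun/2026:11:22:33 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
```

Feed it real access logs line by line and compare the allowlist against your own VPN and egress ranges; the status threshold is a starting point, not a verdict.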

Remediation Steps

  1. Immediate Patching: Apply Oracle's out-of-band security patch for CVE-2026-35273 immediately to all affected PeopleSoft Enterprise PeopleTools instances. (MITRE Mitigation: M1051 - Update Software)
  2. Assume Compromise: If you were running a vulnerable version during the exploitation window, assume the system was compromised. Initiate a full incident response investigation.
  3. Hunt for Malicious Activity: Scrutinize logs and server files for any signs of unauthorized access, web shells, or newly created user accounts.
  4. Isolate Systems: If patching cannot be done immediately, restrict access to the PeopleSoft application from the internet or limit it to trusted IP addresses as a temporary compensating control. (MITRE Mitigation: M1035 - Limit Access to Resource Over Network)
  5. Review Access: Audit all user accounts and privileges within the PeopleSoft application, looking for any unauthorized changes.

Timeline of Events

  1. May 27, 2026: The ShinyHunters campaign exploiting CVE-2026-35273 reportedly begins.
  2. June 9, 2026: The main exploitation window for the campaign ends.
  3. June 10, 2026: Oracle releases an out-of-band security patch for CVE-2026-35273.
  4. June 11, 2026: The NAIC identifies the breach of its systems.
  5. June 23, 2026: The NAIC publicly confirms the cyberattack.
  6. June 24, 2026: This article was published.

Article Updates

June 29, 2026

ShinyHunters claimed 3.1TB data theft from NAIC, including AWS config files, and subsequently leaked the data after ransom demands were not met.

MITRE ATT&CK Mitigations

Applying the emergency patch from Oracle is the primary and most effective way to remediate this vulnerability.

Restricting internet access to the PeopleSoft application server can serve as a crucial compensating control if patching is delayed, reducing the attack surface.

Running the PeopleSoft application in an isolated environment can help contain a breach and prevent an attacker from pivoting to other parts of the network.

Using an EDR to monitor the PeopleSoft server for anomalous behavior, like spawning shells, can detect exploitation even without a specific signature.

D3FEND Defensive Countermeasures

The definitive countermeasure for CVE-2026-35273 is to apply the security update provided by Oracle. Given the critical 9.8 CVSS score and active exploitation by groups like ShinyHunters, this patch must be treated as an emergency. Organizations should activate their emergency patching procedures, bypassing standard testing cycles for this specific update on internet-facing PeopleSoft systems. A robust asset inventory is crucial to ensure all instances of PeopleTools 8.61 and 8.62 are identified and patched. This incident underscores the need for a mature vulnerability management program that can react swiftly to out-of-band patches for critical, internet-exposed applications.

As a compensating control and defense-in-depth measure, organizations should deploy a Web Application Firewall (WAF) in front of their Oracle PeopleSoft applications. A WAF can be configured with virtual patching rules to block exploit attempts against CVE-2026-35273, even before the official patch is applied. These rules would inspect incoming HTTP requests for patterns indicative of the exploit 'gadget chain' used by ShinyHunters. This provides a critical layer of protection for zero-day vulnerabilities, buying time for defenders to test and deploy the official vendor patch. After patching, the WAF continues to provide value by protecting against future, unknown vulnerabilities.

Since CVE-2026-35273 results in remote code execution, a key detection strategy is to monitor the processes on the PeopleSoft application server. An EDR agent should be deployed on these servers to baseline normal process activity. The exploit would cause the main PeopleSoft process (e.g., java.exe or a Tuxedo process) to spawn an anomalous child process, such as cmd.exe, powershell.exe, or /bin/sh. This is highly suspicious behavior for an application server. Configuring EDR to immediately alert on and/or block such process chains provides a high-fidelity detection of successful exploitation, enabling rapid incident response to contain the breach.
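The process-chain detection described in the Detection Methods list and in the paragraph above, as an added example that is not the article's or any EDR product's code: it classifies process-creation events whose parent is the PeopleSoft application server, alerting on shell children and on any child not seen during baselining. The PSAPPSRV Tuxedo image name, the baseline set and the sample events are assumptions constructed for illustration.

```python
"""Flag a PeopleSoft application server spawning a shell, the RCE indicator
described in the article. Added example, not from the article or any EDR vendor.
Assumed: Sysmon/EDR-style process-creation events with parent and child image
paths, PSAPPSRV as the Tuxedo server image, and constructed sample events."""

# Images treated as the PeopleSoft application server (java.exe is from the
# article; the Linux java binary and the PSAPPSRV Tuxedo server are assumptions).
APPSERVER_IMAGES = {"java.exe", "java", "psappsrv.exe", "psappsrv"}
# Shells and script hosts that an application server has no business launching.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
# Assumed: child images observed during the EDR baselining period and accepted.
BASELINE_CHILDREN = {"java.exe", "java", "conhost.exe"}

def image_name(path):
    """Lowercase basename of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """'shell' for app server -> shell, 'unbaselined' for any other unexpected
    child of the app server, None when the event is not of interest."""
    if image_name(event["parent_image"]) not in APPSERVER_IMAGES:
        return None
    child = image_name(event["image"])
    if child in SHELL_IMAGES:
        return "shell"
    if child not in BASELINE_CHILDREN:
        return "unbaselined"
    return None

def detect(events):
    """Return (verdict, host, child image) for every event that should alert."""
    alerts = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            alerts.append((verdict, ev["host"], image_name(ev["image"])))
    return alerts

# Constructed events: two shell spawns (Windows and Linux), one unbaselined
# child, and two benign events (case-mixed java -> java, explorer -> cmd).
SAMPLE_EVENTS = [
    {"host": "ps-web01", "parent_image": r"D:\psoft\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ps-app01", "parent_image": "/opt/psoft/appserv/PSAPPSRV",
     "image": "/bin/sh"},
    {"host": "ps-web01", "parent_image": r"D:\psoft\jre\bin\java.exe",
     "image": r"C:\Temp\updater.exe"},
    {"host": "ps-web01", "parent_image": r"D:\psoft\jre\bin\JAVA.EXE",
     "image": r"D:\psoft\jre\bin\java.exe"},
    {"host": "ps-web01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]
```

The "unbaselined" verdict is the lower-fidelity tier: review those hits to grow BASELINE_CHILDREN, while "shell" hits should page the on-call analyst.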

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

CVE-2026-35273, Oracle, PeopleSoft, Zero-day, ShinyHunters, NAIC, Data Breach, RCE
