Published on June 30, 2026
Nissan Confirms Data Breach Following Oracle PeopleSoft 0-Day Attacks
Severity
High
Detail
Nissan Americas has confirmed a data breach affecting current and former employees after threat actors exploited a critical zero-day vulnerability in Oracle PeopleSoft software. The campaign has been attributed to the ShinyHunters (UNC6240/Bling Libra) cybercrime group, which targeted vulnerable Oracle PeopleSoft PeopleTools 8.61 and 8.62 instances using CVE-2026-35273, a critical Server-Side Request Forgery (SSRF) to Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8.
The vulnerability allows unauthenticated attackers to execute arbitrary code remotely over HTTP without requiring user interaction. Exploitation reportedly began before Oracle released its emergency security patch, compromising more than 300 PeopleSoft instances across over 100 organizations worldwide.
Nissan stated that the breach occurred between May 27 and June 9, 2026, potentially exposing sensitive employee information, including contact details, banking information, national identification numbers, tax records, and beneficiary information for employees in the United States, Canada, Mexico, and Brazil.
How?
Threat actors exploited the CVE-2026-35273 vulnerability in Oracle PeopleSoft’s Updates Environment Management (PSEMHUB) component to gain unauthenticated remote access to vulnerable servers. Once access was established, the attackers deployed remote management tools disguised as legitimate Microsoft Azure services to maintain persistence. They then performed internal reconnaissance, moved laterally across the environment, and exfiltrated sensitive employee data using compressed archives.
Compromised systems were marked with a ransom note file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED[.]TXT, indicating the attack was part of an extortion campaign. The attackers also used attacker-controlled infrastructure to communicate with infected systems and facilitate data theft.
Key Indicators of Compromise (IOCs)
| Type | Indicator | Description |
| --- | --- | --- |
| IP | 142.11.200[.]186–190 | Staging/C2 infrastructure |
| Domain | azurenetfiles[.]net | C2 masquerading as Azure |
| SHA-256 | f02a924c9ff92a8780ce812511341182… | meshagent64-azure-ops.exe |
| URL Path | /PSEMHUB/hub | Exploitation endpoint |
| URL Path | /PSIGW/HttpListeningConnector | SSRF exploitation endpoint |
| File | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Extortion marker |
Mitigation
Organizations running PeopleTools 8.61 or 8.62 should implement the following mitigation measures:
- Disable or restrict the PSEMHUB service and block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter.
- Monitor outbound SMB traffic (TCP/445) from PeopleSoft servers for external NetNTLM hash capture attempts.
- Hunt for indicators of compromise (IOCs) even after applying patches, as exploitation began approximately two weeks before Oracle released its security advisory.
- Rotate all credentials that may have been accessible from potentially compromised PeopleSoft instances.
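
One way to run the IOC hunt from the list above over web access logs, as an added example that is not part of the original advisory or any vendor tooling: it flags requests to the two exploitation endpoints from the IOC table and labels where they came from. The log format (Common/Combined Log Format), the internal address ranges, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Indicators from the IOC table (defanged there, refanged here for matching).
EXPLOIT_PREFIXES = ("/psemhub/", "/psigw/httplisteningconnector")
C2_FIRST, C2_LAST = (ipaddress.ip_address(s.replace("[.]", "."))
                     for s in ("142.11.200[.]186", "142.11.200[.]190"))
# Assumption: these ranges count as "internal" in the environment being hunted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: the web tier writes Common/Combined Log Format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return a finding for a request to an exploitation endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalise before matching: drop query, decode %xx, collapse '//', fold case.
    path = re.sub(r"/+", "/", unquote(m["uri"].split("?", 1)[0])).lower()
    if not path.startswith(EXPLOIT_PREFIXES):
        return None
    try:
        src = ipaddress.ip_address(m["ip"])
    except ValueError:
        src = None  # hostname in the client field: still report the hit
    if src is None:
        verdict = "unparsed-source"
    elif src.version == 4 and C2_FIRST <= src <= C2_LAST:
        verdict = "known-c2-source"
    elif any(src.version == n.version and src in n for n in INTERNAL_NETS):
        verdict = "internal-source"
    else:
        verdict = "external-source"
    return {"ts": m["ts"], "src": m["ip"], "path": path,
            "status": int(m["status"]), "verdict": verdict}

def hunt(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '10.20.1.15 - - [26/May/2026:10:00:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/May/2026:02:14:09 +0000] "POST //psemhub/%68ub HTTP/1.1" 200 1337',
    '142.11.200.188 - - [28/May/2026:02:20:44 +0000] "POST /PSIGW/HttpListeningConnector?x=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [28/May/2026:03:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/ HTTP/1.1" 200 1000',
]
```

Hits labelled `internal-source` still need review, since the attackers moved laterally after gaining access.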