Published on June 30, 2026

Nissan Confirms Data Breach Following Oracle PeopleSoft 0-Day Attacks


Severity

High

Detail

Nissan Americas has confirmed a data breach affecting current and former employees after threat actors exploited a critical zero-day vulnerability in Oracle PeopleSoft software. The campaign has been attributed to the ShinyHunters (UNC6240/Bling Libra) cybercrime group, which targeted vulnerable Oracle PeopleSoft PeopleTools 8.61 and 8.62 instances using CVE-2026-35273, a critical Server-Side Request Forgery (SSRF) to Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8.

The vulnerability allows unauthenticated attackers to execute arbitrary code remotely over HTTP without requiring user interaction. Exploitation reportedly began before Oracle released its emergency security patch, compromising more than 300 PeopleSoft instances across over 100 organizations worldwide.

Nissan stated that the breach occurred between May 27 and June 9, 2026, potentially exposing sensitive employee information, including contact details, banking information, national identification numbers, tax records, and beneficiary information for employees in the United States, Canada, Mexico, and Brazil.

How?

Threat actors exploited the CVE-2026-35273 vulnerability in Oracle PeopleSoft’s Updates Environment Management (PSEMHUB) component to gain unauthenticated remote access to vulnerable servers. Once access was established, the attackers deployed remote management tools disguised as legitimate Microsoft Azure services to maintain persistence. They then performed internal reconnaissance, moved laterally across the environment, and exfiltrated sensitive employee data using compressed archives.

Compromised systems were marked with a ransom note file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED[.]TXT, indicating the attack was part of an extortion campaign. The attackers also used attacker-controlled infrastructure to communicate with infected systems and facilitate data theft.

Key Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|------|-----------|-------------|
| IP | 142.11.200[.]186–190 | Staging/C2 infrastructure |
| Domain | azurenetfiles[.]net | C2 masquerading as Azure |
| SHA-256 | f02a924c9ff92a8780ce812511341182… | meshagent64-azure-ops.exe |
| URL Path | /PSEMHUB/hub | Exploitation endpoint |
| URL Path | /PSIGW/HttpListeningConnector | SSRF exploitation endpoint |
| File | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Extortion marker |

Mitigation

Organizations running PeopleTools 8.61 or 8.62 should implement the following mitigation measures:

  • Disable or restrict the PSEMHUB service and block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter.
  • Monitor outbound SMB traffic (TCP/445) from PeopleSoft servers for external NetNTLM hash capture attempts.
  • Hunt for indicators of compromise (IOCs) even after applying patches, as exploitation began approximately two weeks before Oracle released its security advisory.
  • Rotate all credentials that may have been accessible from potentially compromised PeopleSoft instances.
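
One way to start the IOC hunt recommended above is to sweep web-tier access logs for the URL paths, IP range and domain from the IOC table. The script below is an added example, not part of the original advisory or any Oracle tooling; it assumes Common/Combined Log Format access logs and an RFC 1918 internal address plan, and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Indicators from the IOC table on this page, refanged for matching.
IOC_PATHS = ("/psemhub/hub", "/psigw/httplisteningconnector")
IOC_DOMAIN = "azurenetfiles.net"
IOC_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
# Assumption: anything outside these ranges is an external client (IPv6 included).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: the web tier writes Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real log data).
SAMPLE = [
    '10.20.1.15 - - [28/May/2026:02:14:07 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 5120',
    '203.0.113.44 - - [28/May/2026:02:15:31 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 312',
    '142.11.200.187 - - [29/May/2026:11:02:55 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 844',
    '10.20.1.30 - - [30/May/2026:09:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 120',
    '198.51.100.9 - - [01/Jun/2026:04:41:10 +0000] "GET /PSEMHUB%2Fhub HTTP/1.1" 404 0',
]

def hunt(lines):
    """Return one finding per access-log line that matches a page IOC."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            client = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname logged instead of an address
        # Decode twice so single and double percent-encoding still match.
        uri = unquote(unquote(m["uri"])).lower()
        reasons = []
        if any(p in uri for p in IOC_PATHS):
            reasons.append("ioc_path")
            if not any(client in net for net in INTERNAL_NETS):
                reasons.append("external_client")
        if client in IOC_IPS:
            reasons.append("ioc_ip")
        if IOC_DOMAIN in uri:
            reasons.append("ioc_domain")
        if reasons:
            findings.append({"line": lineno, "ip": str(client), "ts": m["ts"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings
```

Calling `hunt(SAMPLE)` flags four of the five constructed lines; on real logs, pass an open file handle and review `external_client` hits dated before the patch was applied first.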

Source

https://cybersecuritynews.com/nissan-confirms-data-breach/