Inside the University of Nottingham Breach: ShinyHunters and the Oracle PeopleSoft Campaign
The University of Nottingham breach was blamed on Oracle WebLogic. The real flaw was elsewhere, in PeopleSoft PeopleTools, and it stayed a zero-day for the full two weeks ShinyHunters exploited it. The label you patch matters more than the headline you read.
A Cytidel threat intelligence analysis
We track campaigns like this one because the way an incident is first described publicly is rarely the way it should be understood. The University of Nottingham's breach is a good example: the public account is accurate but incomplete, and the gap between "what was disclosed" and "what actually happened" is exactly the space threat intelligence is meant to close. This is our read of the incident and what it means for organisations running the same software — written for defenders.
On 12 June 2026 the University of Nottingham confirmed that an attacker had exploited a vulnerability in Oracle WebLogic to reach its Campus Solutions student records platform, accessing the personal data of students, alumni and applicants. The university's statement is careful and accurate, but by design it names neither the specific vulnerability nor the actor responsible.
The wider campaign reporting fills in both. Nottingham is one confirmed victim of a mass compromise-and-extortion operation against Oracle PeopleSoft, attributed to the group ShinyHunters and built on a critical PeopleSoft zero-day. Here is what is known, how the pieces fit, and how we'd read the incident.
The bottom line up front
- The Nottingham breach is one confirmed victim of a mass compromise-and-extortion campaign against Oracle PeopleSoft, run by the group ShinyHunters (tracked by Google's Mandiant as UNC6240).
- The root-cause vulnerability is CVE-2026-35273 — an unauthenticated remote code execution flaw in PeopleSoft PeopleTools. The "WebLogic" in the university's statement is the application-server layer the exploit lands on, not the bug itself.
- ShinyHunters claimed the Nottingham breach directly, published the stolen data to their leak site, and Mandiant independently attributed the campaign to UNC6240. Attribution is well-evidenced at the campaign-cluster level.
What the university disclosed
The university identified unauthorised activity in its Campus Solutions platform on 9 June 2026 and pulled the affected systems offline. Its public statement attributes the intrusion to an external threat actor exploiting a vulnerability in the Oracle WebLogic server that supported Campus Solutions, enabling unauthorised remote code execution. It notes that the system sits in an isolated environment run by a third-party provider, and that Microsoft 365, OneDrive, email, Teams and Moodle were unaffected. The incident was reported to the ICO, NCSC, OfS, UCAS and Action Fraud.
External reporting adds the scale the statement does not. ShinyHunters published roughly 40GB of Nottingham data to their leak site on 9 June — the same day the university spotted the activity — reportedly after the institution declined to pay. Have I Been Pwned subsequently counted around 455,000 unique email addresses in the leaked set.
The exposed records reportedly include names, home addresses, phone numbers, passport numbers, and in many cases ethnicity and disability information, spanning current and former students across the UK, Malaysia and China campuses. Nottingham was the first publicly confirmed victim of the campaign, and the second UK university to disclose a breach in that window after the University of Oxford.
The actor: ShinyHunters / UNC6240
Mandiant and Google Threat Intelligence Group attribute the PeopleSoft campaign to UNC6240, the cluster better known by its brand name ShinyHunters. This is a financially motivated data-theft-and-extortion operation that has been active since 2019. Mandiant characterises ShinyHunters not as a single unified group but as multiple threat clusters operating under a shared brand — a useful distinction when reasoning about consistency of tradecraft across their campaigns.
The university's careful phrasing — "a well-known cybercriminal group that also targeted a number of other organisations" — maps cleanly onto ShinyHunters' recent activity. The group spent early 2026 attacking Salesforce environments through social engineering and voice phishing (the 7-Eleven breach among them), and in mid-May 2026 extracted data tied to hundreds of millions of students, teachers and staff from the Instructure Canvas learning platform. The PeopleSoft campaign is the next iteration of the same playbook: pick a platform deployed across hundreds of organisations, build automation against a critical flaw, exploit at scale, then monetise the stolen data through extortion. They even attempted — and, by their own account, failed — to breach an FBI PeopleSoft portal.
The campaign ran from 27 May to 9 June 2026, beginning two weeks before Oracle's advisory of 10 June. Mandiant notified more than 100 organisations whose internet-facing endpoints correlated with the attack. ShinyHunters claimed roughly 300 vulnerable PeopleSoft instances across those 100-plus organisations, of which 68% were in higher education, the majority in the United States. Exfiltrated data was ultimately staged to infrastructure (176.120.22[.]24) tied to the ShinyHunters leak site, one of the threads that links the technical campaign to the extortion brand.
Attribution confidence: HIGH for the ShinyHunters / UNC6240 operational cluster. The actor self-claimed the Nottingham breach, the stolen data was published on ShinyHunters' own leak site, and Mandiant independently attributed the campaign to UNC6240 with corroborating infrastructure and IOC overlap. The caveat is that ShinyHunters is best understood as a brand and ecosystem rather than a single fixed crew — and ShinyHunters-branded claims and victim communications have at times been subject to impersonation. The confidence therefore attaches to the campaign cluster and its extortion infrastructure, not to named individuals behind the keyboard.
The vulnerability: CVE-2026-35273 (and why "WebLogic" is a layer, not the bug)
The vulnerability at the centre of the campaign is CVE-2026-35273, a critical (CVSS 9.8) flaw in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. It is remotely exploitable without authentication and without user interaction, and Oracle's own out-of-band advisory (published 10 June 2026) confirms it may result in remote code execution. The bug lives in the Updates Environment Management component — specifically the Environment Management Hub (PSEMHUB) — and the underlying weakness was classified by the reporting researchers (TrendAI / Zero Day Initiative) as a server-side request forgery (CWE-918). CISA added it to the KEV catalogue on 12 June 2026 on evidence of active exploitation.
This is the detail most likely to be misread. The university says WebLogic; the actual CVE is in PeopleTools. Those are not in conflict.
PeopleSoft's web and application tier — the PeopleSoft Internet Architecture — runs on Oracle WebLogic. A PeopleTools exploit therefore executes on WebLogic, and that is exactly where the forensic artefacts surface. Mandiant's indicators describe JSP webshells dropped into WebLogic application directories, attacker reconnaissance that reads WebLogic config.xml files, and WebLogic access logs showing the malicious POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector. From the vantage point of an administrator looking at WebLogic logs and a WebLogic-hosted application being compromised, "an Oracle WebLogic vulnerability allowed RCE" is a defensible — if architecturally imprecise — description of a PeopleTools/PSEMHUB exploit. The university's third-party provider almost certainly characterised it at the layer where the damage was visible.
The practical implication for defenders: the thing to find and fix is the PeopleTools/PSEMHUB exposure, not a generic WebLogic patch.
The attack chain
For defenders, the campaign's tradecraft is well-documented and worth internalising. Working from Mandiant's reporting and analysis of the attackers' exposed tooling, the pattern looks like this:
- Initial access via CVE-2026-35273 against the Environment Management Hub: unauthenticated HTTP requests to /PSEMHUB/* and /PSIGW/HttpListeningConnector. The underlying SSRF weakness lets an attacker coerce the server into making requests to internal or loopback addresses, so an instance reachable over any network path (VPN, partner link, managed-service route) can be used against services it can talk to; exposure is not limited to instances that are directly internet-facing.
- Persistence through JSP webshells written into WebLogic application directories, and modified XML files under envmetadata/data/environment/ set up for XMLDecoder persistence that fires on the next service restart.
- Command and control via MeshCentral agents (the campaign installed MeshCentral v1.1.59) masquerading as legitimate cloud endpoints, including the domain azurenetfiles.net.
- Reconnaissance and credential theft using the meshctrl.js CLI to read the PeopleSoft application server config (psappsrv.cfg, which holds database credentials) and WebLogic config.xml.
- Lateral movement via a custom [victim]_fanout.sh script performing SSH credential spraying against internal hosts parsed from /etc/hosts, targeting common service accounts (psoft, oracle, linuxadm), with a defacement/extortion marker file (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT) dropped along the way.
- Credential capture and exfiltration: outbound SMB (TCP 445) connections from PeopleSoft hosts to attacker infrastructure, which leak machine-account NetNTLM hashes, and compressed data ultimately routed to leak-site infrastructure.
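The on-disk side of that chain (JSP webshells under WebLogic application directories, recently modified XML under envmetadata, the extortion marker file, and the PSEMHUB working folders named in the campaign IOCs) can be swept for with a short walk of the install tree. The block below is an added example written for this page, not tooling from Mandiant, Oracle or any other source cited here. The directory layout it builds is a constructed stand-in, not a real PeopleSoft layout; the loose match on any path component beginning with PSEMHUB, the one-hour lookback, and the `signon.jsp` baseline entry are assumptions, and in practice the JSP baseline would be the paths or hashes from a known-good deployment.

```python
"""Hunt a PeopleSoft/WebLogic host for on-disk artefacts of the campaign (added example)."""
import os
import tempfile
import time
from pathlib import Path

# Marker file and PSEMHUB folder names as published in the campaign IOCs.
MARKER = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
PSEMHUB_FOLDERS = {"logs", "persistantstorage", "scratchpad"}


def hunt(root, since_epoch, known_jsp=frozenset()):
    """Walk `root` and return sorted (category, relative_path) pairs worth an analyst's eye.

    since_epoch: only envmetadata XML modified at or after this time is reported.
    known_jsp:   relative paths of JSPs that belong to the baseline deployment.
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        parts = rel.split("/")
        # Assumption: the hub's directory is any ancestor whose name starts with PSEMHUB.
        under_psemhub = any(p.upper().startswith("PSEMHUB") for p in parts[:-1])
        if path.is_file() and path.name == MARKER:
            hits.append(("marker", rel))
        elif path.is_dir() and under_psemhub and path.name in PSEMHUB_FOLDERS:
            hits.append(("psemhub_folder", rel))
        elif path.is_file() and path.suffix.lower() == ".jsp" and rel not in known_jsp:
            hits.append(("unexpected_jsp", rel))
        elif (path.is_file() and path.suffix.lower() == ".xml"
              and "envmetadata" in parts and path.stat().st_mtime >= since_epoch):
            hits.append(("recent_envmetadata_xml", rel))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for an install (not a real PeopleSoft layout) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="ps-hunt-"))
    (root / "PSEMHUB" / "scratchpad").mkdir(parents=True)
    (root / "PSEMHUB" / "WEB-INF").mkdir(parents=True)
    war = root / "applications" / "peoplesoft" / "PORTAL.war"
    war.mkdir(parents=True)
    (war / "signon.jsp").write_text("<%-- baseline --%>")        # in the known-good set
    (war / "cmd.jsp").write_text("<%-- stand-in webshell --%>")  # not in the baseline
    env = root / "envmetadata" / "data" / "environment"
    env.mkdir(parents=True)
    old = env / "ENV-OLD.xml"
    old.write_text("<a/>")
    os.utime(old, (1_000_000, 1_000_000))                         # mtime long before any window
    (env / "ENV-NEW.xml").write_text("<a/>")                      # fresh mtime: recently touched
    (root / "tmp").mkdir()
    (root / "tmp" / MARKER).write_text("")
    return root


def hunt_sample():
    """Run the hunt over the constructed tree with a one-hour lookback (assumed cutoff)."""
    return hunt(build_sample_tree(), since_epoch=time.time() - 3600,
                known_jsp={"applications/peoplesoft/PORTAL.war/signon.jsp"})


if __name__ == "__main__":
    for category, rel in hunt_sample():
        print(f"{category:24} {rel}")
```

On a real host, run it against the WebLogic domain and PeopleSoft home with `since_epoch` set to the start of the campaign window and the JSP baseline taken from a clean build of the same PeopleTools release; every hit is a lead to triage, not a confirmed compromise on its own.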
What to do about it
For any organisation running PeopleSoft — and Campus Solutions shops in particular:
- Apply Oracle's June 2026 PeopleSoft security updates as an emergency item for affected PeopleTools versions, including the fixes and mitigations associated with CVE-2026-35273. Do not wait for a normal patch cycle, and ensure affected environments are on supported PeopleTools releases.
- Disable the Environment Management Hub service in multi-server configurations, or remove the PSEMHUB application entirely in single-server setups. Where neither is possible, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter. Mandiant notes these restrictions do not break normal PIA browser sessions.
- Hunt retrospectively for the IOCs: external POSTs to the PSEMHUB and Integration Gateway endpoints; unexpected .jsp files in WebLogic application directories; suspicious folders (logs, persistantstorage, scratchpad) under PSEMHUB paths; recently modified XML under envmetadata; the extortion marker file; outbound SMB from PeopleSoft hosts; and connections involving the published attacker IPs (the 142.11.200[.]186–190 range, 108.174.202[.]99, 176.120.22[.]24).
- Rotate credentials for the psoft, oracle and linuxadm accounts and anything stored in psappsrv.cfg, and enforce application-layer MFA and IP allowlisting for administrative access.
- Do not define exposure too narrowly as "public internet-facing only." PSEMHUB and Integration Gateway endpoints reachable through VPNs, partner networks, managed-service paths, or other trusted access routes should still be treated as in scope. In particular, hunt for SSRF-style requests that reference loopback addresses, localhost values, or internal IP ranges through /PSIGW/HttpListeningConnector.
- Treat this as a third-party risk question too. If a vendor or partner runs PeopleSoft, their unpatched instance is your supply-chain exposure — ask them directly for patch status and IOC review.
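The log-side hunt in the list above (external POSTs to the PSEMHUB and Integration Gateway endpoints, connections involving the published attacker IPs, and SSRF-style requests that carry loopback, localhost or internal addresses through /PSIGW/HttpListeningConnector) can be reduced to a few checks over WebLogic's access log. The block below is an added example written for this page, not code from Mandiant, Rapid7 or Oracle. It assumes the default Common Log Format that WebLogic writes; the sample lines are constructed, not Nottingham or Mandiant data; and because the page does not describe the exploit's wire format, the `?target=` query on the third sample line is a hypothetical shape and the loopback check scans the whole request line rather than one named parameter. It deliberately does not filter on external source addresses, so requests arriving via VPN or partner routes are triaged the same way.

```python
"""Triage a WebLogic access log for PSEMHUB / Integration Gateway abuse (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Attacker IPs published in the campaign reporting cited on this page (defanged there).
ATTACKER_IPS = {f"142.11.200.{n}" for n in range(186, 191)} | {"108.174.202.99", "176.120.22.24"}

# Endpoints the campaign drove unauthenticated POSTs at, per the IOCs above.
WATCH_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# WebLogic's default access.log is Common Log Format:
#   host ident user [timestamp] "METHOD target HTTP/x.y" status bytes
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


@dataclass
class Finding:
    line_no: int
    src: str
    method: str
    target: str
    status: str
    reasons: list = field(default_factory=list)


def internal_refs(target: str) -> list:
    """Loopback, private, link-local or 'localhost' references anywhere in the request target.

    Assumption: the page gives no wire format for the exploit, so the whole request
    line (path plus query) is scanned rather than one named parameter.
    """
    refs = ["localhost"] if "localhost" in target.lower() else []
    for raw in IPV4.findall(target):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            refs.append(raw)
    return refs


def triage_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if the line matches any campaign indicator, else None."""
    m = CLF.match(line)
    if not m:
        return None
    f = Finding(line_no, m["src"], m["method"], m["target"], m["status"])
    path = f.target.split("?", 1)[0]
    if f.src in ATTACKER_IPS:
        f.reasons.append(f"source {f.src} is a published campaign IOC")
    if f.method == "POST" and any(path.startswith(p) for p in WATCH_PATHS):
        f.reasons.append(f"POST to watched endpoint {path}")
    if path.startswith("/PSIGW/HttpListeningConnector"):
        for ref in internal_refs(f.target):
            f.reasons.append(f"internal/loopback reference {ref} via Integration Gateway")
    return f if f.reasons else None


def triage(log_text: str) -> list:
    """Every line that merits review, in file order."""
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = triage_line(n, line)
        if f:
            out.append(f)
    return out


# Constructed sample lines (not real Nottingham or Mandiant data); the ?target= query on
# line 3 is a hypothetical shape chosen only to exercise the loopback check.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2026:08:12:03 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 8421
142.11.200.187 - - [01/Jun/2026:08:12:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 612
10.20.30.40 - - [01/Jun/2026:08:14:51 +0000] "POST /PSIGW/HttpListeningConnector?target=http://127.0.0.1:8000/ HTTP/1.1" 200 233
198.51.100.7 - - [01/Jun/2026:08:15:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0
"""


def triage_sample() -> list:
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"line {f.line_no}: {f.src} {f.method} {f.target} -> {f.status}")
        for r in f.reasons:
            print(f"    - {r}")
```

Against the sample, lines 2 and 3 are flagged (IOC source plus POST to the hub; POST to the Integration Gateway carrying a loopback address) while the ordinary PIA session and the failed GET are not. In production, feed it the rotated access logs covering 27 May onward and treat a hit from a non-IOC address as equally interesting: the published IPs are a floor, not the full attacker footprint.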
How we read this
Three things make this incident worth more than a line in a breach tracker, and they shape how we would advise anyone running exposed enterprise software to think about it.
The window between "disclosed" and "exploited" has effectively closed. CVE-2026-35273 was a zero-day for the entire two-week period it was being exploited. During the attack window there was no CVSS score to triage on, no KEV entry to escalate against, no patch to apply — those all arrived after the data was already on a leak site. Severity scoring and patch cadence remain necessary, but they are lagging indicators.
What distinguishes an organisation that weathers a campaign like this from one that becomes a case study is whether it was watching the right actor behaviour and exposure ahead of the CVE: ShinyHunters' platform-at-scale playbook and the reachability of the PSEMHUB endpoint were both observable before any advisory existed.
Read the layer, not just the label. The single most useful analytical move here is separating where the damage showed up (WebLogic) from the bug that caused it (PeopleTools / CVE-2026-35273). An organisation that took the public "WebLogic vulnerability" line at face value would have hunted and patched the wrong component. Incident notices are written for a general audience and a legal threshold; turning that into an accurate internal picture is an intelligence task, and it is worth doing deliberately rather than assuming the headline is the finding.
Sector and supply chain are part of the threat model now. ShinyHunters did not pick higher education by accident — universities concentrate exactly the kind of sensitive identity data (passport numbers, immigration status, disability records) that carries outsized regulatory and extortion leverage, often on shared platforms with similar configurations. And Nottingham's Campus Solutions instance was run by a third party. The exposure of a platform you depend on, operated by someone else, is your exposure. Any organisation reasoning about its risk from this campaign has to reason about its vendors' PeopleSoft estates too.
None of this requires a particular tool to act on. It requires treating threat intelligence as something you apply before the advisory lands — to the actors targeting your sector, the platforms you and your suppliers run, and the exposure that is reachable today. That is the posture this campaign rewards.
Key sources
- University of Nottingham — Cyber attack incident statement (12 June 2026)
- Google Cloud / Mandiant (GTIG) — ShinyHunters targets the education sector via Oracle PeopleSoft (UNC6240 attribution, IOCs, attack chain)
- Oracle — Security Alert Advisory, CVE-2026-35273 (out-of-band, 10 June 2026)
- Oracle — June 2026 Critical Security Patch Update (includes the CVE-2026-35273 fixes plus additional PeopleSoft patches)
- Rapid7 — active exploitation analysis and IOCs (notes CISA KEV addition, 12 June 2026)
- BleepingComputer — Oracle mitigates the PeopleSoft zero-day and Nottingham breach coverage
- The Register — ShinyHunters claims the campaign
This analysis reflects information available as of mid-June 2026 and uses estimative language where attribution or exploit-chain composition is assessed rather than confirmed.