
Nissan Confirms Data Breach Following Oracle PeopleSoft 0-Day Attacks

Jun 30, 2026

Nissan Americas has officially confirmed a data breach affecting current and former employees across four countries after threat actors exploited a critical zero-day vulnerability in Oracle PeopleSoft software, a campaign attributed to the ShinyHunters extortion group.

The attack stems from CVE-2026-35273, a CVSS 9.8-rated unauthenticated Server-Side Request Forgery (SSRF)-to-Remote Code Execution (RCE) vulnerability residing in the Updates Environment Management (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62.

The flaw requires no authentication, no user interaction, and is exploitable over plain HTTP, meaning any attacker with network reach to a vulnerable instance could achieve full remote code execution. Oracle issued an emergency out-of-band security patch on June 10, 2026, and the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog just two days later.

Mandiant and Google’s Threat Intelligence Group (GTIG) attribute the campaign to UNC6240 (ShinyHunters), a financially motivated cybercrime collective also tracked as Bling Libra.

Exploitation was observed as early as May 27, 2026, two weeks before Oracle's advisory, with the group compromising more than 300 PeopleSoft instances across 100+ organizations worldwide using automated attack scripts.

Nissan Confirms Data Breach

According to breach notifications filed with the California Attorney General’s Office, Nissan Americas confirmed it was specifically singled out within the broader campaign. The breach window spans May 27 to June 9, 2026, and potentially exposed sensitive employee data including:

  • Contact and banking information
  • Social Security Numbers (SSN), Social Insurance Numbers (SIN), and National Identification Numbers
  • Financial and tax data
  • Dependent and beneficiary information

The incident is believed to impact current and former Nissan employees in the United States, Canada, Mexico, and Brazil.

Nissan activated its incident response protocols immediately upon notification, engaging external cybersecurity specialists and cooperating with law enforcement authorities.

As a containment measure, the company restricted payroll self-service functions, including pay slip viewing and direct deposit changes, to computers on the corporate network or connected through a secure VPN, and added identity verification steps before payroll change requests are processed. Nissan is also arranging free credit and dark web monitoring services for affected individuals where available.

Mandiant’s analysis reveals that ShinyHunters deployed MeshCentral remote management agents on compromised hosts, disguising them as legitimate Microsoft Azure services (e.g., meshagent64-azure-ops.exe) with C2 communications routed to wss://azurenetfiles[.]net:443/agent.ashx.

Post-exploitation activity included internal PeopleSoft configuration reconnaissance, lateral movement scripting, and data exfiltration using zstd compression. Compromised servers were marked with a ransom note file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.

Key Indicators of Compromise (IOCs)

Type        Indicator                                       Description
IP          142.11.200[.]186–190                            Staging/C2 infrastructure
Domain      azurenetfiles[.]net                             C2 masquerading as Azure
SHA-256     f02a924c9ff92a8780ce812511341182...             meshagent64-azure-ops.exe
URL path    /PSEMHUB/hub                                    Exploitation endpoint
URL path    /PSIGW/HttpListeningConnector                   SSRF exploitation endpoint
File        README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT    Extortion marker

Mitigations

Organizations running PeopleTools 8.61 or 8.62 should treat patching as an emergency priority. Beyond patching, Rapid7 and Mandiant recommend:

  • Disable or restrict the PSEMHUB service and block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter
  • Monitor outbound SMB traffic (TCP/445) from PeopleSoft servers for external NetNTLM hash capture attempts
  • Hunt for compromise indicators even post-patching, given exploitation activity predates Oracle’s advisory by two weeks
  • Rotate all credentials accessible from potentially compromised PeopleSoft instances
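The IOC table above and the "hunt for compromise indicators" recommendation translate directly into a hunt. The following Python is an added example, not tooling from Mandiant, Rapid7, Oracle or Nissan: it scans combined-format web access logs for requests to the two exploitation endpoints from clients outside an admin allowlist and for any request from the published staging range, then checks a file-hash inventory, process list and DNS query log for the disguised MeshCentral agent, the ransom note and the C2 domain. The allowlisted network 10.0.0.0/8, the sample log lines, file paths, process names and DNS queries are constructed assumptions, and the agent hash is matched as a prefix because the page prints it truncated.

```python
import ipaddress
import re
from dataclasses import dataclass

# IOCs as printed in the table above; the SHA-256 is truncated there, so it is matched as a prefix.
C2_IP_FIRST = ipaddress.ip_address("142.11.200.186")
C2_IP_LAST = ipaddress.ip_address("142.11.200.190")
C2_DOMAIN = "azurenetfiles.net"
AGENT_NAME = "meshagent64-azure-ops.exe"
AGENT_SHA256_PREFIX = "f02a924c9ff92a8780ce812511341182"
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
EXPLOIT_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Assumption: only these networks legitimately reach PSEMHUB or the Integration Gateway connector.
ALLOWED_CLIENTS = (ipaddress.ip_network("10.0.0.0/8"),)
# Apache/nginx "combined" format: client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

@dataclass(frozen=True)
class Finding:
    source: str  # "access_log" or "host"
    where: str   # log line number, file path, process or DNS name
    reason: str

def _ipv4(ip):
    """Parse an IPv4 address; None for IPv6 or garbage (avoids cross-version comparison errors)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return addr if addr.version == 4 else None

def ip_in_c2_range(ip):
    addr = _ipv4(ip)
    return addr is not None and C2_IP_FIRST <= addr <= C2_IP_LAST

def ip_is_allowed(ip):
    addr = _ipv4(ip)
    return addr is not None and any(addr in net for net in ALLOWED_CLIENTS)

def scan_access_log(lines):
    """Any request from the staging/C2 range, plus requests to the exploitation endpoints
    from clients outside the allowlist (a 403 still counts: it is a probe worth knowing about)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; do not guess at fields
        ip, path = m["ip"], m["path"].split("?", 1)[0]  # drop the query string
        on_exploit_path = any(path.upper().startswith(p.upper()) for p in EXPLOIT_PATHS)  # case-insensitive
        if ip_in_c2_range(ip):
            findings.append(Finding("access_log", f"line {n}", f"request from staging/C2 IP {ip} to {path}"))
        elif on_exploit_path and not ip_is_allowed(ip):
            findings.append(Finding("access_log", f"line {n}", f"{m['method']} {path} from non-allowlisted client {ip}"))
    return findings

def scan_host(files, processes, dns_queries):
    """files: {path: sha256 hex}; processes: image names; dns_queries: names the host looked up."""
    findings = []
    for path, digest in files.items():
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.upper() == RANSOM_NOTE:
            findings.append(Finding("host", path, "extortion marker file present"))
        if digest.lower().startswith(AGENT_SHA256_PREFIX):
            findings.append(Finding("host", path, "SHA-256 matches the published MeshCentral agent"))
        elif base.lower() == AGENT_NAME:
            findings.append(Finding("host", path, "named like the disguised MeshCentral agent (hash differs)"))
    for proc in processes:
        if proc.lower() == AGENT_NAME:
            findings.append(Finding("host", proc, "disguised MeshCentral agent is running"))
    for name in dns_queries:
        fqdn = name.lower().rstrip(".")
        if fqdn == C2_DOMAIN or fqdn.endswith("." + C2_DOMAIN):
            findings.append(Finding("host", name, "DNS lookup of the C2 domain"))
    return findings

def hunt(access_log, files, processes, dns_queries):
    return scan_access_log(access_log) + scan_host(files, processes, dns_queries)

# Constructed sample inputs (not real Nissan or Mandiant data) so the script runs offline.
SAMPLE_ACCESS_LOG = [
    '10.20.30.40 - - [28/May/2026:10:01:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/May/2026:10:02:15 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812 "-" "python-requests/2.32"',
    '142.11.200.187 - - [28/May/2026:10:02:16 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 77 "-" "curl/8.5.0"',
    '10.20.30.41 - - [28/May/2026:10:03:00 +0000] "GET /PSEMHUB/hub?cmd=status HTTP/1.1" 200 300 "-" "Java/17"',
    '2001:db8::9 - - [28/May/2026:10:04:00 +0000] "GET /psemhub/hub HTTP/1.1" 403 0 "-" "-"',
]
# The page prints only the first 32 hex digits of the agent hash; the remainder here is filler.
SAMPLE_FILES = {
    "C:\\ProgramData\\AzureOps\\meshagent64-azure-ops.exe": AGENT_SHA256_PREFIX + "00" * 16,
    "C:\\README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
SAMPLE_PROCESSES = ["psappsrv.exe", "meshagent64-azure-ops.exe"]
SAMPLE_DNS = ["login.microsoftonline.com", "azurenetfiles.net"]

if __name__ == "__main__":
    for f in hunt(SAMPLE_ACCESS_LOG, SAMPLE_FILES, SAMPLE_PROCESSES, SAMPLE_DNS):
        print(f"[{f.source}] {f.where}: {f.reason}")
```

Run as-is it reports the three suspicious log lines (the external POST to /PSEMHUB/hub, the request from the staging range, and the case-mangled IPv6 probe that was refused) and the four host artifacts. On real data, feed it access logs covering at least May 27 onward, a hash inventory of the PeopleSoft servers and their DNS logs; an internal client that is not part of the admin allowlist hitting these endpoints is just as worth investigating as an external one, since the allowlist is the assumption you tune, not the detection.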

This marks the second CVSS 9.8 Oracle ERP zero-day exploited in under eight months, following Cl0p’s abuse of CVE-2025-61882 in Oracle E-Business Suite beginning in August 2025 — a pattern that signals ERP platforms have become primary industrialized targets for organized extortion operations.

Source: CybersecurityNews.com
