ERP Systems Under Siege: ShinyHunters Hits Nissan Americas via Critical Oracle Zero-Day

The global enterprise resource planning (ERP) ecosystem has suffered another industrialized exploit campaign. Nissan Americas has officially confirmed a sweeping data breach affecting current and former employees across four countries. The incident stems directly from a sophisticated cyber-extortion campaign that weaponized a critical, unauthenticated Oracle PeopleSoft zero-day vulnerability to bypass corporate perimeter defenses.

Attributed to the financially motivated ShinyHunters extortion group (tracked by threat intelligence firms as UNC6240 or Bling Libra), the campaign bypassed traditional endpoint protection models. By scanning for and exploiting core business infrastructure before a patch was available, the threat actors gained access to the financial and personnel systems of over 100 organizations worldwide, with Nissan Americas singled out as a primary target.

Key Details

The incident hinges on CVE-2026-35273, an unauthenticated Server-Side Request Forgery (SSRF) flaw carrying a maximum CVSS severity score of 9.8. The vulnerability affects the PeopleSoft Environment Management Hub (PSEMHUB) component within Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. Because the exploit works over plain HTTP with no prior authentication and no user interaction, automated exploitation scripts were hitting targets worldwide long before an advisory was published.

According to breach notifications submitted to the California Attorney General’s Office, the active compromise window for Nissan spanned from May 27 to June 9, 2026. Oracle rushed to deploy an emergency out-of-band security patch on June 10, 2026, followed immediately by the Cybersecurity and Infrastructure Security Agency (CISA) adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog on June 12.

Automated Zero-Day Campaign Begins

May 27, 2026

ShinyHunters initiates mass scanning and exploit scripts, compromising over 300 vulnerable Oracle PeopleSoft instances across 100+ global organizations, including Nissan.

Nissan Contains Malicious Intrusion

June 9, 2026

Nissan Americas identifies anomalous server activity, initiates internal data containment protocols, and terminates unauthorized connections.

Emergency Out-of-Band Patch Released

June 10, 2026

Oracle bypasses its standard quarterly patching schedule to issue a critical out-of-band update to fix the PSEMHUB exploit vector.

CISA KEV Catalog Enforcement

June 12, 2026

CISA officially indexes CVE-2026-35273, legally requiring federal agencies and advising private enterprises to remediate the vulnerability.

Technical Analysis

A deep forensic evaluation conducted by Mandiant and Google’s Threat Intelligence Group (GTIG) revealed how ShinyHunters turned simple web access into persistent host takeover. Attackers initially targeted the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints to establish initial RCE.

Once inside, the actors dropped a customized variant of MeshCentral—an open-source remote management agent. To blind local security operations centers (SOC) and bypass endpoint detection and response (EDR) logic, the binary was explicitly compiled to masquerade as a legitimate Microsoft cloud service (meshagent64-azure-ops.exe).

  [Unauthenticated Web Request]
                 │
                 ▼ (Targeting /PSEMHUB/hub)
     [SSRF-to-RCE Exploitation]
                 │
                 ▼ (Executes Arbitrary Payload)
    [MeshCentral Deployment (Spoofed)]
     └── Named: meshagent64-azure-ops.exe
                 │
                 ▼ (Internal Triage & Compression)
[Data Staging via Zstd] ──► Exfiltration to azurenetfiles[.]net

Threat actors executed local Python and PowerShell scripts to scrape configurations, traverse active subnets, and locate corporate directory databases. Staged exfiltration directories were bundled using high-velocity zstd compression and routed to the group’s malicious command domain. Compromised nodes were then defaced with an explicit text-based extortion note: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.

Key Indicators of Compromise (IOCs)

Type       Indicator                    Description
IP Range   142.11.200[.]186–190         Active adversary infrastructure utilized for staging and C2 loops
Domain     azurenetfiles[.]net          Malicious external endpoint spoofing Azure storage infrastructure
URL Path   /PSEMHUB/hub                 Target web path utilized to inject the initial unauthenticated SSRF
File Name  meshagent64-azure-ops.exe    Persistent malicious remote management executable

Impact and Risks

The business and personal exposure driven by the Nissan Americas data breach is exceptionally severe, tracking across current and former personnel in the United States, Canada, Mexico, and Brazil.

Data sets verified as stolen or heavily exposed include:

  • Full names, corporate emails, and home contact details.
  • Highly sensitive financial registries, tax data, and banking routing profiles.
  • Social Security Numbers (SSN), Social Insurance Numbers (SIN), and national tax identification IDs.
  • Dependent records, medical identifiers, and beneficiary allocations.

To limit systemic exposure, Nissan immediately cut off unauthorized access to its active payroll workflows. The company restricted sensitive actions—such as direct deposit amendments and pay slip access—exclusively to assets operating natively on the physical corporate network or via heavily guarded, multi-factor authenticated enterprise VPN systems.

Expert Recommendations

The exploitation of critical core platform engines indicates that traditional edge security boundaries are insufficient. Security operations teams must prioritize immediate system-wide mitigations:

1. Enforce Perimeter URI Blocks: Immediate Protection.

Configure your corporate Web Application Firewall (WAF) or ingress proxy layers to drop any external, public internet requests routed directly to /PSEMHUB/* and /PSIGW/*.

2. Execute Oracle Out-of-Band Updates: Core Patching.

Deploy the emergency Oracle PeopleTools patch for versions 8.61 and 8.62 immediately. Treat this workflow as a critical production emergency.

3. Audit Outbound SMB Channels: Threat Hunting.

Analyze network logs for anomalous outbound Server Message Block (SMB) traffic traversing TCP Port 445 coming from application databases. Attackers utilize this channel to harvest corporate NetNTLM hashes.

4. Execute Universal Key Rotation: Credential Flush.

Revoke and systematically regenerate all certificates, service account tokens, and administrative database passwords managed by or connected to the PeopleSoft database layer.
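The following threat-hunting script is an added example, not code from the article or from Oracle, Mandiant or GTIG. It applies recommendations 1 and 3 and the IOC table above to constructed sample log lines: external requests reaching /PSEMHUB/* or /PSIGW/*, connections to the 142.11.200.186–190 range or azurenetfiles.net, the spoofed meshagent64-azure-ops.exe process, and outbound SMB (TCP 445) from database hosts. It assumes the corporate network uses RFC 1918 address space and that the connection export carries a process name and TLS SNI field.

```python
import ipaddress
import re

# IOCs from the article's table (defanging brackets removed).
C2_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
C2_DOMAIN = "azurenetfiles.net"
AGENT_NAME = "meshagent64-azure-ops.exe"
TARGET_PATHS = ("/PSEMHUB/", "/PSIGW/")
# Assumption: the corporate network uses RFC 1918 space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample data (not real captures): Apache-style access log lines from the web tier.
ACCESS_LOG = """\
203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.30.5 - - [28/May/2026:03:15:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
198.51.100.9 - - [28/May/2026:03:16:22 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 77 "-" "curl/8.4.0"
"""
# Constructed sample data: (src_ip, dst_ip, dst_port, process, tls_sni) rows from an EDR/firewall export.
CONN_LOG = [
    ("10.20.30.5", "142.11.200.188", 443, "meshagent64-azure-ops.exe", "azurenetfiles.net"),
    ("10.20.30.5", "10.20.30.200", 1521, "PSAPPSRV.exe", ""),
    ("10.20.30.200", "203.0.113.50", 445, "oracle.exe", ""),
]

def is_external(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def hunt_access_log(lines):
    """Recommendation 1: flag external requests that reach /PSEMHUB/* or /PSIGW/* (case-insensitive)."""
    matches = (ACCESS_RE.match(line) for line in lines)
    return [(m["src"], m["path"], m["status"]) for m in matches
            if m and m["path"].upper().startswith(TARGET_PATHS) and is_external(m["src"])]

def hunt_connections(records, db_hosts):
    """Recommendation 3 plus the IOC table: C2 range/domain, spoofed agent, outbound SMB from DB hosts."""
    findings = []
    for src, dst, port, proc, sni in records:
        checks = (
            ("c2-ip", ipaddress.ip_address(dst) in C2_IPS),
            ("c2-domain", sni.lower() == C2_DOMAIN),
            ("spoofed-agent", proc.lower() == AGENT_NAME),
            ("outbound-smb", port == 445 and src in db_hosts and is_external(dst)),
        )
        reasons = tuple(name for name, hit in checks if hit)
        if reasons:
            findings.append((src, dst, reasons))
    return findings
```

Run against the sample data, the internal HRMS portal request and the application-to-database Oracle listener connection produce no findings, while the three IOC-bearing rows do.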

Industry Context

The targeting of Nissan Americas represents an ongoing, industrialized focus on enterprise resource planning architectures. This event marks the second CVSS 9.8 Oracle ERP software catastrophe within the last eight months, following closely on the heels of the Cl0p ransomware syndicate exploiting CVE-2025-61882 inside Oracle E-Business Suite.

Extortion rings have recognized that targeting internal software engines allows them to bypass the arduous process of breaking through multiple network segments. Compromising a single central ERP node provides instantaneous, automated access to the organization’s entire identity, supply chain, and financial operations.

Conclusion

The automated exploitation of the Oracle PeopleSoft platform confirms that modern threat actors can weaponize architectural flaws long before patches can be developed. As industrialized groups like ShinyHunters target the core financial software engines running global corporations, patching latency can spell operational disaster. Organizations must transition toward zero-trust architectures that isolate sensitive internal databases from the public web, ensuring that even a critical zero-day cannot instantly become a gateway to total corporate exposure.

FAQ SECTION

1. What caused the Nissan Americas data breach?

The breach occurred because members of the ShinyHunters extortion group exploited a critical, unauthenticated zero-day flaw (CVE-2026-35273) residing inside the PSEMHUB component of Oracle PeopleSoft PeopleTools software.

2. What exactly is a Server-Side Request Forgery (SSRF) to Remote Code Execution (RCE) flaw?

An SSRF-to-RCE vulnerability allows an unauthenticated attacker on the internet to trick an internal server into executing unexpected commands. This allows the threat actor to gain full administrative control over the machine without needing passwords or user interaction.

3. What kind of employee data was stolen from Nissan?

The compromised databases contained names, banking routing instructions, tax profiles, beneficiary documentation, and national identification records like Social Security Numbers (SSN) and Social Insurance Numbers (SIN).

4. Who are the threat actors behind this campaign?

The mass exploitation campaign was executed by UNC6240, popularly known as the ShinyHunters extortion group (or Bling Libra), an advanced cybercrime collective focused on corporate data theft and financial extortion.

5. How should organizations secure their PeopleSoft servers right now?

Beyond applying the emergency out-of-band security patch from Oracle, organizations should block external perimeter access to /PSEMHUB/* and monitor their networks for any outbound SMB traffic on TCP port 445.
