DEV Community: Etairos.ai

ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach 100+ Universities

Etairos.ai — Fri, 12 Jun 2026 01:01:07 +0000

TL;DR

what: ShinyHunters exploited CVE-2026-35273, an unauthenticated remote code execution zero-day in Oracle PeopleSoft PeopleTools 8.61 and 8.62, between May 27 and June 9, 2026.
impact: Over 100 organizations breached—68% universities—with at least 455,000 email addresses and sensitive student data including passport numbers and disability details leaked from confirmed victims like the University of Nottingham.
fix: Apply Oracle's PeopleTools patch once available via My Oracle Support; immediately disable PSEMHUB service or block external access to /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints.
who: Any organization running Oracle PeopleSoft PeopleTools 8.61, 8.62, or earlier unsupported versions with Environment Management Hub accessible over HTTP—especially universities and enterprises with public-facing ERP systems.

The ShinyHunters extortion crew exploited an unauthenticated remote code execution zero-day in Oracle PeopleSoft to breach more than 100 organizations between May 27 and June 9, 2026. Oracle did not publish its advisory until June 10, leaving every victim exposed during the entire two-week attack window. Google's Mandiant attributes the campaign to UNC6240 and confirms universities bore the brunt: 68 percent of notified organizations were in higher education, most of them in the United States.

The Vulnerability: CVE-2026-35273

CVE-2026-35273 is a 9.8-severity flaw in PeopleSoft Enterprise PeopleTools that requires no authentication, no user interaction, and only network access over HTTP. The vulnerability sits in the Updates Environment Management component—the code behind the Environment Management Hub (PSEMHUB). Oracle lists PeopleTools 8.61 and 8.62 as affected and warns that earlier, unsupported versions are likely vulnerable as well.

If your PeopleSoft Environment Management Hub is reachable from the internet, you have exposure. Mandiant CTO Charles Carmakal confirmed active exploitation in the wild. Oracle credited researchers from TrendAI Zero Day Initiative and TrendAI Research for the discovery but has not publicly acknowledged whether it observed exploitation before patching.

⚠️ Immediate Action Required — Oracle advises disabling the Environment Management Hub service on multi-server deployments or removing the PSEMHUB application entirely on single-server setups. If neither is feasible, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter. WAF body-inspection rules alone are insufficient—restrict the endpoints at the network layer.

Operational Security Failure Exposed the Attack Infrastructure

The campaign came to light because the attackers left their staging servers exposed. Security researcher @nahamike01 flagged open directories on five sequential IP addresses running Python's SimpleHTTP server on port 8888. Mandiant triaged the servers and found a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script named [victim]_fanout.sh.

The MeshCentral agents called home to a command-and-control server at azurenetfiles.net, a domain designed to resemble Azure NetApp Files. The lateral-movement script spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file—README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT—into PeopleSoft directories. The bash history shows stolen data compressed with zstd and an outbound SSH connection to the server hosting the public mirror of the ShinyHunters leak site.

Confirmed Victim: University of Nottingham

The University of Nottingham is one of the first publicly confirmed victims. Have I Been Pwned has counted approximately 455,000 unique email addresses in the leaked dataset, covering current students and alumni. The exposed data includes names, addresses, phone numbers, passport numbers, and sensitive details on ethnicity and disabilities. The university has confirmed the breach.

ShinyHunters has stated that victim outreach has only just started and that it has not yet posted most of the organizations it claims to have compromised. More names are likely coming.

Hunt for Indicators of Compromise

Mandiant recommends immediate threat hunting for signs of exploitation, even if you have already applied mitigations. The following indicators suggest an existing compromise:

WebLogic access logs showing external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector
Unexpected .jsp files under the PSEMHUB.war web application directory
Odd folders named logs, persistantstorage, or scratchpad under PSEMHUB paths
Recently modified .xml files under the web doc root's envmetadata/data/environment directory, which can be abused for XMLDecoder persistence that executes on the next server restart
Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations, which the exploit chain may use to capture machine-account NetNTLM hashes

Patch Status Unclear — Oracle's advisory points to a patch availability document behind a support login, and whether a full fix is broadly available remains unclear. The operational guidance centers on mitigation rather than patching. Apply Oracle's update for your PeopleTools version as soon as you confirm it is available in My Oracle Support.

ShinyHunters Levels Up

This campaign represents a tactical shift for ShinyHunters. The group has historically leaned on vishing, stolen tokens, and weak access controls to steal data from SaaS and education platforms—from Salesforce customers to Canvas LMS deployments. A server-side zero-day in on-premises ERP software is a significant step up, aimed at the same data-rich targets but exploiting infrastructure that enterprises typically consider more secure than cloud SaaS.

The open question is whether CVE-2026-35273 was a one-off borrowed zero-day or the start of ShinyHunters moving into ERP exploitation as a core capability. Either way, the campaign demonstrates that extortion crews are expanding their toolkit beyond credential stuffing and social engineering. Universities and enterprises running legacy on-premises ERP systems should treat this as a wake-up call: attackers are now investing in zero-day research targeting the software that houses your most sensitive data.

Recommendations

Disable the Environment Management Hub service or remove PSEMHUB application if operationally feasible
Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter—network-layer restrictions, not just WAF rules
Hunt for the IOCs listed above in WebLogic logs, file system, and network traffic
Apply Oracle's PeopleTools patch for CVE-2026-35273 as soon as it is confirmed available in My Oracle Support
Review all internet-facing PeopleSoft endpoints and restrict access to only trusted networks where possible
Monitor for outbound connections to azurenetfiles.net and any unusual SSH or SMB traffic from ERP hosts

Originally published on RedEye Threat Intelligence.

OpenClaw AI Agent Exploited Through Hidden Contact Prompts and Social Engineering

Etairos.ai — Thu, 11 Jun 2026 23:15:44 +0000

TL;DR

what: Researchers demonstrated OpenClaw AI agent executes hidden commands in contacts/vCards and leaks credentials through believable phishing emails without user interaction.
impact: Agents with memory enabled can be compromised by widely-shared contacts; agents forward AWS keys, database credentials, and customer data to external addresses from single emails.
fix: Update to OpenClaw 2026.4.23 for prompt-injection fix; implement strict agent permissions, sandbox environments, and require human confirmation for credential/data operations.
who: Organizations running self-hosted OpenClaw agents with access to messaging platforms, credential stores, file systems, and sensitive business data.

OpenClaw, the popular self-hosted AI agent platform, is vulnerable to two distinct attack vectors that turn its autonomous capabilities against organizations. Imperva Security demonstrated prompt injection through seemingly innocuous shared contacts, while Varonis Threat Labs showed that plain-English phishing emails bypass the agent's built-in verification rules. Both attacks exploit the same fundamental weakness: OpenClaw trusts incoming data and has broad access to sensitive systems.

Contact Names as Attack Vectors

Imperva researcher Yohann Sillam discovered that OpenClaw serializes message objects—shared contacts, vCards, and location pins—directly into LLM prompts without marking them as untrusted input. When the agent processes a shared contact, it flattens the data into a simple format: . Because angle brackets are legal characters in contact names, an attacker can inject additional instructions that the model interprets as legitimate commands.

The attack surface is invisible to victims. WhatsApp truncates contact names in the UI, hiding the malicious payload from both the person sharing the contact and the recipient. The same technique works through vCard full-name fields and location pin labels. In tests against Google Gemini 3.1 Pro, Imperva's hidden instructions successfully commanded the agent to download and execute scripts from researcher-controlled servers.

⚠️ Memory Amplifies Risk — OpenClaw enables memory by default, meaning a single poisoned contact shared across a team or organization can compromise every agent that processes it. Without sandboxing, the injected command persists and executes whenever the agent recalls the associated conversation.

The vulnerability exists because OpenClaw handles web-scraped content differently than messaging data. Content fetched from the internet gets wrapped in an untrusted-content boundary marker; message objects do not. This inconsistency creates a bypass: attacks embedded in images typically fail because models have been trained on those examples, but the message-object route remains undertrained and effective.

OpenClaw shipped a fix in version 2026.4.23 that moves contact names, vCard fields, and location labels into a separate untrusted-metadata channel outside the main prompt. Imperva noted the same flattening pattern exists in other personal AI assistants, indicating the problem extends beyond one platform.

Social Engineering Beats Technical Controls

Varonis Threat Labs approached OpenClaw from a different angle. The team built a test agent named Pinchy, connected it to Gmail, populated the inbox with synthetic business emails and mock secrets, then ran four phishing scenarios against Google Gemini 3.1 Pro and OpenAI Codex GPT-5.4. The agent operated under a strict profile explicitly configured to verify sender identity before taking sensitive actions.

Both exfiltration tests succeeded. In the first scenario, an email impersonating a team lead named Dan requested staging credentials during a fabricated production incident. The message came from an external Gmail address. Pinchy located the credentials and forwarded mock AWS IAM access keys, database connection strings, and SSH credentials in plaintext to the attacker-controlled address. The second test used a routine request for a weekly customer export, framed as needed for a quarterly business review. The agent sent a synthetic dataset containing 247 enterprise customer records, including contact details and contract values.

Technical vs. Social Threats — The same agent successfully detected and blocked technical threats. It identified a gift-card phishing site and withheld credentials. On a malicious OAuth consent screen disguised as a timesheet app, it inspected the redirect target, flagged it as suspicious, and stopped. Urgency and routine social pretexts bypassed judgment that technical anomalies did not.

Varonis distinguishes this from classic prompt injection. They call it agent phishing: a believable request through a normal channel that succeeds because the agent prioritizes helpfulness over verification. The strict sender-verification rule existed in the agent's configuration. Urgency overrode it in the first test; the routine nature of the request beat it in the second. OpenAI Codex GPT-5.4 showed more caution than Gemini 3.1 Pro about sending data to external sites without confirmation, but both models fell for the social engineering.

The Lethal Trifecta

Varonis maps both attack classes to what security researcher Simon Willison calls the lethal trifecta: an agent with the ability to read private data, ingest untrusted input, and send information outbound. OpenClaw ships with all three capabilities enabled. It has file-system access, shell execution rights, and integrations with more than twenty messaging platforms including Slack, Discord, Microsoft Teams, WhatsApp, and Matrix.

The trust boundary problem is not limited to prompts. A separate analysis from InfoSec Write-ups converted OpenClaw's past security advisories into static-analysis rules, then applied them to the platform's channel extensions. The scan identified five additional vulnerabilities across Slack, Discord, Matrix, Zalo, and Microsoft Teams integrations. All five shared the same root cause: startup code resolved channel allowlists by mutable display name rather than stable user ID. An attacker who changed their display name to match an authorized user could bypass the allowlist and issue commands to the agent. OpenClaw has patched these flaws.

Mitigation and Operational Reality

The prompt-injection vector has a patch. Organizations running OpenClaw must update to version 2026.4.23 or later. The social-engineering vector does not have a code fix because it exploits the agent's design, not a bug. Varonis recommends limiting agent permissions through capability restrictions:

Require human confirmation before any operation that accesses credentials, reads sensitive files, or sends data outside the organization.
Restrict agent access to credential stores, SSH keys, and API tokens. Use read-only access where possible.
Sandbox agent execution environments to contain code-execution attacks and limit lateral movement.
Implement sender validation at the infrastructure level—verify domain and email authentication before messages reach the agent.
Disable or constrain memory features for agents with access to high-value data, reducing the persistence window for injected instructions.

OpenClaw's appeal is its autonomy and breadth of access. Organizations deploy it precisely because it can act independently across messaging platforms, file systems, and external APIs. The security challenge is that those same capabilities make it an attractive target. The agent cannot distinguish between a legitimate urgent request from a colleague and a well-crafted impersonation. Models improve at detecting malformed URLs and obviously fake login pages, but struggle with context-appropriate social requests that a human would question.

OpenClaw has faced a steady stream of prompt-injection and data-exfiltration warnings since launching late last year. The Dutch data protection authority has raised concerns about the platform's default permissions and data-handling practices. Both Imperva and Varonis note that the underlying architectural issues—trusting inbound data, granting broad access, lacking robust sender verification—are common across the emerging AI agent category, not unique to one product.

Risk Calculus

For security and IT teams evaluating or operating OpenClaw deployments, the threat model is clear. A poisoned contact shared in a company-wide channel can compromise every agent instance that processes it if memory is enabled. A single convincing email can exfiltrate credentials or customer data even when verification rules are configured. The attack surface is not a bug to be patched away; it is the product's design. The value proposition—an agent that autonomously handles tasks across platforms—creates the exposure.

Organizations must decide whether the productivity gains justify the risk, and if they proceed, implement defense in depth: patching to 2026.4.23 immediately, sandboxing agent execution, requiring human approval for sensitive operations, and monitoring outbound data flows for anomalies. The research from Imperva and Varonis demonstrates that AI agents are not merely productivity tools; they are privileged identities with access that adversaries will target, using both technical exploits and social engineering that the models are not yet equipped to resist.

Originally published on RedEye Threat Intelligence.