Nissan Americas confirmed a data breach affecting employees across four countries after the ShinyHunters extortion group exploited a critical Oracle PeopleSoft zero-day vulnerability tracked as CVE-2026-35273.
Imagine a car manufacturer that spent decades building trust around safety crash tests and reliable engineering suddenly finding its own employee payroll system sitting wide open to a financially motivated hacking crew.
That exact nightmare just became reality for Nissan Americas after a single unauthenticated flaw in business software most employees never even hear about gave attackers a direct path straight into Social Security numbers, banking details and tax records belonging to current and former staff across four countries.
Nissan Data Breach Oracle PeopleSoft Technical Explanation
The root cause traces back to a vulnerability tracked as CVE-2026-35273, carrying a near-maximum CVSS score of 9.8. This flaw lives inside the Updates Environment Management component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 and combines server-side request forgery with remote code execution capability in a single chain.
What makes this particular flaw so dangerous comes down to three brutal facts working together at once. No authentication is required to trigger it. No user interaction is needed at any stage. And the entire exploit runs over plain HTTP, meaning any attacker with basic network reach to a vulnerable instance can achieve full remote code execution without ever needing stolen credentials first.
Oracle pushed out an emergency out-of-band patch on June 10, 2026 once the severity became clear, and CISA added the flaw to its Known Exploited Vulnerabilities catalog only two days later. That speed of response sounds reassuring until you look at the actual exploitation timeline. Mandiant and Google Threat Intelligence Group traced active exploitation back to May 27, 2026, which sits more than two weeks before Oracle ever issued a public advisory.
The threat group behind this campaign, known as UNC6240 and more widely recognized under the name ShinyHunters, used automated attack scripts to compromise over 300 separate PeopleSoft instances spread across more than 100 organizations worldwide during that quiet two-week window before defenders even knew a problem existed.
Nissan Americas confirmed through official breach notifications filed with the California Attorney General's Office that it sat directly inside this broader campaign rather than getting caught as collateral damage. The confirmed breach window spans May 27 through June 9, 2026, which lines up almost exactly with the pre-disclosure exploitation period researchers identified.
Data potentially exposed during that window includes contact and banking information; Social Security Numbers, Social Insurance Numbers and National Identification Numbers; financial and tax records; and dependent and beneficiary information tied to current and former employees across the United States, Canada, Mexico and Brazil.
Mandiant's analysis of the intrusion reveals a level of operational sophistication well beyond a smash-and-grab data theft. ShinyHunters deployed MeshCentral remote management agents on compromised hosts while disguising the malicious executable as a legitimate Microsoft Azure service component named meshagent64 azure ops exe. Command and control communications routed through a domain built specifically to mimic Azure infrastructure naming conventions, which made the malicious traffic blend convincingly into normal enterprise cloud activity for anyone doing a quick surface-level review of network logs.
Post-exploitation activity followed a deliberate, methodical pattern rather than rushed opportunistic theft. Attackers performed internal PeopleSoft configuration reconnaissance before running lateral movement scripts designed to expand access across connected systems.
Data exfiltration relied on zstd compression to shrink stolen records before transfer, which speeds up exfiltration while reducing the chance of triggering bandwidth-based anomaly alerts. Compromised servers carried a calling-card file named README IF YOU SEE THIS YOUVE BEEN HACKED.TXT, which fits the group's known extortion playbook of leaving unmistakable proof behind once they finish their work inside a target environment.
ShinyHunters Indicators Of Compromise And Mitigation Steps
Security teams hunting for signs of this specific campaign should watch closely for staging and command infrastructure tied to the IP range 142.11.200.186 through 142.11.200.190, alongside the masquerading domain azurenetfiles[.]net. The malicious MeshCentral payload carries a specific SHA-256 hash beginning with f02a924c9ff92a8780ce812511341182, a file defenders should flag immediately if discovered anywhere inside their environment.
Network monitoring should specifically target the two exploitation endpoints used throughout this campaign, the PSEMHUB hub path and the PSIGW HttpListeningConnector path, which together formed the actual SSRF-to-RCE exploitation chain attackers relied on across every confirmed victim.
Organizations still running PeopleTools 8.61 or 8.62 anywhere in their environment need to treat patching as an absolute emergency priority rather than a routine maintenance task scheduled for next quarter. Rapid7 and Mandiant both recommend disabling or strictly restricting the PSEMHUB service entirely and blocking external access to both vulnerable endpoint paths at the network perimeter as an immediate stopgap wherever patching cannot happen instantly.
Security teams should also monitor outbound SMB traffic on port 445 originating from PeopleSoft servers specifically watching for external NetNTLM hash capture attempts since this technique frequently appears alongside SSRF exploitation chains targeting enterprise resource planning platforms.
Given that confirmed exploitation activity predates Oracle's official advisory by a full two weeks, every organization running affected PeopleSoft versions should actively hunt for compromise indicators even after applying the patch rather than assuming patching alone resolves any prior unauthorized access. Rotating every credential accessible from potentially compromised PeopleSoft instances represents a non-negotiable step, since stolen service account or administrative credentials often provide attackers a quieter, persistent foothold long after the original vulnerability gets closed.
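A log-sweep sketch for the indicators and monitoring advice above, added here as an illustration and not code from Mandiant, Rapid7, Oracle or Nissan: it flags access-log requests to the two exploitation endpoints from outside the corporate ranges, outbound connections to the staging range, the masquerading domain or external SMB, and file hashes matching the published prefix. The URL paths /PSEMHUB/hub and /PSIGW/HttpListeningConnector, the RFC 1918 internal ranges and the sample log lines are assumptions.

```python
import ipaddress
import re
# Indicators quoted in the article; the SHA-256 is only the published prefix.
STAGING_FIRST, STAGING_LAST = ipaddress.ip_address("142.11.200.186"), ipaddress.ip_address("142.11.200.190")
MASQ_DOMAIN = "azurenetfiles.net"
MESHAGENT_SHA256_PREFIX = "f02a924c9ff92a8780ce812511341182"
# Assumed URL paths for the two PeopleSoft endpoints the article names.
EXPLOIT_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
# Assumed corporate address space; adjust to your own environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Combined-format web access log: client ident user [time] "method path proto" status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def is_staging_ip(ip):
    return STAGING_FIRST <= ipaddress.ip_address(ip) <= STAGING_LAST

def scan_access_log(lines):
    """(src, method, path, status) for requests to the exploitation endpoints from outside the corporate network."""
    matches = (ACCESS_RE.match(line) for line in lines)
    return [m.groups() for m in matches
            if m and m.group(3).startswith(EXPLOIT_PATHS) and not is_internal(m.group(1))]

def scan_outbound(conns):
    """conns: (host, dst_ip, dst_port, hostname). Flag the staging/C2 infrastructure and external SMB egress."""
    alerts = []
    for host, dst, port, name in conns:
        if is_staging_ip(dst) or name == MASQ_DOMAIN or name.endswith("." + MASQ_DOMAIN):
            alerts.append((host, "c2-infrastructure", f"{name or dst}:{port}"))
        if port == 445 and not is_internal(dst):
            alerts.append((host, "external-smb", f"{dst}:445"))
    return alerts

def matches_meshagent(sha256_hex):
    """True when a file's SHA-256 starts with the published prefix of the disguised MeshCentral agent."""
    return sha256_hex.lower().startswith(MESHAGENT_SHA256_PREFIX)

# Constructed sample data for a stand-alone run; these are not real logs.
SAMPLE_ACCESS = [
    '203.0.113.7 - - [28/May/2026:02:14:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.40 - - [28/May/2026:08:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 9812',
    '198.51.100.9 - - [28/May/2026:02:14:05 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 233',
]
SAMPLE_CONNS = [
    ("psft-app01", "142.11.200.188", 443, "api.azurenetfiles.net"),
    ("psft-app01", "203.0.113.50", 445, ""),
    ("psft-app02", "10.1.1.5", 445, ""),
]
```

Internal Environment Management agents legitimately check in to the PSEMHUB path, so the source-address filter is what keeps those from being flagged; tune INTERNAL_NETS before running this against real logs.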
For Nissan specifically the company activated incident response protocols immediately upon notification bringing in external cybersecurity specialists while cooperating with law enforcement throughout the investigation.
As a direct containment measure payroll system access including pay slip viewing and direct deposit changes now requires connection through corporate network computers or secure VPN sessions paired with additional identity authentication layers before any payroll request gets processed. The company is also arranging free credit monitoring and dark web monitoring services for affected individuals wherever those protections remain available based on regional regulations.
This Nissan breach marks the second time in under eight months that a CVSS 9.8-rated zero day targeting major Oracle enterprise resource planning software has fueled a large-scale extortion campaign. The earlier incident involved the Cl0p group abusing CVE-2025-61882 inside Oracle E-Business Suite starting back in August 2025. That repeated pattern signals something far bigger than a single unlucky vulnerability disclosure.
Enterprise resource planning platforms have become industrialized primary targets for organized extortion groups precisely because these systems sit at the center of payroll human resources and financial operations across thousands of large organizations simultaneously, making a single zero day inside one widely deployed platform capable of generating victims by the hundreds within just a few weeks of quiet undetected exploitation.
Every organization running Oracle PeopleSoft, Oracle E-Business Suite or similar enterprise resource planning infrastructure should treat this Nissan incident as confirmation that patch timelines alone no longer provide adequate protection against financially motivated groups now operating with automated exploitation scripts capable of compromising hundreds of targets before any vendor advisory even goes public.