Executive Summary
On June 25, 2026, Nissan Americas disclosed a data breach affecting current and former employees, linked to exploitation of a zero-day vulnerability in Oracle PeopleSoft software. The breach, which occurred between May 27 and June 9, 2026, was facilitated by attackers exploiting CVE-2026-35273, a critical Server-Side Request Forgery (SSRF) vulnerability in Oracle PeopleSoft PeopleTools. The incident resulted in unauthorized access to sensitive employee data, including contact information, banking details, Social Security numbers, and tax records. The ShinyHunters extortion group claimed responsibility, and technical analysis by Mandiant confirmed the use of the zero-day vulnerability. Nissan has engaged external cybersecurity experts, secured affected systems, and is working with Oracle to investigate and remediate the breach. The company is offering credit and dark web monitoring to affected individuals and has notified regulatory authorities as required. The breach underscores the risks associated with third-party enterprise software and has sector-wide implications for supply chain security and regulatory compliance.
Technical Information
The breach at Nissan Americas was enabled by exploitation of CVE-2026-35273, a critical SSRF vulnerability in Oracle PeopleSoft PeopleTools. The vulnerability allows unauthenticated remote code execution (RCE) via the Updates Environment Management component and is reached through exposed /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints. Attackers conducted automated scanning to identify vulnerable endpoints and exploited them to gain initial access.
Once inside, the attackers deployed MeshCentral, a legitimate open-source remote management tool, to maintain persistent access. The MeshCentral agents were disguised as Microsoft Azure services to evade detection. No custom malware was identified in public reporting; persistence was achieved primarily through MeshCentral.
The attack chain mapped to the MITRE ATT&CK framework includes T1210 (Exploit Public-Facing Application), T1212 (SMB/Windows Admin Shares for credential access), T1219 (Remote Access Software), T1651 (Masquerading), T1078 (Valid Accounts), T1213.006 (Data from Information Repositories: Databases), and T1560.003 (Data Staged: Compress Files).
The ShinyHunters extortion group claimed responsibility for the campaign, stating that over 300 PeopleSoft instances across 100 organizations were breached. Data stolen in these attacks has begun to appear on the group’s data leak site. The campaign was opportunistic, targeting any organization with exposed vulnerable endpoints, with a particular focus on sectors such as automotive, education, and insurance.
Technical analysis by Mandiant and confirmation from Oracle established that the exploitation window was between May 27 and June 9, 2026. Oracle released emergency mitigations on June 10, 2026, and later confirmed the vulnerability’s exploitation. The breach demonstrates the risk posed by third-party SaaS and HR platforms, especially in sectors with complex supply chains and regulatory requirements.
Affected Versions & Timeline
The affected product is Oracle PeopleSoft PeopleTools, specifically instances vulnerable to CVE-2026-35273. The exploitation window was from May 27 to June 9, 2026, as confirmed by technical analysis and vendor advisories. Nissan’s breach notification was filed on June 25, 2026, and public reporting confirmed the incident on June 29, 2026. Oracle released emergency mitigations on June 10, 2026.
Threat Activity
The threat activity was characterized by exploitation of a zero-day SSRF vulnerability in Oracle PeopleSoft PeopleTools. Attackers scanned for and exploited exposed endpoints to achieve RCE, then deployed MeshCentral agents for persistence. The ShinyHunters group claimed responsibility, and data exfiltration was confirmed by the appearance of stolen information on their leak site. The campaign targeted organizations across multiple sectors, with a focus on those using Oracle PeopleSoft for HR and payroll functions. The attackers used legitimate remote management tools, masquerading as trusted services, and staged data for exfiltration using compression utilities.
Mitigation & Workarounds
The following mitigation steps are recommended, prioritized by severity:
Critical: Immediately apply all security updates and emergency mitigations released by Oracle for CVE-2026-35273. Restrict access to PeopleSoft endpoints, especially /PSEMHUB/* and /PSIGW/HttpListeningConnector, to trusted networks only.
High: Monitor for unauthorized deployment of remote management tools such as MeshCentral, especially agents masquerading as Microsoft Azure services. Implement network segmentation to limit lateral movement from compromised endpoints.
Medium: Review and enhance identity verification procedures for payroll and HR functions. Monitor for unusual outbound SMB connections and unexpected .jsp files or directories in PeopleSoft paths.
Low: Provide security awareness training to employees regarding phishing and social engineering risks associated with data breaches. Offer credit and dark web monitoring services to affected individuals.
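One way to check past exposure of the two endpoint families named in the Critical item, as an added example (not code from Oracle, Mandiant or the referenced reports): it scans web access logs for requests to /PSEMHUB/* and /PSIGW/HttpListeningConnector from sources outside an allow-list and marks hits that fall inside the May 27 to June 9, 2026 window. The trusted networks, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumption: networks allowed to reach PeopleSoft management/integration paths.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
# Exploitation window stated in the advisory, treated here as UTC and inclusive.
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 9, 23, 59, 59, tzinfo=timezone.utc))
# Assumption: Apache/nginx "combined" access-log layout.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def is_sensitive(target):
    """True for /PSEMHUB/* or /PSIGW/HttpListeningConnector (case and '//' tolerant)."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/+", "/", path).upper()
    return (path == "/PSEMHUB" or path.startswith("/PSEMHUB/")
            or path.startswith("/PSIGW/HTTPLISTENINGCONNECTOR"))

def find_exposure(lines):
    """Return one finding per sensitive-endpoint request from an untrusted source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_sensitive(m["target"]):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # client field is a hostname; review those lines separately
        if any(src in net for net in TRUSTED_NETS):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        findings.append({"src": str(src), "time": ts, "target": m["target"],
                         "status": int(m["status"]),
                         "in_window": WINDOW[0] <= ts <= WINDOW[1]})
    return findings

# Constructed sample lines using documentation address ranges, not real indicators.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "-"',
    '10.1.2.3 - - [28/May/2026:09:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 128 "-" "-"',
    '198.51.100.9 - - [12/Jun/2026:11:30:00 +0000] "POST /psigw//HttpListeningConnector HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.7 - - [28/May/2026:03:15:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 900 "-" "-"',
]

FINDINGS = find_exposure(SAMPLE)  # two findings; only the first is inside the window
```

A hit with a 2xx status inside the window is the case to escalate; hits after the window still show the endpoint is reachable from untrusted networks and that the access restriction is not in place.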
Indicators of Compromise
Indicators of compromise (IOCs) are point-in-time and should be validated in your environment before enforcement. At the time of writing, no public indicators of compromise (such as IP addresses, domains, or file hashes) were available in the referenced sources.
References
Official breach notification (June 25, 2026): https://oag.ca.gov/system/files/June%2025%202026%20Employee%20Communication%20Cybersecurity%20Incident%20%28English%29%20%28REG%29.pdf
BleepingComputer (June 29, 2026): https://www.bleepingcomputer.com/news/security/nissan-discloses-employee-data-breach-linked-to-oracle-zero-day-attacks/
The Register (June 29, 2026): https://www.theregister.com/security/2026/06/29/nissan-says-oracle-peoplesoft-break-in-may-have-spilled-payroll-records-ssns/5263534
Oracle Security Alert (CVE-2026-35273): https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
SOC Prime (June 15, 2026): https://socprime.com/active-threats/cve-2026-35273-oracle-peoplesoft-zero-day-exploited-in-the-wild/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and software providers. Our platform enables continuous monitoring of supply chain exposures, supports rapid incident response, and assists in regulatory compliance efforts. For questions regarding this incident or to discuss how our capabilities can support your risk management program, please contact us at info@rescana.com.


