Nissan Employee Data Exposed in Oracle PeopleSoft Zero-Day Attack

Nissan Americas confirmed a data breach after attackers exploited CVE-2026-35273 in Oracle PeopleSoft, exposing employee data across four countries.

CSBadmin

Attack Overview and Vulnerability Details

Nissan Americas has confirmed a data breach that exposed sensitive information of current and former employees across four countries. The breach resulted from a targeted exploitation of CVE-2026-35273, a critical zero-day vulnerability in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. This flaw, rated CVSS 9.8, is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability that leads to remote code execution. It requires no authentication or user interaction and can be exploited over plain HTTP, allowing attackers with network access to vulnerable instances to gain full control.

Oracle released an emergency out-of-band security patch on June 10, 2026, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog two days later. However, exploitation began as early as May 27, 2026, over two weeks before the advisory. The campaign has been attributed to the ShinyHunters extortion group, tracked as UNC6240 or Bling Libra, which compromised more than 300 PeopleSoft instances across over 100 organizations worldwide.

Impact on Nissan and Response Measures

According to breach notifications filed with the California Attorney General’s Office, the breach window for Nissan spans May 27 to June 9, 2026. Exposed data includes contact and banking information, Social Security Numbers, Social Insurance Numbers, National Identification Numbers, financial and tax data, and dependent and beneficiary information. Employees in the United States, Canada, Mexico, and Brazil are potentially affected.

Nissan activated its incident response protocols immediately, engaging external cybersecurity specialists and law enforcement. As containment measures, the company restricted payroll system access to corporate network computers or secure VPN connections, added extra identity authentication layers for payroll requests, and is arranging free credit and dark web monitoring services for affected individuals where available.

Mitigation and Broader Implications

Organizations running PeopleTools 8.61 or 8.62 should treat patching as an emergency priority. Beyond patching, security recommendations include disabling or restricting the PSEMHUB service, blocking external access to specific URL endpoints at the network perimeter, monitoring outbound SMB traffic from PeopleSoft servers, hunting for compromise indicators even after patching, and rotating all credentials accessible from potentially compromised instances. Mandiant’s analysis shows attackers deployed MeshCentral remote management agents disguised as legitimate Microsoft Azure services, with command-and-control communications routed through a domain masquerading as Azure infrastructure.
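The recommendation above to monitor outbound SMB traffic from PeopleSoft servers can be expressed as a check over network flow records. This is an added example, not code from Oracle, Mandiant or the source article; the server addresses, the approved-peer list and the flow record layout are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Assumed inventory for this example; replace with your own.
PEOPLESOFT_SERVERS = {"10.20.5.11", "10.20.5.12"}
APPROVED_SMB_PEERS = {"10.20.9.40"}  # e.g. an internal file server
SMB_PORTS = {"139", "445"}           # compared as strings from the CSV
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (documentation addresses, not real IoCs).
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2026-06-01T02:14:07Z,10.20.5.11,10.20.9.40,445,tcp
2026-06-01T02:14:09Z,10.20.5.11,203.0.113.77,445,tcp
2026-06-01T02:15:30Z,10.20.5.12,10.20.7.200,445,tcp
2026-06-01T02:16:02Z,10.20.5.12,198.51.100.8,443,tcp
2026-06-01T02:17:45Z,10.20.8.3,203.0.113.77,445,tcp
2026-06-01T02:18:10Z,10.20.5.11,not-an-ip,445,tcp
"""

def classify(dst):
    """Return a severity for an SMB destination, or None if approved."""
    if dst in APPROVED_SMB_PEERS:
        return None
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return "review"  # unparseable destination: surface it, do not drop it
    internal = any(addr in net for net in INTERNAL_NETS)
    return "medium" if internal else "high"

def find_outbound_smb(flow_csv):
    """Return (ts, src, dst, severity) for SMB flows leaving PeopleSoft servers."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] not in PEOPLESOFT_SERVERS:
            continue
        if row["proto"].lower() != "tcp" or row["dport"] not in SMB_PORTS:
            continue
        severity = classify(row["dst"])
        if severity:
            alerts.append((row["ts"], row["src"], row["dst"], severity))
    return alerts

if __name__ == "__main__":
    for alert in find_outbound_smb(SAMPLE_FLOWS):
        print(*alert)
```

SMB to an address outside the internal ranges is rated "high", and SMB to an internal host that is not on the approved list is rated "medium", since it may be an unexpected internal connection worth reviewing.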

This incident marks the second CVSS 9.8 Oracle ERP zero-day exploited in under eight months, following the Cl0p group’s abuse of CVE-2025-61882 in Oracle E-Business Suite starting in August 2025. This pattern indicates that ERP platforms have become primary targets for organized extortion operations.

Source: Cyber Security News
