Nissan Data Breach: Oracle PeopleSoft Zero-Day Exposes Employee Data

Nissan confirmed a data breach after an Oracle PeopleSoft zero-day exposed employee financial and ID data across the Americas. Here is how it unfolded.

Stop Zero-Day Access Before It Becomes Impact
  • July 1, 2026

Nissan has confirmed a data breach that exposed sensitive employee information across the Americas. The attack exploited a zero-day flaw in Oracle’s PeopleSoft software, which Nissan uses for payroll and HR. Moreover, this incident marks yet another chapter in the automaker’s troubled security record. Employees in four countries now face the fallout, while the full scale remains unknown.

A Zero-Day That Needed No Password

The vulnerability CVE-2026-35273 that has been used by the attackers has been rated critical with CVSS 9.8 score. This vulnerability is located in the update management subsystem of the Oracle PeopleSoft software. The important thing about this bug is that it did not require any authentication or user input and worked via unencrypted HTTP connections.

The first patch to deal with this problem was issued by the company on June 10, 2026. Unfortunately, the exploitation of the flaw began on May 27, which gave the attackers some advantage.

What the Attackers Walked Away With

Nissan Americas relies on PeopleSoft to run payroll, tax records, and personnel files. As a result, the exposed data reads like an identity thief’s wish list:

  • Social Security and national ID numbers
  • Banking and direct-deposit details
  • Tax and financial records
  • Contact information
  • Dependent and beneficiary data

The breach touched current and former employees across the United States, Canada, Mexico, and Brazil. Notably, Nissan has not yet said how many people were affected. Instead, the company admitted it remains in the early stages of its investigation.

CVE-2026-35273 – Nissan Oracle PeopleSoft Zero-Day Data Breach
CVE-2026-35273 · ORACLE PEOPLESOFT
Oracle PeopleSoft
Zero-Day Data Breach
Nissan confirmed a major data breach exposing employee data across the Americas. The attack exploited a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft payroll and HR systems, impacting employees in four countries.
9.8
CRITICAL
CVSS 3.0 BASE SCORE
CRITICAL IMPACT
A Zero-Day That Needed No Password
CVE-2026-35273: Rated critical with a CVSS 9.8 score.
Location: Update management subsystem in Oracle PeopleSoft.
Zero-Auth: Worked via unencrypted HTTP with no login or user input needed.
What the Attackers Walked Away With
Scope: Current & former staff in US, Canada, Mexico, and Brazil.
Exposed Data: Social Security/IDs, banking details, taxes, contact info, beneficiary data.
Scale: Exact numbers unknown; investigation is in early stages.
Digital Fingerprints Left Behind
Malware: Azure-mimicking tools (e.g. meshagent64-azure-ops.exe).
C2 Domain: Phishing site azurenetfiles[.]net.
IP & URLs: 142.11.200.x network, targeting /PSEMHUB/hub & /PSIGW/....
Motive: Pure extortion (marked by an insulting file left on hosts).
Nissan Locks Down Payroll
Containment: Secured networks, limited payroll access to VPN/corp devices.
Verification: Added strict identity checks for direct-deposit updates.
Support: Offered free credit and dark web monitoring for affected employees.
Attribution: Blamed “an unknown vulnerability”, avoiding naming attackers.
ACTIVE EXPLOITATION: The first patch to deal with this vulnerability was issued by Oracle on June 10, 2026. However, active exploitation of the flaw began on May 27, 2026, granting attackers a critical window of opportunity before defenses could be deployed.
© 2026 XCITIUM INC. ALL RIGHTS RESERVED.

Digital Fingerprints Left Behind

The technical analysis shows that the operation is quite systematic. First, hackers used remote management tools pretending to be Azure-related services under the names like meshagent64-azure-ops.exe. Second, command traffic was directed to the phishing site which was designed to resemble regular cloud-related activities – azurenetfiles[.]net.

Several IP addresses associated with the 142.11.200.x network were discovered. In particular, the hackers exploited two vulnerable web addresses: /PSEMHUB/hub and /PSIGW/HttpListeningConnector. Finally, an insulting file was placed on the compromised hosts to declare about the successful intrusion. These evidences show that the purpose of the attack was extortion rather than encryption.

Nissan Locks Down Payroll After the Breach

Once alerted, Nissan moved fast to contain the damage. It secured affected systems and brought in outside security specialists. Additionally, it restricted payroll access to corporate computers or a secure VPN.

Employees now face extra identity checks before changing direct-deposit details. Nissan also pledged free credit and dark web monitoring for those confirmed affected. Even so, the company blamed only “an unknown vulnerability” in Oracle’s software, stopping short of naming the attackers.

One Flaw, Hundreds of Victims

Nissan was far from alone in this campaign. The ShinyHunters group claimed to have compromised more than 300 PeopleSoft systems at over 100 organizations. Universities took the hardest hit, making up most of the confirmed targets. For example:

  • The University of Nottingham saw roughly 455,000 email addresses exposed.
  • The Council of Europe reportedly lost close to 300 GB of files.
  • Insurance regulators confirmed a related intrusion.

Consequently, Nissan looks like collateral damage in a mass hunt, rather than a single hand-picked target. That distinction matters, yet it offers affected employees little comfort.

A Carmaker That Keeps Getting Hit

This intrusion comes as part of a long series of problems that Nissan faces:

  • 2023: A cyber-attack on North America caused a data breach of 53,038 employees.
  • 2024: The Akira ransomware group hacked into Nissan Oceania, compromising around 100,000 individuals.
  • 2025: Cyber attackers stole terabytes of data from the company’s design subsidiary and its partner’s code storage system.
  • 2026: Another group warned that they will expose customer-related information, which involved millions of customers.

All the above incidents show us that there are certain vulnerabilities in the company’s network of various subsidiaries and suppliers. It is evident that the situation has deeper roots than just an isolated vulnerability.

The Auto Industry’s Growing Target on Its Back

This is indicative of a trend that is affecting the whole automobile industry. Ransomware and cyber espionage now account for the majority of automotive cybersecurity attacks. Ransomware accounted for 44% of all attacks in the automotive industry in 2025 according to industry tracking which was more than twice the number recorded in 2024.

Additionally, the average cost of an industrial sector breach hit $5.56 million in 2024, the largest increase of any sector. Increasing enterprise and third-party software makes the breach easier.

Notable examples are the CDK Global breach in 2024 which locked up 15,000 dealerships while in 2025 Jaguar Land Rover was hit by an attack which stopped global manufacturing for several weeks at a model cost of £1.9 billion.

Oracle’s Software Keeps Drawing Fire

However, it is not the only instance of such security breach within a short period of time. At the same moment, another important Oracle product became the target of an ongoing attack. Namely, the exploitation of CVE-2026-46817 vulnerability in Oracle E-Business Suite with a maximum severity rating of 9.8 became widespread.

The similarities are evident but these two cases are quite different. Similarly to the issue in PeopleSoft, this vulnerability does not require any authentication and can be exploited through plain HTTP requests. Nonetheless, it affects Oracle Payments and allows attackers to read system files using path traversal. In particular, the vulnerability was patched by Oracle in May 2026. Despite that fact, the exploitation of the vulnerability increased rapidly over the weekend of June 27.

The numbers are significant. The amount of internet-scanned exposed E-Business Suite instances equals over 450. Hundreds of exploitation attempts are made each day from different continents. Also, this case is similar to another wave of extortion in 2025, when the Cl0p gang used another Oracle’s vulnerability to compromise major universities and companies.

In sum, it shows a certain tendency, according to which Oracle’s enterprise software became a prime target for the hackers due to their on-premises deployment and dependency on customers’ timely patching. To learn about technical details of this vulnerability in E-Business Suite check CVE-2026-46817.

Conclusion: When a Zero-Day Reaches Payroll

The Nissan breach shows why enterprise HR and payroll systems are now high-value targets. Oracle PeopleSoft holds the kind of data attackers can monetize quickly, Social Security numbers, national IDs, banking details, tax records, contact information, dependents, and beneficiary data. Once that layer is exposed, the breach is no longer only technical. It becomes personal, financial, operational, and legal.

This is the danger of zero-day exploitation against business-critical systems. The attacker does not need to trick an employee or steal a password. They only need one exposed path into the software that already holds the data.

Why This Threat Matters

CVE-2026-35273 gave attackers a critical window before defenders could fully react. Nissan was not alone. The same PeopleSoft campaign reportedly affected many organizations, turning one enterprise software weakness into a broad data theft and extortion operation.

  • Unauthenticated access lowers the barrier to exploitation
  • HR and payroll systems store highly sensitive employee data
  • Exposed PeopleSoft endpoints can become direct breach paths
  • Remote management tools can help attackers maintain operational control
  • C2 infrastructure can disguise activity as cloud-related traffic
  • Data theft creates extortion pressure even without encryption

For enterprises, this incident proves that business applications are not back-office systems anymore. They are breach targets.

Where Xcitium Changes the Outcome

This attack must be addressed at two points, before known exposure remains open and before zero-day exploitation turns into uncontrolled execution.

Xcitium Vulnerability Assessment helps organizations identify exposed PeopleSoft systems, vulnerable versions, risky web paths, and patch gaps once the flaw becomes known.

But zero-days create a harder problem. Attackers can move before patching is complete.

That is where Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, changes the outcome.

Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime behavior is governed before trust exists.
Remote tools, scripts, payloads, C2 activity, and follow-on execution are stopped before they become operational impact.

This is Execution Governance in practice.
Control before trust. Enforcement before impact. Proof after control.

Zero-Days Expose the Limit of Waiting

The Nissan breach proves that patch timing alone cannot be the security model. When attackers exploit enterprise software before organizations can fully respond, the decisive control must exist at runtime.

Find exposure as soon as it becomes known.
Govern unknown execution before trust is granted.
Prove control before impact.

Like what you see? Share with a friend.

Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent if from causing any damage. Zero infection. Zero damage.

Book a Demo