...

ServiceNow, Then PeopleSoft: Why the Same Endpoint Failure Keeps Repeating

Picture of Puneet Tutliani
Puneet Tutliani
Co-founder & CEO

TL;DR 

  • ServiceNow disclosed in June 2026 that a misconfigured endpoint exposed customer data to anyone who asked, no authentication required.
  • Three weeks later, Nissan disclosed a breach exposing SSNs, banking data, and payroll records for employees in the US, Canada, Mexico, and Brazil; root cause: an unauthenticated SSRF-to-RCE flaw in Oracle PeopleSoft.
  • Different vendors, different products, identical root failure: an endpoint that never checked who was calling.
  • In the PeopleSoft case, access wasn’t the whole attack. Attackers chained it into RCE, disguised persistence, internal recon, and staged exfiltration.
  • Volume-based detection catches spikes. Business logic security catches the failure itself; missing authorization checks and the chains they enable at any stage, before data leaves.

A Pattern, Not a One-Off 

Three weeks ago, it was ServiceNow: an endpoint that never asked who was calling, exposing customer data to anyone who asked. This time it’s Oracle PeopleSoft, exploited at scale by the threat actor ShinyHunters. 

Two platforms, two different vendors, the same root failure: an endpoint that skipped the one question it existed to ask. That’s not a coincidence you write off as bad luck at two companies. It’s a pattern, and it’s worth naming as one before a third company becomes the next case study.

ServiceNow (June 2026) Oracle PeopleSoft (May–June 2026)
Endpoint misconfiguration skipped an authentication check  Endpoint had no authentication check at all, chained into RCE
Customer data exposed to any callerEmployee SSNs, banking data, and payroll records exposed
Single-stage exposure; no further exploitation neededMulti-stage attack: RCE, disguised persistence, recon, staged exfiltration
Missed because requests were technically valid 
Missed because each stage looked like routine ERP traffic

What Happened

On June 5, 2026, ServiceNow pushed a security update to hosted customer instances after discovering that an endpoint let unauthenticated users access more data than intended; no exploit, no credentials, just a boundary that should have required authentication and didn’t. Defenders outside the initially disclosed scope later reported evidence of external access in their own logs. We covered that incident in detail here

Three weeks later, a structurally similar story played out at a different company running a different platform.

Nissan Americas confirmed in a filing with the California Attorney General’s office that current and former employees across the US, Canada, Mexico, and Brazil may have had Social Security numbers, banking details, payroll records, and tax data exposed. Nissan uses Oracle PeopleSoft to manage payroll, tax administration, and personnel records for its Americas workforce. 

Nissan wasn’t targeted alone. The ShinyHunters extortion group, tracked by Mandiant and Google’s Threat Intelligence Group as UNC6240, ran the campaign at scale: 

  • 300+ PeopleSoft instances compromised 
  • 100+ organizations affected 
  • 14 days of active exploitation before a patch existed 

Exploitation ran May 27 to June 9, 2026, two weeks before Oracle’s June 10 emergency patch, and well before the CVE landed on CISA’s Known Exploited Vulnerabilities catalog. 

The entry point, CVE-2026-35273, is an unauthenticated SSRF flaw in PeopleSoft’s PSEMHUB component, rated CVSS 9.8, exploitable over plain HTTP with no credentials. From there, attackers chained it into full remote code execution, deployed remote-access agents disguised as Azure services, mapped PeopleSoft configuration data, and compressed records before moving them out. 

Why This Is a Business Logic Flaw 

Every breach retrospective wants one root cause. Here it’s tempting to say “unauthenticated endpoint” and stop. That’s accurate, but it’s not the whole story. 

The endpoint is where this attack started. It’s not what made it a breach. What made it a breach was everything that happened next: RCE, disguised persistence, internal recon, staged exfiltration, none of which required a credential, and none of which was being watched. 

Call this “an unauthenticated API endpoint” and the story stops at stage one. Follow what happened after access, and a different picture forms: five stages, only one of which is authentication. 

  • Unauthenticated access: The door with no lock. Most coverage stops here. 
  • SSRF chained into RCE: Should this endpoint ever be able to trigger code execution at all? 
  • Disguised persistence: Does this system have any legitimate reason to talk to this destination? 
  • Internal reconnaissance: Is this the pattern of a scheduled job, or of something exploring? 
  • Staged, compressed exfiltration: Has HR data ever left through this path before? 

None of stages two through five are about credentials. They’re about whether an action fits the workflow it claims to be part of, and that only shows up if something is mapping the workflow itself, not just checking who’s logged in. 

Why It Matters 

A zero-day means the patch didn’t exist yet. It doesn’t mean the attack was invisible. Every stage after initial access was a workflow anomaly, and workflow anomalies don’t need a known CVE to be caught. 

  • “Internal” isn’t a security tier. PeopleSoft gets treated as back-office infrastructure, not an internet-facing attack surface. That assumption let a critical, unauthenticated, HTTP-reachable RCE sit unnoticed across 300+ instances. 
  • Patch timing can’t be the primary control. Nissan’s exposure window closed before Oracle’s advisory even existed. “Patch fast” always loses to a flaw nobody has named yet. 
  • Attackers now design around behavioral detection. Disguised C2 traffic and compressed, staged exfiltration are both deliberate moves to stay under volume-based thresholds. 
  • The blast radius is a business question. This was SSNs, banking details, and payroll data for a global workforce, the kind of exposure that turns into identity theft and years of downstream liability. 

Where This Should Have Been Stopped 

Authentication is one control, and it failed here, but it was never going to catch stages two through five. Closing that gap means watching the business logic path an attack takes, not just the door it walked through. 

See the endpoint before an attacker does 

AppSentinels’ discovery and posture management continuously maps every API and endpoint, including the shadow and orphaned ones legacy ERP platforms accumulate over time, the kind of exposure PSEMHUB represents, surfaced before it becomes an advisory. 

Model what a legitimate workflow looks like 

AppSentinels builds a business logic graph of how users, APIs, and systems are supposed to interact. A payroll system pulling one employee’s record is normal. The same system chaining into compressed bulk transfer is not regardless of whether the volume looks unusual on its own. 

Catch the chain at any stage, not just the exfil 

Waiting for the bulk transfer to trigger an alert means the attacker already won stages one through four. AppSentinels’ runtime protection flags and blocks business logic violations in real time, including at the access and reconnaissance stages. 

Move from visibility to intent 

Knowing a system can reach an endpoint isn’t enough. The real question is whether what it’s doing there matches business intent visibility isn’t security, understanding intent is. 

The Key Takeaway 

Unauthenticated endpoints will keep shipping. Zero-days will keep landing before patches exist. Neither is fully preventable. What is preventable is treating everything after initial access as invisible by default. Four of five stages here had nothing to do with credentials and none were caught, because nothing was checking whether they matched the workflow they claimed to be part of. Business logic security closes that gap, at whichever stage the attacker is standing in.

Schedule a demo to get a walkthrough of how AppSentinels maps your API and AI attack surface before an attacker does. 

FAQs

1. What is business logic security? +

Business logic security protects the workflows, rules, and sequences of actions that govern how an application is supposed to operate, not just individual technical controls like authentication. It catches abuse where no single step looks malicious on its own, but the sequence doesn’t fit the system’s intent.

2. What is a business logic graph? +

A live map of how users, APIs, and systems are meant to interact within an application: expected sequences, roles, and data flows. It gives security tools a baseline of legitimate behavior, so deviations can be flagged even when the individual requests involved are technically valid.

3. How is business logic security different from traditional API security? +

Traditional API security focuses on known vulnerability classes at a single endpoint: injection, broken auth, misconfiguration. Business logic security looks at how multiple valid calls chain together across a workflow, catching abuse that uses legitimate functionality in unintended ways.

4. Why do zero-day exploits often go undetected until it’s too late? +

No patch or signature exists yet, so detection relying on known vulnerabilities can’t catch the initial exploit. But what an attacker does after gaining access, recon, lateral movement, data staging, is often visible as a workflow anomaly, even when the entry technique itself is unknown.

5. How can organizations tell if their APIs are exposed to business logic abuse? +

Start with continuous API discovery to find every endpoint in use, including undocumented or legacy ones. From there, map the expected sequence of calls for each critical workflow and monitor for deviations: calls out of order, unusual volumes, or sources with no legitimate reason to be in that workflow. Traditional vulnerability scanning won’t surface this, since it looks for known flaws rather than misuse of valid functionality.

Table of Contents

Related Content