ShinyHunters Exploit Oracle PeopleSoft Zero-Day to Breach Over 100 Organizations

The cybercriminal group ShinyHunters has exploited a critical zero-day vulnerability in Oracle’s PeopleSoft software, compromising over 100 organizations, predominantly within the education sector. This campaign, active between May 27 and June 9, 2026, targeted the Environment Management component of PeopleSoft, allowing unauthorized remote code execution.

Oracle’s PeopleSoft is a widely used enterprise resource planning (ERP) system that manages essential business functions such as human resources, payroll, finance, and student administration. The specific vulnerability, identified as CVE-2026-35273, affects PeopleTools versions 8.61 and 8.62. It enables attackers to execute arbitrary code on unpatched servers without requiring authentication, posing a significant risk to organizations relying on this software.

Google’s Mandiant division, which tracks ShinyHunters under the designation UNC6240, observed that the group exploited this vulnerability as a zero-day, meaning the attacks occurred before Oracle publicly disclosed the flaw on June 10, 2026. Mandiant’s analysis revealed that the attackers utilized a combination of known and previously unknown vulnerabilities, referred to as a “gadget chain,” to achieve remote code execution on targeted systems.

Among the affected institutions, the University of Nottingham confirmed a significant data breach. Approximately 500,000 records containing sensitive information such as names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities were exfiltrated. This incident underscores the severe impact of such vulnerabilities on organizations handling large volumes of personal data.

In response to these attacks, Oracle has issued an advisory recommending immediate mitigation measures. Organizations are advised to disable the Environment Management Hub service on multi-server setups or remove the PSEMHUB application on single-server configurations. Additionally, blocking external access to specific endpoints, such as /PSEMHUB/* and /PSIGW/HttpListeningConnector, is recommended to prevent unauthorized access.

Security researchers have identified that the attackers left their tools exposed, providing insights into their methods. The exposed directories contained custom remote-management agents disguised as legitimate Microsoft Azure binaries and scripts designed for lateral movement within networks. These tools facilitated the spread of the attack by attempting to connect to other PeopleSoft systems using common administrative credentials.

Organizations utilizing PeopleSoft are urged to analyze their logs for signs of suspicious activity and initiate incident response procedures if any indicators of compromise are detected. Given the widespread use of PeopleSoft in managing critical business operations, the exploitation of this vulnerability highlights the importance of timely patching and robust security practices to protect sensitive data.
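As a starting point for that log review, the following added example (not from Oracle, Mandiant, or the original article) scans web access logs for requests from outside the network to the two endpoints named in the advisory and marks those that fall inside the reported campaign window. It assumes Apache/NGINX combined log format, UTC timestamps, and RFC 1918 internal ranges; the sample log lines and the /PSEMHUB/x path are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Endpoints the advisory says to block from external access (lowercased).
WATCHED = ("/psemhub", "/psigw/httplisteningconnector")
# Campaign window from the article: May 27 to June 9, 2026 inclusive (UTC assumed).
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))
# Assumption: these are the site's internal ranges; adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined log format: client, identity, user, [time], "METHOD target proto", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '198.51.100.23 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/x HTTP/1.1" 200 512 "-" "-"',
    '10.1.2.3 - - [28/May/2026:03:15:00 +0000] "POST /PSEMHUB/x HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [02/Jun/2026:11:00:41 +0000] "POST /psigw/HttpListeningConnector?a=1 HTTP/1.1" 500 0 "-" "-"',
    '203.0.113.9 - - [15/Jun/2026:09:30:00 +0000] "GET //%50SEMHUB/x HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.23 - - [28/May/2026:03:16:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 900 "-" "-"',
]

def is_watched(target):
    # Drop the query, percent-decode, collapse slashes and lowercase before matching.
    path = re.sub(r"/+", "/", unquote(target.split("?", 1)[0])).lower()
    return any(path == p or path.startswith(p + "/") for p in WATCHED)

def scan(lines):
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        src, ts, method, target, status = m.groups()
        try:
            ip = ipaddress.ip_address(src)
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if any(ip in net for net in INTERNAL) or not is_watched(target):
            continue
        hits.append({"src": src, "time": when, "method": method, "target": target,
                     "status": int(status), "in_window": WINDOW[0] <= when < WINDOW[1]})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(h["time"].isoformat(), h["src"], h["method"], h["target"], h["status"], h["in_window"])
```

Hits outside the window are still returned, since external requests to these endpoints are worth reviewing regardless of date. If a load balancer sits in front of the web server, the first field holds the balancer's address, so parse the forwarded client address instead.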

This incident serves as a stark reminder of the evolving tactics employed by cybercriminal groups like ShinyHunters. Their ability to exploit zero-day vulnerabilities in widely used enterprise software underscores the need for organizations to maintain vigilant security postures, promptly apply patches, and implement comprehensive monitoring to detect and respond to threats effectively.