A critical Oracle PeopleSoft vulnerability is being actively exploited by attackers linked to ShinyHunters, putting more than 100 organizations, especially universities, at risk.
Quick Summary – TLDR:
- ShinyHunters linked attackers exploited a critical Oracle PeopleSoft zero day before Oracle publicly disclosed it.
- More than 100 organizations were identified as potentially exposed, with 68% belonging to the higher education sector.
- Attackers allegedly stole sensitive student, billing, payment, and campus data and published some of it on a data leak site.
- Security researchers are urging organizations to apply mitigations immediately and review systems for signs of compromise.
What Happened?
Security researchers from Google Threat Intelligence Group (GTIG) and Mandiant have linked an ongoing extortion campaign to the exploitation of a critical Oracle PeopleSoft vulnerability tracked as CVE-2026-35273. The flaw affects the Environment Management component of PeopleSoft and allows attackers to execute code remotely without authentication.
The campaign was observed between May 27 and June 9, 2026, several days before Oracle publicly warned customers about the vulnerability, making it a true zero day attack.
🚨 ShinyHunters is exploiting an Oracle PeopleSoft vulnerability (CVE-2026-35273) as part of an extortion campaign targeting higher education.
— Mandiant (part of Google Cloud) (@Mandiant) June 11, 2026
Read the full analysis, and get IOCs and remediation guidance to stay ahead of the threat: https://t.co/Tk1qTbMkEy pic.twitter.com/PFZZbYa6II
Attackers Target Universities and Large Organizations
According to researchers, the campaign primarily targeted organizations running internet facing Oracle PeopleSoft environments. More than 100 organizations worldwide were identified as potentially exposed, with the majority located in the United States.
One of the most striking findings was the concentration of victims in the education sector. Researchers found that 68% of identified targets were universities and higher education institutions, making academic organizations the primary focus of the campaign.
While some organizations successfully blocked the intrusion attempts or quickly remediated vulnerable systems, others suffered confirmed compromises. In those cases, stolen information was later published on the ShinyHunters Data Leak Site.
The attackers claimed to possess more than 40 GB of sensitive information, including billing records, payment details, student finance information, and campus portal exports.
Oracle Confirms Critical Security Risk
Oracle issued a security advisory warning customers about the flaw and recommended immediate action. The vulnerability carries a CVSS score of 9.8, placing it among the most severe security issues.
The flaw affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Oracle advised customers to implement available mitigations and ensure they are running supported software versions.
Researchers noted that the vulnerability can be exploited remotely through the internet without requiring a username, password, or any other form of authentication. This significantly lowers the barrier for attackers seeking initial access.
Customized Tools Helped Attackers Maintain Access
After gaining entry, the threat actors deployed a customized version of MeshCentral, an open source remote management platform commonly used for legitimate administrative purposes.
Investigators discovered that the attackers disguised the software as Microsoft Azure related services using filenames designed to appear legitimate. The malware communicated with infrastructure that mimicked trusted cloud services, helping it avoid suspicion.
Once installed, the tool allowed attackers to execute commands remotely, perform reconnaissance, and maintain ongoing access to compromised environments.
Researchers also uncovered evidence of scripts designed to spread across internal systems, conduct credential spraying, and leave extortion messages on affected servers.
Attacker Mistakes Exposed the Operation
The investigation gained momentum after security researcher @nahamike01 discovered publicly accessible attacker infrastructure.
Exposed directories revealed staging materials, customized malware, command histories, and operational artifacts that gave researchers an unusual look into how the campaign was conducted.
Google investigators analyzed five exposed servers that contained attacker tools, deployment files, and records of commands executed against victim environments. These operational mistakes helped researchers better understand the tactics, infrastructure, and objectives behind the attacks.
Security Experts Warn of Growing ERP Threats
The incident highlights the growing focus on enterprise resource planning systems, which often contain highly sensitive business and personal information.
James Davison, Chief Strategy Officer at Pathlock, warned that ERP platforms are becoming increasingly attractive targets for attackers. He stressed that organizations need stronger security controls, continuous monitoring, and better visibility into user activity to identify suspicious behavior before major damage occurs.
Researchers are urging organizations running Oracle PeopleSoft to review logs, investigate unusual activity, restrict access to sensitive endpoints, monitor for unauthorized MeshCentral installations, and apply Oracle’s recommended mitigations as quickly as possible.
SQ Magazine Takeaway
I think this attack stands out because it shows how valuable ERP systems have become to cybercriminals. Universities and large organizations store enormous amounts of financial, employee, and student information in PeopleSoft environments.
When a vulnerability can be exploited without authentication, attackers gain a significant advantage. The fact that this campaign began before Oracle publicly disclosed the flaw makes it even more concerning. For organizations still relying on exposed PeopleSoft systems, this should be treated as an immediate security priority rather than a routine software update.
