, ,

PeopleSoft attacks expose institutional cyber debt

Google’s Mandiant unit says ShinyHunters exploited an Oracle PeopleSoft zero-day in a campaign that reached more than 100 potentially vulnerable organisations.

PeopleSoft attacks expose institutional cyber debt
Summary
  • Google’s Mandiant and Threat Intelligence Group attribute an active PeopleSoft campaign to UNC6240, also known as ShinyHunters.
  • The campaign is consistent with exploitation of CVE-2026-35273 before Oracle’s 10 June advisory.
  • The incident exposes the risk concentrated in enterprise systems that manage HR, finance, student records, supply chains, and back-office data.

Google Cloud Security says its Mandiant and Threat Intelligence Group teams have identified an active compromise and extortion campaign targeting Oracle PeopleSoft infrastructure, attributing the activity to UNC6240, also known as ShinyHunters.

The activity was observed between 27 May and 9 June and is consistent with exploitation of CVE-2026-35273, a critical remote code execution vulnerability in the PeopleSoft Environment Management component. Google says the activity predated Oracle’s 10 June advisory, making it a zero-day campaign.

The company’s technical write-up says Google notified more than 100 global organisations whose IP addresses correlated with potentially vulnerable endpoints. Most of those organisations were in the United States, and 68% operated in higher education.

Oracle PeopleSoft is not fashionable enterprise software, but that is part of the risk profile. Systems used for HR, payroll, finance, student records, supply chains, and campus operations often sit deep inside institutions and remain critical long after executive attention has moved elsewhere. A vulnerability in that layer can expose data with direct operational, legal, and reputational consequences.

Google’s analysis says the attackers hosted customised MeshCentral agents disguised as legitimate cloud endpoints, using them to run administrative commands and support lateral movement. The recommended defensive steps include disabling or removing the Environment Management Hub service where possible, blocking external access to relevant paths, checking WebLogic access logs, reviewing web-tier filesystems for unexpected JSP files, and monitoring outbound SMB traffic.

Oracle has issued security guidance for the vulnerability. Google’s analysis treats the pre-advisory activity as zero-day exploitation, while Oracle’s public security-alert structure provides the vendor route for customers checking affected versions, patches, and mitigations.

The sector pattern is significant because higher education combines open networks, large populations, legacy platforms, research partnerships, international users, and complicated data-retention obligations. Universities are not unique in carrying this risk, but they show how attackers can use shared enterprise software exposure to reach institutions with large stores of personal and administrative data.

The incident also exposes a wider problem in institutional cyber resilience. Back-office systems are often described as administrative, yet they carry payroll, finance, procurement, student, employee, and supplier data. If those systems are compromised, the impact reaches identity protection, service continuity, regulatory reporting, contractual obligations, and trust in the institution.

Security teams need to follow Oracle and Google’s guidance, check exposure, and search for signs of compromise. The longer-term work sits with governance and investment. Asset visibility, patch capacity, third-party maintenance arrangements, segmentation, logging, and incident response all determine whether a flaw in a mature enterprise platform becomes a contained event or a public crisis.

PeopleSoft’s age does not make it marginal. In many large organisations, older enterprise systems remain the administrative spine. Attackers understand that continuity depends on those systems, even when modernisation plans, cloud migration programmes, and AI pilots dominate boardroom attention.