Google has confirmed that a critical vulnerability in PeopleSoft, addressed by Oracle this week, has been actively exploited by the cybercriminal group ShinyHunters. The attackers used it as a zero-day to steal sensitive information from multiple organizations.
Details of the PeopleSoft Vulnerability
Oracle issued an urgent advisory for CVE-2026-35273, a severe unauthenticated remote code execution vulnerability affecting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, along with PeopleSoft Enterprise Applications. Oracle has provided interim mitigations, but full patches have yet to be released.
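Because only interim mitigations exist so far, the first job for a defender is to find every PeopleSoft instance running an affected PeopleTools release and rank it by exposure. The following is an added example, not code from the article, Google, or Oracle; the inventory records, the `internet_exposed` and `interim_mitigation_applied` fields, and the priority scheme are constructed assumptions, and the affected-version set reflects only the two releases the advisory names (the exact affected patch levels must be confirmed against Oracle's advisory).

```python
"""Triage a PeopleSoft asset inventory for PeopleTools releases named in the
CVE-2026-35273 advisory (8.61 and 8.62) and rank each hit by exposure.

Added example with a constructed inventory; field names are assumptions.
"""
from dataclasses import dataclass

# Major.minor pairs the advisory names as affected. Confirm exact patch
# levels against Oracle's advisory before relying on this set.
AFFECTED_MAJOR_MINOR = {(8, 61), (8, 62)}

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "unknown": 3}


@dataclass
class Asset:
    host: str
    peopletools_version: str        # e.g. "8.62.05"; may be "unknown"
    internet_exposed: bool          # reachable from the internet?
    interim_mitigation_applied: bool  # Oracle's interim mitigation in place?


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "8.62.05" into (8, 62, 5); non-numeric input yields an empty tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return ()
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the major.minor pair is one the advisory lists."""
    parsed = parse_version(version)
    return len(parsed) >= 2 and parsed[:2] in AFFECTED_MAJOR_MINOR


def triage(assets: list[Asset]) -> list[tuple[str, str, str]]:
    """Return (host, version, priority) for every asset that needs attention.

    Unparseable versions are reported as "unknown" rather than silently
    skipped, since an unverifiable instance is itself a finding.
    """
    findings = []
    for asset in assets:
        parsed = parse_version(asset.peopletools_version)
        if not parsed:
            findings.append((asset.host, asset.peopletools_version, "unknown"))
            continue
        if not is_affected(asset.peopletools_version):
            continue
        if asset.interim_mitigation_applied:
            priority = "medium"       # mitigated, still needs the real patch
        elif asset.internet_exposed:
            priority = "critical"     # unmitigated and reachable from outside
        else:
            priority = "high"         # unmitigated but internal only
        findings.append((asset.host, asset.peopletools_version, priority))
    findings.sort(key=lambda f: PRIORITY_ORDER[f[2]])
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Asset("hr-prod-01", "8.62.05", internet_exposed=True, interim_mitigation_applied=False),
    Asset("fin-prod-02", "8.61.10", internet_exposed=False, interim_mitigation_applied=False),
    Asset("hr-test-03", "8.62.01", internet_exposed=True, interim_mitigation_applied=True),
    Asset("legacy-04", "8.59.12", internet_exposed=True, interim_mitigation_applied=False),
    Asset("scm-05", "unknown", internet_exposed=False, interim_mitigation_applied=False),
]

if __name__ == "__main__":
    for host, version, priority in triage(SAMPLE_INVENTORY):
        print(f"{priority:8} {host:12} PeopleTools {version}")
```

Run against the constructed inventory, the script lists the exposed, unmitigated 8.62 host first, then the internal 8.61 host, then the mitigated one, and finally the host whose version could not be determined; the 8.59 instance is not reported. Feeding it a real CMDB export only requires mapping that export's columns onto the `Asset` fields.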
PeopleSoft is a widely used enterprise resource planning (ERP) software suite that supports organizational functions such as human resources, finance, and supply chain management. Although it is deployed across many sectors, ShinyHunters appear to have focused on the education industry, with the University of Nottingham in the UK being the first confirmed victim.
Extent and Impact of Exploitation
Between May 27 and June 9, Mandiant and the Google Threat Intelligence Group (GTIG) detected activity linked to exploitation of this zero-day vulnerability. The campaign, attributed to the ShinyHunters group (tracked as UNC6240), has heavily targeted higher education institutions, especially in the United States.
Google has notified more than 100 organizations worldwide that they may be affected, noting that 68% are in the higher education sector. Some organizations successfully thwarted the attacks, while others suffered system breaches and data theft.
ShinyHunters’ Attack Strategy and Consequences
ShinyHunters reportedly targeted approximately 300 PeopleSoft instances, affecting around 100 organizations. The attackers deployed customized MeshCentral agents disguised as legitimate cloud services to execute administrative commands and to distribute a purpose-built lateral movement and defacement script, culminating in data theft and leaks.
Google has published detailed remediation guidance along with technical analysis of the attack methodology and indicators of compromise (IoCs). Oracle has not yet commented on the exploitation reports.
TrendAI, part of Trend Micro’s enterprise division and credited with reporting the vulnerability, stated that observed exploitation remains limited, though its investigation continues.
Given the significant risk such vulnerabilities pose, organizations are urged to apply Oracle’s recommended security measures promptly to protect their systems and data.
