The ShinyHunters cybercriminal group has capitalized on a newly discovered security flaw in Oracle PeopleSoft to infiltrate enterprise systems, pilfer sensitive data, and demand ransom. Higher education institutions have been most affected by this breach.
Understanding the Exploit
According to Google’s Mandiant, the group identified as UNC6240 conducted activities from May 27 to June 9. Oracle’s advisory was published on June 10, confirming the flaw was exploited as a zero-day vulnerability during this period. The identified flaw, CVE-2026-35273, is a remote code execution issue in PeopleSoft Enterprise PeopleTools, with a critical severity score of 9.8 out of 10.
This vulnerability allows attackers to assume control of servers through network access over HTTP without requiring user credentials or interaction. Systems using PeopleSoft with externally accessible Environment Management Hubs are particularly at risk, necessitating immediate security measures to restrict endpoint access.
Technical Details and Implications
The vulnerability resides in the Updates Environment Management component, specifically affecting PeopleTools versions 8.61 and 8.62. Oracle has also indicated that older, unsupported versions may be susceptible. The flaw was initially reported by researchers from TrendAI Zero Day Initiative and TrendAI Research.
Mandiant’s Chief Technology Officer, Charles Carmakal, confirmed active exploitation of this bug. However, Oracle has yet to provide a comprehensive fix. The current focus is on mitigating the risk by disabling the Environment Management Hub service or limiting external access to certain endpoints.
Impact and Response
The investigation was also helped by the attackers' own lapses: they left parts of their infrastructure exposed. Mandiant found five servers running Python's built-in SimpleHTTP server on port 8888, openly serving sensitive staging files.
Approximately 100 organizations have been notified by Mandiant, with 68% belonging to the higher education sector, predominantly in the United States. Some institutions successfully blocked the attack, while others were compromised, leading to data leaks.
The University of Nottingham confirmed a breach, with Have I Been Pwned documenting around 455,000 unique email addresses leaked. This data includes personal information such as names, addresses, and other sensitive details.
Preventive Measures and Future Outlook
Oracle advises disabling or removing the Environment Management Hub service to mitigate risks. Additionally, further measures include monitoring WebLogic access logs for suspicious activity and applying Oracle’s updates when available.
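As an added illustration of the log-monitoring advice above (example code, not from Oracle, Mandiant or this article), the following Python check parses WebLogic access log lines in Common Log Format and flags requests to the Environment Management Hub that come from addresses outside an allowed range. The hub URL prefix and the trusted networks are assumptions to be adjusted for a real deployment; the log lines are constructed for the demonstration.

```python
import ipaddress
import re

# ASSUMPTION / PLACEHOLDER: URL prefix under which the Environment Management Hub
# is served on the PeopleSoft web tier. Replace with the path used in your install.
EMHUB_PREFIXES = ("/PSEMHUB/",)

# ASSUMPTION: networks that legitimately reach the hub (constructed example ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# WebLogic HTTP access logs default to Common Log Format:
#   client - user [timestamp] "METHOD /path HTTP/x.y" status bytes
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def parse_clf(line):
    """Return the parsed fields of one CLF line, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def is_trusted(client):
    """True if the client address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:          # hostnames or malformed fields are not trusted
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_external_hub_requests(lines):
    """Return (client, method, path, status) for hub requests from untrusted sources."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not rec["path"].startswith(EMHUB_PREFIXES):
            continue
        if is_trusted(rec["client"]):
            continue
        hits.append((rec["client"], rec["method"], rec["path"], int(rec["status"])))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '10.1.2.3 - - [09/Jun/2026:10:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123',
    '10.1.2.3 - - [09/Jun/2026:10:00:05 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 812',
    '203.0.113.7 - - [09/Jun/2026:10:01:10 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1440',
    '203.0.113.7 - - [09/Jun/2026:10:01:12 +0000] "GET /PSEMHUB/hub HTTP/1.1" 500 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_external_hub_requests(SAMPLE_LOG):
        print("external hub request:", hit)
```

Any hit from this check on a hub that was meant to be internal-only is worth treating as an incident lead, since the advisory's mitigation is precisely to keep such endpoints off the public network.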
As ShinyHunters continue to target high-value data sources, organizations must bolster cybersecurity defenses against potential ERP software exploitation. The group’s evolving tactics pose ongoing threats, suggesting the need for vigilant monitoring and proactive security strategies.
