In a significant cybersecurity breach, the ShinyHunters group has exploited a previously unaddressed vulnerability in Oracle PeopleSoft to infiltrate enterprise systems. Their campaign has primarily targeted universities, leveraging the exploit to extract sensitive data while demanding ransom payments for its confidentiality. The operation was observed between May 27 and June 9, 2023, with Google’s Mandiant attributing the activity to a hacker group identified as UNC6240.
The vulnerability involved is tracked as CVE-2026-35273, a remote code execution flaw in PeopleSoft Enterprise PeopleTools, which carries a severity score of 9.8 out of 10. It can be exploited without login credentials or user interaction, meaning an attacker only needs HTTP access to the affected component. Organizations, particularly those running an external Environment Management Hub, are at heightened risk and should consider immediate protective measures such as restricting external access to the affected endpoints.
The vulnerability resides within the Updates Environment Management component of PeopleSoft. Both PeopleTools versions 8.61 and 8.62 are listed as affected, with earlier versions likely vulnerable as well. Recognition is given to the researchers from TrendAI Zero Day Initiative and TrendAI Research for bringing this exploit to light. Given that Oracle did not make an official advisory known until June 10, the vulnerability effectively served as a zero-day, leaving numerous organizations exposed during this window.
Mandiant’s Chief Technology Officer, Charles Carmakal, has confirmed that the vulnerability is being actively exploited. Oracle’s advisory mentions that a patch exists, but it is unclear how broadly it is available. Mitigation strategies have been suggested, but their effectiveness has been called into question, particularly where organizations rely on web application firewall rules alone, which attackers may bypass.
One prominent victim of this exploitation is the University of Nottingham, which has experienced confirmed data breaches affecting approximately 455,000 unique email addresses, including sensitive personal information. Oracle’s recommendations to secure vulnerable installations emphasize disabling the Environment Management Hub on multi-server configurations and restricting access accordingly on single-server setups.
According to Mandiant, a majority of the organizations alerted concerning this exploit are educational institutions based primarily in the United States. While some have successfully blocked illicit activities, others have reportedly fallen victim to data theft, with evidence suggesting that efforts to notify affected entities are ongoing. As ShinyHunters escalates its efforts with a blend of social engineering tactics, this recent exploitation marks a more aggressive approach that poses increased risks to data-rich sectors.
The open question is whether this signals a change in ShinyHunters’ operational methodology, moving beyond conventional tactics such as phishing and token theft to the exploitation of zero-day vulnerabilities in enterprise software. This breach underscores the ongoing need for robust cybersecurity measures and constant vigilance in organizational security postures to guard against such evolving threats.
The tactics and techniques likely utilized in this infiltration align with the MITRE ATT&CK framework, suggesting initial access through exploitation of the vulnerability, followed by persistence strategies implemented through the deployment of custom scripts and management agents. Organizations must remain aware of these adversary tactics to enhance defenses effectively and proactively manage cybersecurity threats.