ShinyHunters Exploits Oracle PeopleSoft Zero-Day Vulnerability

The ShinyHunters group has exploited a critical zero-day vulnerability in Oracle PeopleSoft, impacting numerous universities and potentially exposing sensitive data.

The ShinyHunters extortion group has exploited a significant zero-day vulnerability in Oracle PeopleSoft, specifically affecting the PeopleTools component. The campaign has primarily targeted universities, leading to data theft and extortion demands in exchange for keeping the information private.

Details of the Vulnerability

The flaw, identified as CVE-2026-35273, is a remote code execution vulnerability rated 9.8 out of 10 in severity. Exploitation requires no user interaction or login credentials, only network access to the server over HTTP. This vulnerability was active from May 27 to June 9, 2026, and remained unpatched until Oracle published an advisory on June 10.

Impact on Affected Institutions

According to Google’s Mandiant, the group behind the attack is tracked as UNC6240. The exploitation of this vulnerability has led to data breaches at over 100 organizations, with approximately 68% of the affected entities being in higher education, primarily in the United States. The University of Nottingham has been confirmed as one of the victims, with data tied to around 455,000 unique email addresses leaked, including sensitive personal information.

Mitigation and Response

Oracle’s guidance for mitigating the risk includes disabling the Environment Management Hub service in multi-server setups or removing the PSEMHUB application in single-server configurations. If these actions cannot be performed, organizations are advised to block external access to specific endpoints associated with the vulnerability. Mandiant has also recommended monitoring for signs of compromise, such as unusual access logs or unexpected files within the PeopleSoft directories.
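
As a starting point for the access-log review described above, the following added example (not from Oracle, Mandiant or the original article) lists requests to the hub application that came from outside the internal network and marks those inside the May 27 to June 9 window. The `/PSEMHUB` URL prefix, the combined log format, the internal address ranges and the UTC reading of the window are assumptions to adjust for the environment.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

HUB_PREFIX = "/PSEMHUB"  # assumption: URL prefix of the PSEMHUB application
# Window from the article, May 27 to June 9, 2026, taken as UTC (assumption).
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))  # end is exclusive
# Assumption: clients in these ranges count as internal.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable client field: keep it for review
    return not any(ip in net for net in INTERNAL)

def external_hub_requests(lines):
    # Returns (ip, method, path, status, in_window) per external hub request.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = unquote(m["path"].split("?", 1)[0])  # drop query, decode %xx
        upper = path.upper()
        if upper != HUB_PREFIX and not upper.startswith(HUB_PREFIX + "/"):
            continue  # request is not for the hub application
        if not is_external(m["ip"]):
            continue  # internal clients are expected to reach the hub
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        in_window = WINDOW[0] <= when < WINDOW[1]
        hits.append((m["ip"], m["method"], path, int(m["status"]), in_window))
    return hits

# Constructed sample lines (documentation IP ranges), not from any incident.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.40 - - [28/May/2026:03:15:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 128',
    '198.51.100.23 - - [29/May/2026:09:00:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096',
    '203.0.113.7 - - [12/Jun/2026:22:01:55 +0000] "GET /%50SEMHUB/hub?x=1 HTTP/1.1" 404 0',
]
if __name__ == "__main__":
    for hit in external_hub_requests(SAMPLE):
        print(hit)
```

Any hit is worth reviewing once the hub is supposed to be disabled or blocked externally; hits with a success status inside the window are the ones to correlate with the file-system checks.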

Ongoing Threat and Future Implications

ShinyHunters has indicated that their outreach to victims has only recently begun, suggesting that more organizations may be affected. Exploiting a zero-day in on-premises ERP software marks a notable shift in their tactics, which have previously focused on SaaS and educational platforms. The breach raises the question of whether this is an isolated incident or a new trend in targeting enterprise resource planning systems.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
