A breach tied to the hacking collective ShinyHunters emerged during a wave of intrusions that exploited a then-undisclosed weakness in Oracle PeopleSoft platforms. The attackers got in through unpatched security gaps, and access followed swiftly after the initial compromise. Data theft affected multiple campuses and research-focused organizations from May into the first days of June. Evidence gathered by Google Cloud Mandiant analysts pointed directly to systemic exploitation before any public alert from Oracle. Control over the affected servers enabled extraction of confidential information before patches were available.
One security team links this activity to a hacking cluster it tracks internally as UNC6240. By exploiting a vulnerability tracked as CVE-2026-35273, the group executed unauthorized code on Oracle PeopleSoft systems. The flaw is rated 9.8 out of 10, near the top of the severity scale, because of how easily it can be abused. With nothing more than network access over HTTP, intruders bypass login checks entirely. Exploitation is remote and requires no clicks or credentials from victims.
Within the PeopleSoft platform, the weakness lies specifically in the Environment Management Hub. Oracle officially acknowledged the issue in PeopleTools 8.61 and 8.62, but earlier versions that are no longer supported could still be at risk. Because exploitation began before Oracle's public notice, the vulnerability was effectively a zero-day throughout the attack period.
The attackers' own operational weaknesses surfaced when they mistakenly left key systems visible on the web.
A closer look revealed open servers hosting malware frameworks, communication hubs, admin utilities disguised as legitimate cloud documents, and automation scripts designed to navigate internal corporate environments. Once access was gained, the intruders spread through connected devices, then bundled sensitive material and sent it to platforms tied to ShinyHunters' operations.
Mandiant identified over 100 organizations facing possible system exposure and alerted each of them to the danger. Higher education made up close to 68% of these cases, primarily within the U.S.
While some schools stopped the threat in time, several suffered confirmed intrusions along with leaked information.
The University of Nottingham was among the earliest cases made public. Reports tracking data leaks indicate the exposed records include around 455,000 distinct email addresses, along with private details such as full names, home addresses, telephone numbers, passport identifiers, ethnic background, and disability-related data. The institution itself confirmed the incident.
Oracle suggests turning off the Environment Management Hub service where feasible and limiting outside connections to vulnerable endpoints. Cybersecurity experts advise reviewing system logs and hunting for unusual files. Uncommon patterns in data leaving the network should also draw attention. Applying Oracle's fixes promptly is another recommended measure.
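One way to act on the log-review and exposure-limiting advice above, as an added example that is not from the original article or from Oracle: a Python check that flags web access log requests to the Environment Management Hub coming from outside trusted networks. The `/PSEMHUB` path prefix, the trusted ranges, the log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the Environment Management Hub is served under the default
# /PSEMHUB web context; adjust if the deployment differs.
EMH_PREFIX = "/PSEMHUB"
# Assumption: networks that legitimately host PeopleSoft agents and admins.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Common/combined access log: ip - user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source address is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def find_external_emh_requests(lines):
    """Return parsed records for EMH requests from outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string and compare case-insensitively on the prefix.
        path = m["path"].split("?", 1)[0].upper()
        if path != EMH_PREFIX and not path.startswith(EMH_PREFIX + "/"):
            continue
        if is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return hits

# Constructed sample lines (documentation IP ranges), not real incident data.
SAMPLE_LOG = [
    '10.2.3.4 - - [02/Jun/2026:10:00:01 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 312',
    '203.0.113.50 - - [02/Jun/2026:10:05:17 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 4096',
    '198.51.100.7 - - [02/Jun/2026:10:06:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9000',
    '198.51.100.7 - - [02/Jun/2026:10:06:30 +0000] "GET /psemhub/hub?x=1 HTTP/1.1" 404 150',
]

if __name__ == "__main__":
    for hit in find_external_emh_requests(SAMPLE_LOG):
        print(hit)
```

Any hit means the hub was reachable from an untrusted address, which is worth correlating with file-system and egress review for the same time window.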
Notably, ShinyHunters previously stuck to phishing, compromised logins, and social engineering. Their use of a previously unknown flaw in server software suggests their methods have taken a sharper turn. This shift hints that ERP platforms will be eyed more closely going forward, even if nothing is certain yet.
