ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Targets Universities and Education Sector
ShinyHunters exploited a critical Oracle PeopleSoft zero-day (CVE-2026-35273) to target universities and educational institutions. The campaign enabled remote access, data theft, and extortion, exposing over 100 organizations before Oracle released security guidance.
Xcademia Team

Introduction
A newly disclosed cyberattack campaign has revealed that the notorious hacking group ShinyHunters is actively exploiting a critical Oracle PeopleSoft vulnerability to compromise organizations, particularly universities and colleges. According to Google's Mandiant and Google Threat Intelligence Group (GTIG), more than 100 organizations were identified as potentially exposed, with 68% belonging to the higher education sector.
The attacks occurred before Oracle publicly released its security advisory, making this a genuine zero-day exploitation campaign.
What Happened?
Researchers attributed the attacks to UNC6240, a threat cluster associated with the cybercriminal group ShinyHunters. The attackers exploited CVE-2026-35273, a critical remote code execution (RCE) vulnerability affecting Oracle PeopleSoft's Environment Management component. The flaw carries a CVSS score of 9.8, placing it in the critical severity range.
Google observed malicious activity between May 27 and June 9, 2026, before Oracle published mitigation guidance on June 10. During this period, attackers successfully scanned, compromised, and extorted victims.
Why the Education Sector Was Targeted
The investigation found that:
- More than 100 organizations were notified by Google.
- Most affected organizations were located in the United States.
- Approximately 68% belonged to the higher education sector.
- Universities and colleges using Oracle PeopleSoft for student records, finance, HR, and administrative systems were primary targets.
PeopleSoft is widely used across educational institutions to manage:
- Student information
- Payroll systems
- Human resources
- Financial operations
- Supply chain management
Compromising these systems can provide attackers with access to large amounts of sensitive personal and institutional data.
How the Attack Worked
Exploiting a Zero-Day Vulnerability
The attackers targeted exposed PSEMHUB (PeopleSoft Environment Management Hub) endpoints and exploited the vulnerability before a patch or advisory was available.
Deploying Disguised Remote Management Tools
Researchers discovered customized MeshCentral agents disguised as legitimate Microsoft Azure-related services. These tools allowed attackers to:
- Execute remote commands
- Conduct reconnaissance
- Move laterally inside networks
- Deploy extortion-related files
- Prepare data for exfiltration
Data Theft and Extortion
Google linked the campaign to data leak activity published on the ShinyHunters leak site. Investigators observed evidence of:
- Internal network mapping
- Configuration harvesting
- Credential abuse
- Data compression for exfiltration
- Extortion operations after data theft
Key Insights
| Topic | Details |
|---|---|
| Incident | ShinyHunters exploiting Oracle PeopleSoft zero-day |
| Vulnerability | CVE-2026-35273 |
| Severity | Critical (CVSS 9.8) |
| Attack Type | Remote Code Execution (RCE), Data Theft, Extortion |
| Primary Targets | Universities and Higher Education Institutions |
| Organizations Notified | 100+ |
| Affected Sector | 68% Higher Education |
| Risk Level | Critical |
| Recommended Actions | Apply Oracle mitigations, restrict PSEMHUB access, investigate compromise indicators |
Technical Analysis
Google's investigation uncovered attacker-controlled infrastructure hosting malicious files and command histories. The threat actors used:
- Customized MeshCentral agents
- Fake Azure-themed infrastructure
- Internal network discovery commands
- Automated lateral movement scripts
- Data staging and compression tools for exfiltration
Researchers also observed communication with attacker-controlled infrastructure designed to mimic legitimate cloud services, a common technique used to evade detection.
Technical Explanation
Imagine a university building where a maintenance door is accidentally left unlocked.
Normally, attackers would need keys (usernames and passwords) to enter. However, this vulnerability allowed attackers to bypass the front entrance entirely and enter through that unlocked maintenance door.
Once inside, they:
- Explored the building.
- Copied important documents.
- Moved into other rooms.
- Left ransom notes demanding payment.
That is essentially what happened with the PeopleSoft vulnerability. The flaw allowed remote attackers to gain access without authentication and then move throughout the organization's systems.
Recommended Defensive Actions
Organizations running Oracle PeopleSoft should immediately:
- Disable or remove the Environment Management Hub (EMHub) where possible.
- Block external access to `/PSEMHUB/*`.
- Review logs for suspicious POST requests targeting PSEMHUB services.
- Search for unauthorized `.jsp` files within PeopleSoft web directories.
- Monitor outbound SMB traffic from PeopleSoft servers.
- Conduct forensic investigations for indicators of compromise.
Example Log Hunting Commands

```bash
grep "POST /PSEMHUB/hub" access.log
grep "POST /PSIGW/HttpListeningConnector" access.log
```

Detect Unexpected JSP Files

```bash
find /path/to/PSEMHUB.war -name "*.jsp"
```

Review any files that are not part of the official Oracle installation.
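The two grep commands above match exact strings; the script below is an added example (not code from the article or from Google) that carries the same hunt a step further: it parses access log lines in combined log format, flags every POST whose path falls under `/PSEMHUB/` or hits `/PSIGW/HttpListeningConnector`, counts hits per source address so repeat callers stand out, and compares a `find` style listing of `.jsp` files against a known-good baseline. The log lines, the IP addresses, the `.jsp` listing and the baseline file names are all constructed for the example; the baseline in particular is a placeholder that you would build from a clean install of the same PeopleTools release, not Oracle's real file list.

```python
"""Hunt a PeopleSoft web server access log for POST requests to the PSEMHUB and
PSIGW endpoints named in the article, and flag .jsp files that are not in a
known-good baseline. Added example; all sample data below is constructed."""
import re
from collections import Counter

# Constructed sample access log (combined log format). None of these lines are
# real telemetry; the IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [28/May/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [28/May/2026:02:14:09 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
203.0.113.10 - - [28/May/2026:02:14:12 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 94 "-" "python-requests/2.31"
192.0.2.44 - - [28/May/2026:02:15:30 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1200 "-" "curl/8.4.0"
198.51.100.7 - - [28/May/2026:02:16:01 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [28/May/2026:02:17:45 +0000] "GET /PSEMHUB/hub HTTP/1.1" 405 0 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request paths the article tells defenders to review. Matching on the prefix
# rather than the exact "/PSEMHUB/hub" string also catches other hub servlets.
SUSPECT_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt_posts(log_text):
    """Return parsed entries for POST requests whose path hits a suspect prefix."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        if entry["path"].startswith(SUSPECT_PREFIXES):
            hits.append(entry)
    return hits


def summarize(hits):
    """Count hits per (source IP, path) so repeat callers stand out."""
    return Counter((h["ip"], h["path"]) for h in hits)


# Hypothetical baseline: the .jsp files recorded from a clean install of the
# same PeopleTools release. Build this from a known-good host; the names here
# are placeholders, not Oracle's real file list.
BASELINE_JSP = {
    "PSEMHUB.war/index.jsp",
    "PSEMHUB.war/hub/status.jsp",
}

# Constructed listing, in the shape `find PSEMHUB.war -name "*.jsp"` returns.
FOUND_JSP = [
    "PSEMHUB.war/index.jsp",
    "PSEMHUB.war/hub/status.jsp",
    "PSEMHUB.war/hub/tmp_1717.jsp",
]


def unexpected_jsp(found, baseline=BASELINE_JSP):
    """Return .jsp paths present on disk but absent from the clean baseline."""
    return sorted(p for p in found if p not in baseline)


if __name__ == "__main__":
    hits = hunt_posts(SAMPLE_ACCESS_LOG)
    for (ip, path), n in summarize(hits).most_common():
        print(f"{n:3d}  {ip:<15} POST {path}")
    for p in unexpected_jsp(FOUND_JSP):
        print("unexpected JSP:", p)
```

Run against a real log by replacing `SAMPLE_ACCESS_LOG` with the file contents; a high count from a single address against `/PSEMHUB/hub` in the May 27 to June 10 window is the pattern worth pulling the full request history for, and any `.jsp` reported by `unexpected_jsp` should be treated as suspect until it is matched to a legitimate install or patch.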
Why This Matters
This incident highlights a growing trend where cybercriminal groups are targeting enterprise applications used by universities and large organizations. Because PeopleSoft often stores student, employee, financial, and operational data, successful exploitation can result in large-scale data theft and extortion. The fact that attackers exploited the vulnerability before public disclosure demonstrates the importance of proactive monitoring, threat intelligence, and rapid security response.
Source: Google Cloud