---
url: "https://xcademia.com/news/shinyhunters-exploits-oracle-peoplesoft-zero-day-targets-universities-and-education-sector"
title: "ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Targets Universities and Education Sector"
description: "ShinyHunters exploited a critical Oracle PeopleSoft zero-day vulnerability, targeting higher education institutions in a large-scale extortion campaign."
publishedAt: "2026-06-12T11:17:06.878+00:00"
updatedAt: "2026-06-13T05:19:27.917785+00:00"
type: news
category: cybersecurity
source_name: Google Cloud
source_url: "https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/"
tags:
  - "#CyberSecurity"
  - "#ThreatIntelligence"
  - "#ShinyHunters"
  - "#Oracle"
  - "#PeopleSoft"
  - "#ZeroDay"
  - "#EducationSector"
  - "#DataBreach"
  - "#Cybercrime"
  - "#Mandiant"
  - "#GoogleCloud"
  - "#RCE"
  - "#VulnerabilityManagement"
---

# ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Targets Universities and Education Sector

> ShinyHunters exploited a critical Oracle PeopleSoft zero-day (CVE-2026-35273) to target universities and educational institutions. The campaign enabled remote access, data theft, and extortion, exposing over 100 organizations before Oracle released security guidance.

Source: **Google Cloud** · 12 June 2026

## Introduction

A newly disclosed cyberattack campaign has revealed that the notorious hacking group **ShinyHunters** is actively exploiting a critical Oracle PeopleSoft vulnerability to compromise organizations, particularly universities and colleges. According to Google's Mandiant and Google Threat Intelligence Group (GTIG), more than 100 organizations were identified as potentially exposed, with 68% belonging to the higher education sector.

The attacks occurred before Oracle publicly released its security advisory, making this a genuine **zero-day exploitation campaign**.

## What Happened?

Researchers attributed the attacks to **UNC6240**, a threat cluster associated with the cybercriminal group ShinyHunters. The attackers exploited **CVE-2026-35273**, a critical remote code execution (RCE) vulnerability affecting Oracle PeopleSoft's Environment Management component. The flaw carries a **CVSS score of 9.8**, which places it in the critical severity range.

Google observed malicious activity between **May 27 and June 9, 2026**, before Oracle published mitigation guidance on June 10. During this period, attackers successfully scanned, compromised, and extorted victims.

## Why the Education Sector Was Targeted

**The investigation found that:**

- More than 100 organizations were notified by Google.
- Most affected organizations were located in the United States.
- Approximately 68% belonged to the higher education sector.
- Universities and colleges using Oracle PeopleSoft for student records, finance, HR, and administrative systems were primary targets.

**PeopleSoft is widely used across educational institutions to manage:**

- Student information
- Payroll systems
- Human resources
- Financial operations
- Supply chain management

Compromising these systems can provide attackers with access to large amounts of sensitive personal and institutional data.

## How the Attack Worked

**Exploiting a Zero-Day Vulnerability**

The attackers targeted exposed **PSEMHUB (PeopleSoft Environment Management Hub)** endpoints and exploited the vulnerability before a patch or advisory was available.

**Deploying Disguised Remote Management Tools**

Researchers discovered customized **MeshCentral** agents disguised as legitimate Microsoft Azure-related services. These tools allowed attackers to:

- Execute remote commands
- Conduct reconnaissance
- Move laterally inside networks
- Deploy extortion-related files
- Prepare data for exfiltration

**Data Theft and Extortion**

Google linked the campaign to data leak activity published on the ShinyHunters leak site. Investigators observed evidence of: 

- Internal network mapping
- Configuration harvesting
- Credential abuse
- Data compression for exfiltration
- Extortion operations after data theft

## Key Insights

| Topic | Details |
| --- | --- |
| Incident | ShinyHunters exploiting Oracle PeopleSoft zero-day |
| Vulnerability | CVE-2026-35273 |
| Severity | Critical (CVSS 9.8) |
| Attack Type | Remote Code Execution (RCE), Data Theft, Extortion |
| Primary Targets | Universities and Higher Education Institutions |
| Organizations Notified | 100+ |
| Affected Sector | 68% Higher Education |
| Risk Level | Critical |
| Recommended Actions | Apply Oracle mitigations, restrict PSEMHUB access, investigate compromise indicators |

## Technical Analysis

Google's investigation uncovered attacker-controlled infrastructure hosting malicious files and command histories. The threat actors used:

- Customized MeshCentral agents
- Fake Azure-themed infrastructure
- Internal network discovery commands
- Automated lateral movement scripts
- Data staging and compression tools for exfiltration

Researchers also observed communication with attacker-controlled infrastructure designed to mimic legitimate cloud services, a common technique used to evade detection.

## Technical Explanation

Imagine a university building where a maintenance door is accidentally left unlocked.

Normally, attackers would need keys (usernames and passwords) to enter. However, this vulnerability allowed attackers to bypass the front entrance entirely and enter through that unlocked maintenance door.

Once inside, they:

1. Explored the building.
2. Copied important documents.
3. Moved into other rooms.
4. Left ransom notes demanding payment.

That is essentially what happened with the PeopleSoft vulnerability. The flaw allowed remote attackers to gain access without authentication and then move throughout the organization's systems.

## Recommended Defensive Actions

Organizations running Oracle PeopleSoft should immediately:

- Disable or remove the Environment Management Hub (EMHub) where possible.
- Block external access to `/PSEMHUB/*`.
- Review logs for suspicious POST requests targeting PSEMHUB services.
- Search for unauthorized `.jsp` files within PeopleSoft web directories.
- Monitor outbound SMB traffic from PeopleSoft servers.
- Conduct forensic investigations for indicators of compromise.

### Example Log Hunting Commands

```
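# POST requests to the Environment Management Hub endpoint
grep "POST /PSEMHUB/hub" access.log

# POST requests to the Integration Gateway listening connector
grep "POST /PSIGW/HttpListeningConnector" access.log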
```
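As an added example (not code from the original article or from Google's report), the two grep hunts above can be turned into a per-client summary that groups POST requests to the watched paths by source address and marks sources outside an allowed management subnet. The subnet `10.20.0.0/16`, the combined access-log format and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

WATCHED = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")  # literal path prefixes
# Hypothetical management subnet allowed to reach the hub; replace with your own.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumes common/combined access-log format; adjust for your web tier.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def is_external(client):
    try:
        return not any(ipaddress.ip_address(client) in n for n in ALLOWED_NETS)
    except ValueError:
        return True  # hostname or garbage in the client field: treat as untrusted

def hunt(lines):
    """Return {client: summary} for POST requests to the watched paths."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(WATCHED):
            continue
        # Raises on an unexpected timestamp format rather than skipping silently.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        h = hits.setdefault(m["ip"], {"count": 0, "first": ts, "last": ts, "paths": set(),
                                      "statuses": set(), "external": is_external(m["ip"])})
        h["count"] += 1
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
        h["paths"].add(path)
        h["statuses"].add(int(m["status"]))
    return hits

# Constructed sample lines for illustration, not taken from any real incident.
SAMPLE_LOG = [
    '203.0.113.45 - - [28/May/2026:03:12:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.45 - - [28/May/2026:03:12:51 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1480',
    '10.20.4.17 - - [28/May/2026:09:00:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 310',
    '198.51.100.9 - - [29/May/2026:11:40:10 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/HOME HTTP/1.1" 200 9021',
    '198.51.100.23 - - [02/Jun/2026:22:05:37 +0000] "POST /PSEMHUB/hub?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, h in hunt(SAMPLE_LOG).items():
        print(client, h)
```

Sources marked external with a 200 status on these paths are the ones to prioritise for forensic review; the first and last timestamps give the window to correlate with file-system and outbound-traffic evidence.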

### Detect Unexpected JSP Files

```
# List every JSP file (any letter case) under the deployed PSEMHUB web application
find /path/to/PSEMHUB.war -type f -iname "*.jsp"
```

Review any files that are not part of the official Oracle installation.
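One way to make that review systematic, as an added example that is not part of the original article: hash the JSP files in a clean reference unpack of the same PeopleTools release and compare them with the deployed tree, reporting files that are unexpected, modified or missing. It goes slightly beyond the `find` command by also matching `.jspx` and upper-case extensions; the directory layout and file names in `demo()` are constructed placeholders, not real PeopleSoft files.

```python
import hashlib
import tempfile
from pathlib import Path

JSP_SUFFIXES = {".jsp", ".jspx"}

def jsp_manifest(root):
    """Map each JSP file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in JSP_SUFFIXES
    }

def compare(reference_root, deployed_root):
    """Diff the deployed JSP set against a known-good reference tree."""
    ref, live = jsp_manifest(reference_root), jsp_manifest(deployed_root)
    return {
        "unexpected": sorted(set(live) - set(ref)),   # present only on the server
        "modified": sorted(p for p in live.keys() & ref.keys() if live[p] != ref[p]),
        "missing": sorted(set(ref) - set(live)),      # removed from the server
    }

def demo():
    """Build two small constructed trees in a temp directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp, "reference"), Path(tmp, "deployed")
        for root in (ref, live):
            (root / "WEB-INF").mkdir(parents=True)
            (root / "index.jsp").write_text("<%-- stock page --%>")
            (root / "status.jsp").write_text("<%-- stock status --%>")
        # Constructed drift: one changed file and one file absent from the reference.
        (live / "status.jsp").write_text("<%-- stock status --%><%-- changed --%>")
        (live / "WEB-INF" / "Help.JSP").write_text("<%-- not in reference --%>")
        return compare(ref, live)

if __name__ == "__main__":
    print(demo())
```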

## Why This Matters

This incident highlights a growing trend where cybercriminal groups are targeting enterprise applications used by universities and large organizations. Because PeopleSoft often stores student, employee, financial, and operational data, successful exploitation can result in large-scale data theft and extortion. The fact that attackers exploited the vulnerability before public disclosure demonstrates the importance of proactive monitoring, threat intelligence, and rapid security response.

## Original source

https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/

