
CISA flags Oracle PeopleSoft flaw exploited to breach 100+ schools


  • CISA added the Oracle PeopleSoft flaw to its Known Exploited Vulnerabilities catalog on June 12 after ShinyHunters breached more than 100 organizations. [cisa]
  • Google’s Mandiant said the attacks ran from May 27 to June 9, entirely before Oracle’s June 10 advisory, with 68% of targets in higher education. [thehackernews]
  • Hackers claimed to have stolen student records and are extorting victims, according to TechCrunch, marking ShinyHunters’ second major education-sector attack in weeks. [techcrunch]

ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Breaching More Than 100 Universities and Organizations

The cybercrime group ShinyHunters exploited a critical zero-day vulnerability in Oracle PeopleSoft to breach more than 100 organizations — most of them universities — between May 27 and June 9, according to Google’s Mandiant threat intelligence team and multiple security researchers. [csoonline]

The Vulnerability and Attack Campaign

The flaw, tracked as CVE-2026-35273 and carrying a CVSS score of 9.8, is an unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools’ Environment Management Hub component. It affects versions 8.61 and 8.62, requires no login or user interaction, and gives attackers full server takeover through network access over HTTP. [oracle]

Google’s Threat Intelligence Group, which tracks ShinyHunters as UNC6240, said it notified more than 100 global organizations of potential exposure. Sixty-eight percent of identified targets were in the higher education sector, with most based in the United States. The hackers claimed to have stolen student records including home addresses, phone numbers, emails, and dates of birth, according to TechCrunch, which reported that a ShinyHunters member confirmed the campaign. [techcrunch]

The attack unfolded entirely before Oracle acknowledged the issue. Oracle published its out-of-band security advisory on June 10, meaning every compromised organization was hit while no patch existed. [thehackernews]

Federal Response and Mitigation

On June 12, CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate the flaw. Oracle’s guidance calls on organizations to disable the Environment Management Hub service entirely or block external access to the `/PSEMHUB/*` and `/PSIGW/HttpListeningConnector` endpoints at the network perimeter. [securityaffairs]

Mandiant warned that relying solely on web application firewall rules is insufficient, as these controls can be bypassed. Organizations were urged to hunt for indicators of compromise including unexpected JSP files, outbound SMB traffic on port 445, and recently modified XML files that could enable persistence across restarts. [thehackernews]
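As a complement to the hunting guidance above, the following added example (not from Oracle, Mandiant or the original article) triages web access logs for requests that reached the two endpoints named in Oracle's guidance, normalizing each path before matching and marking which sources were external. The log format, the internal address ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoints named in Oracle's guidance as quoted in the article (lower-cased).
WATCHED = ("/psemhub", "/psigw/httplisteningconnector")
# Assumption: address ranges treated as internal; adjust to the site's plan.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: "combined"-style access log lines from the web tier.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize(target):
    """Drop the query, percent-decode once, collapse // and dot segments, case-fold."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def hunt(lines):
    """Return one record per logged request that reached a watched endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize(m["target"])
        if not any(path == p or path.startswith(p + "/") for p in WATCHED):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source logged as a hostname; review those separately
        hits.append({"src": str(src), "time": m["ts"], "method": m["method"],
                     "path": path, "status": int(m["status"]),
                     "external": not any(src in net for net in INTERNAL)})
    return hits

# Constructed sample lines (documentation addresses, made-up timestamps).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:10:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "-"',
    '10.1.2.3 - - [01/Jan/2000:10:00:05 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/home HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.9 - - [01/Jan/2000:10:01:00 +0000] "POST /psigw/%48ttpListeningConnector?x=1 HTTP/1.1" 500 0 "-" "-"',
    '10.1.2.3 - - [01/Jan/2000:10:02:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

Records with `external` set to true are the ones to review first against the other indicators listed above; internal hits still show whether the service is in use before it is disabled.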

Broader Context

The PeopleSoft campaign marks ShinyHunters’ second major strike against the education sector in recent weeks. The group previously breached Instructure’s Canvas learning management system in May, disrupting final exams at colleges nationwide. Security firm Pathlock noted that attackers left calling cards in the form of files named “README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT” on compromised servers, and that ShinyHunters continues to extort affected institutions by threatening to publish stolen data. [highereddive]
