A zero-day vulnerability in Oracle PeopleSoft has been exploited in a widespread cyberattack campaign linked to the ShinyHunters threat group, according to a report released Thursday by Mandiant.
Mandiant, the incident response unit of Google, has notified more than 100 global organizations that might have been affected in the attacks. Most of the organizations were in the U.S., and more than two-thirds of them were colleges and universities.
One of those struck was the University of Nottingham, which said a “significant amount of data” in its student records was compromised.
“This is now the subject of a criminal investigation,” a spokesperson told Cybersecurity Dive. “We are working with the third party that maintains the platform to investigate and we will continue to support the police with their enquiries.”
Opening cyber salvo
The hackers targeted Oracle PeopleSoft servers between May 27 and June 9 by exploiting a critical remote-code execution vulnerability, tracked as CVE-2026-35273, in the product’s Environment Management component. The flaw has a severity score of 9.8.
Oracle released a security advisory warning that the vulnerability in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 could be exploited remotely, without the need for authentication.
In its advisory, the software company did not immediately link the flaw to any particular campaign, but it urged immediate action and labeled its recommendations in the alert as “high-priority risk reduction” measures.
The attacker infrastructure included customized MeshCentral agents that were disguised as legitimate cloud endpoints, according to Mandiant. MeshCentral is an open source platform that enables a user to remotely manage a computer from any location.
Mandiant noted that some of the targeted organizations were able to block the attack or remediate the vulnerability. Other organizations were compromised, and their stolen information was posted on a ShinyHunters data leak site on Tuesday.
Researchers from Censys observed 40 internet-facing PeopleSoft hosts worldwide, a number they called a conservative estimate. The firm found a similar number during a review of exposed instances from May 26.
Halcyon researchers, meanwhile, said the attack is part of a recent pattern by ShinyHunters, as the group was linked to the campaign against Instructure, the firm behind the Canvas Learning Management System.
“The extensive infiltrated data from universities in the case of PeopleSoft and Canvas continue to provide ShinyHunters an avenue to conduct targeted campaigns against faculty and students, including phishing and extortion,” said Erika Totaro, intelligence analyst at the Halcyon Ransomware Research Center.
How to defend
Mandiant is urging users to disable the Environment Management Hub in multi-server configurations or remove the PSEM hub in single-server configurations. The PSEM hub is a web application within PeopleSoft Internet Architecture, which allows users to access PeopleSoft applications with a web browser.
Users should also monitor outbound firewall logs and NetFlow data to check for traffic going to untrusted internet destinations.
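One way to run the outbound-traffic check described above, as an added example that is not code from Mandiant or Oracle. The CSV column layout, the PeopleSoft host inventory, the internal and approved egress ranges, and every sample record are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow export (assumed columns); addresses are RFC 1918 and
# RFC 5737 documentation ranges, not indicators from the Mandiant report.
SAMPLE_FLOWS = """ts,src,dst,dport,bytes
2026-06-01T02:10:00Z,10.20.0.5,10.20.0.9,1521,48211
2026-06-01T02:11:00Z,10.20.0.5,198.51.100.10,443,1200
2026-06-01T02:12:07Z,10.20.0.5,203.0.113.77,443,90412
2026-06-01T02:17:07Z,10.20.0.5,203.0.113.77,443,88120
2026-06-01T02:18:30Z,10.20.0.44,203.0.113.77,443,5120
2026-06-01T02:19:00Z,10.20.0.6,192.0.2.200,8443,3300
2026-06-01T02:20:00Z,10.20.0.6,not-an-ip,443,10
"""

PEOPLESOFT_HOSTS = {"10.20.0.5", "10.20.0.6"}   # assumed server inventory
INTERNAL = [ip_network("10.0.0.0/8")]           # assumed internal address space
APPROVED = [ip_network("198.51.100.0/24")]      # assumed approved egress ranges


def untrusted_outbound(flow_csv, hosts=PEOPLESOFT_HOSTS,
                       internal=INTERNAL, approved=APPROVED):
    """Return {(src, dst, dport): [flows, bytes]} for egress from the listed
    hosts that is neither internal nor on the approved list."""
    hits = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] not in hosts:
            continue                      # only the PeopleSoft tier is in scope
        try:
            dst = ip_address(row["dst"])
            dport, size = int(row["dport"]), int(row["bytes"])
        except ValueError:
            continue                      # skip malformed records
        if any(dst in net for net in internal + approved):
            continue                      # internal or approved destination
        entry = hits[(row["src"], str(dst), dport)]
        entry[0] += 1
        entry[1] += size
    return dict(hits)


if __name__ == "__main__":
    results = untrusted_outbound(SAMPLE_FLOWS)
    for (src, dst, dport), (n, total) in sorted(results.items()):
        print(f"{src} -> {dst}:{dport} flows={n} bytes={total}")
```

Grouping by source, destination and port makes repeated connections from a server to the same unapproved address stand out from one-off lookups.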