Skip to content

ShinyHunters Exploited PeopleSoft Zero-Day Across 100+ Orgs

The Hacker News · Story 3 of 6

Google's Mandiant team and Rapid7 confirmed that the threat actor group ShinyHunters (tracked as UNC6240) exploited a critical zero-day vulnerability in Oracle PeopleSoft Enterprise PeopleTools between May 27 and June 9, 2026 — two full weeks before Oracle released an out-of-band security alert on June 10.

The vulnerability, CVE-2026-35273, carries a CVSS score of 9.8 and enables unauthenticated remote code execution via a Server-Side Request Forgery (SSRF) chain in PeopleTools versions 8.61 and 8.62. The attack requires no valid credentials — attackers simply send crafted requests to exposed PeopleSoft endpoints.

ShinyHunters targeted the higher education sector, compromising over 100 organizations across 300 vulnerable instances. The University of Nottingham confirmed a 40 GB data breach. The group's pattern is data exfiltration followed by extortion — not ransomware encryption.

Google's Threat Intelligence Group notified over 100 organizations whose IP addresses correlated with vulnerable endpoints before the patch was available. Any organization running PeopleSoft PeopleTools 8.61, 8.62, or unsupported earlier versions should patch immediately and investigate for indicators of compromise.

This incident highlights a persistent problem: enterprise ERP systems with internet-exposed management interfaces remain low-hanging fruit for determined attackers.

Analysis
Live

If your organization — or your clients in MENA — runs PeopleSoft, this is a fire drill. Universities and government agencies across the region use it heavily. The two-week pre-patch window means data may already be exfiltrated. The broader lesson: any ERP with an internet-facing admin panel needs a WAF, network segmentation, or air gap. No exceptions.

Frequently Asked Questions
What should organizations do if they run Oracle PeopleSoft?

Patch to the fixed version immediately, review access logs for the May 27–June 9 window for SSRF indicators, and perform a data exfiltration assessment. If data was stolen, expect extortion attempts from ShinyHunters.