Oracle published an out-of-band security advisory for CVE-2026-35273 on 10 June 2026, but by then the vulnerability had already been weaponised for two weeks. Mandiant and Google Threat Intelligence Group confirmed that the threat actor tracked as ShinyHunters, also known as UNC6240, had been actively exploiting the flaw since 27 May 2026, a window in which over 100 organisations were breached before a patch existed. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 12 June, ordering all US federal agencies to patch by a mandatory deadline.
What the vulnerability is
CVE-2026-35273 is a critical flaw in the Updates Environment Management (EMHub) component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. It carries a CVSS v3.1 score of 9.8, placing it in the critical band, the highest severity tier. The vulnerability is exploitable over HTTP with no authentication required. An attacker who can reach the EMHub interface over the network can send a specially crafted request that triggers remote code execution on the underlying server without any valid credentials.
The exploitation path requires only network access to the affected endpoint. There are no prerequisite steps, no social engineering, and no dependency on user interaction. The attack can be scripted and executed at scale, which is exactly what ShinyHunters did.
Who was targeted and why
According to Mandiant’s disclosure and a separate analysis published by Google Cloud’s Threat Intelligence team, 68 percent of the more than 100 notified organisations were universities and colleges. This concentration is not accidental. Higher education institutions frequently run PeopleSoft as their enterprise resource planning and student information system, and they tend to lag behind corporate organisations in applying security patches to critical infrastructure. Their networks are also large, complex, and heterogeneous, which makes rapid isolation and response more difficult.
ShinyHunters are a financially motivated threat actor with a history of targeting credential stores, personally identifiable information, and data sets that carry value on criminal markets. Student records, financial aid data, research databases, and alumni information all fit that profile.
The two-week zero-day window
The gap between first exploitation (27 May) and public advisory (10 June) represents a period in which defenders had no vendor patch and no vendor-issued indicator to act on. Organisations running PeopleSoft with EMHub exposed to untrusted networks during that window should treat themselves as potentially compromised until they can demonstrate otherwise.
Rapid7’s research note confirmed active exploitation predating Oracle’s advisory by approximately 14 days. This is a recurring pattern with enterprise software vendors who operate quarterly patch cycles. When exploitation begins before the advisory, the vendor’s patch cadence provides no protection.
What to do now
Apply Oracle’s out-of-band patch immediately if you have not already done so. This is not a patch to defer to the next quarterly cycle. An unauthenticated RCE with a 9.8 CVSS score, already under active exploitation, on a system that typically holds sensitive personal, financial, and academic data, is an emergency patching event.
If immediate patching is not possible, the primary compensating control is network segmentation. The EMHub component should not be reachable from untrusted network segments. If your PeopleSoft deployment has EMHub accessible from the public internet or from untrusted internal zones, restrict that access now, before the patch window opens.
Audit your PeopleSoft environment for signs of compromise during the 27 May to 9 June window. Look for unusual outbound connections from PeopleSoft servers, unexpected account creation, changes to administrative configurations, and anomalous access to student, financial, or research data stores.
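One way to start that audit is to check web or reverse-proxy access logs for EMHub requests that arrived from outside your trusted management networks during the exposure window. The script below is an added example, not Oracle's or Mandiant's tooling. It flags reachability from untrusted sources rather than the exploit itself, since no request signature is given here. The log format, the `/PSEMHUB/` context path, the trusted network range and the UTC window boundaries are assumptions to adjust for your deployment.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumptions (not from the article): logs are in Common/Combined Log Format,
# EMHub is served under the /PSEMHUB/ context path, and TRUSTED_NETS lists the
# only networks expected to reach it. Adjust all three to your site.
EMHUB_PREFIX = "/PSEMHUB/"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24",)]
# Window from the article: first exploitation 27 May, advisory 10 June 2026.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def untrusted_emhub_hits(lines):
    """Return (timestamp, ip, method, path, status) for EMHub requests made
    from outside TRUSTED_NETS during the exposure window."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].upper().startswith(EMHUB_PREFIX):
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed timestamp, or a hostname instead of an IP
        if not (WINDOW_START <= ts < WINDOW_END):
            continue
        if any(src in net for net in TRUSTED_NETS):
            continue
        hits.append((ts.isoformat(), str(src), m["method"], m["path"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '10.20.0.15 - - [28/May/2026:09:12:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.50 - - [29/May/2026:02:41:17 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 87',
    '203.0.113.50 - - [20/May/2026:02:41:17 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 87',
    '198.51.100.7 - - [03/Jun/2026:11:00:00 +0000] "GET /psp/ps/ HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in untrusted_emhub_hits(SAMPLE):
        print(hit)
```

Any hit is a lead for deeper host-level review, not proof of compromise; an empty result only means the logs you have show no untrusted EMHub access.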
CISA’s addition to the KEV catalogue means that any US federal agency or federally funded university using PeopleSoft is now under a mandatory patch deadline. European institutions are not covered by that mandate, but the risk profile is identical. European universities, which often run significant PeopleSoft deployments, should treat this with the same urgency regardless of the regulatory framing.
If your organisation runs Oracle PeopleSoft and needs help assessing whether your EMHub deployment is exposed, triaging potential compromise indicators, or managing the emergency patching process for a complex enterprise application environment, contact Excello Digital. We help European organisations respond to critical vulnerabilities in enterprise software with the speed that the threat landscape now demands.
