Oracle Issues Security Warning After ShinyHunters Exploits Critical Zero-Day Flaw in PeopleSoft Software To Breach 100+ Organisations
Oracle has confirmed a critical zero-day vulnerability (CVE-2026-35273) in PeopleSoft software, currently being exploited by the ShinyHunters hacking group. The campaign has breached over 100 organisations, mostly universities, exposing sensitive student and staff data. Oracle has advised immediate network isolation and endpoint monitoring, as an official software patch remains under development by the company.
Ahmedabad, June 12: Oracle has issued an urgent security advisory following the discovery of a critical zero-day vulnerability in its PeopleSoft enterprise software. The flaw, tracked as CVE-2026-35273, has been actively exploited by the cybercrime group ShinyHunters in a mass-hacking campaign that has compromised over 100 global organisations, primarily within the higher education sector.
The vulnerability resides in the PeopleSoft Environment Management component and allows for unauthenticated remote code execution. With a CVSS score of 9.8, the bug enables attackers to take full control of a server via the internet without requiring any login credentials or user interaction. Google’s Mandiant security unit, which tracks the responsible threat actor as UNC6240, confirmed that the exploitation occurred between May 27 and June 9, prior to Oracle’s formal advisory on June 10. Oracle Layoffs: Fresh Allegations Suggest Hybrid Workers Were Reclassified Before Job Cuts; Final Phase of Restructuring Affects Thousands.
Hacking Impact on Higher Education and Enterprise Data
The hacking campaign has targeted organisations that manage sensitive human resources, payroll, and student administration data. ShinyHunters has reportedly stolen vast amounts of personal information, including names, home addresses, phone numbers, email addresses, dates of birth, and, in some instances, passport numbers and academic records.
Mandiant has notified more than 100 organisations of the potential exposure. While some entities successfully blocked the attempts, others were compromised, resulting in stolen data being published on the group's public leak site. The University of Nottingham is among the confirmed victims, with reports indicating that hundreds of thousands of student and alumni records were impacted globally.
Mitigation and Security Recommendations
Oracle has not yet released a comprehensive patch for the vulnerability. In the interim, the company and security researchers strongly advise administrators to lock down or isolate the affected Environment Management Hub (PSEMHUB) endpoints. Organisations are urged to:
-
Disable or remove: Disable the Environment Management Hub service or remove the PSEMHUB application entirely if not in use.
-
Restrict access: Block external access to
/PSEMHUB/*and/PSIGW/HttpListeningConnectorat the network perimeter. -
Monitor logs: Audit WebLogic access logs for suspicious POST requests to the affected paths and monitor outbound network telemetry for unauthorised SMB traffic. Oracle Layoffs: 30,000 Employees to Exit Globally by June 15 in Company's Largest-Ever Job Cut.
Cybersecurity analysts note that ShinyHunters utilised custom staging infrastructure, including MeshCentral remote-management agents and lateral movement scripts, to conduct the attacks. Security teams are encouraged to hunt for specific indicators of compromise, such as the presence of unusual .jsp files in the web application directory or the creation of marker files left by the attackers.
(The above story first appeared on LatestLY on Jun 12, 2026 07:19 AM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).
