Oracle PeopleSoft Flaw: Protecting Your Institution from Breaches
The cybercrime group ShinyHunters exploited a critical zero-day vulnerability in Oracle PeopleSoft to breach more than 100 organizations — most of them universities — between May 27 and June 9, according to Google's Mandiant threat intelligence team and multiple security researchers.
The Vulnerability and Attack Campaign
The flaw, tracked as CVE-2026-35273 and carrying a CVSS score of 9.8, is an unauthenticated remote code execution vulnerability in the Environment Management Hub component of PeopleSoft Enterprise PeopleTools. It affects versions 8.61 and 8.62, requires no login or user interaction, and lets an attacker with network access over HTTP take over the server completely.
Google's Threat Intelligence Group, which tracks ShinyHunters as UNC6240, said it notified more than 100 global organizations of potential exposure. Sixty-eight percent of identified targets were in the higher education sector, with most based in the United States. The hackers claimed to have stolen student records including home addresses, phone numbers, emails, and dates of birth, according to TechCrunch, which reported that a ShinyHunters member confirmed the campaign.
The attack unfolded entirely before Oracle acknowledged the issue. Oracle published its out-of-band security advisory on June 10, meaning every compromised organization was hit while no patch existed.
Federal Response and Mitigation
On June 12, CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate the flaw. Oracle's guidance calls on organizations to disable the Environment Management Hub service entirely or block external access to the /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints at the network perimeter.
Mandiant warned that relying solely on web application firewall rules is insufficient, as these controls can be bypassed. Organizations were urged to hunt for indicators of compromise including unexpected JSP files, outbound SMB traffic on port 445, and recently modified XML files that could enable persistence across restarts.
Broader Context
The PeopleSoft campaign marks ShinyHunters' second major strike against the education sector in recent weeks. The group previously breached Instructure's Canvas learning management system in May, disrupting final exams at colleges nationwide. Security firm Pathlock noted that attackers left calling cards in the form of files named "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" on compromised servers, and that ShinyHunters continues to extort affected institutions by threatening to publish stolen data.
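A read-only sweep for the file-system indicators named above (unexpected JSP files, recently modified XML files, and the calling-card file name), as an added example that is not from Mandiant, Oracle or Pathlock. The baseline set of known JSP paths, the review-window timestamp and the directory tree built in demo() are assumptions constructed for illustration, not real PeopleSoft paths.

```python
import os
import tempfile
import time
from pathlib import Path

# File name reported on compromised servers (from the article).
CALLING_CARD = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

def hunt(root, known_jsps, since_epoch):
    """Return sorted (reason, relative_path) findings under root.

    known_jsps: relative paths of JSPs in a trusted baseline (assumption:
    you have one from a clean install or a pre-incident backup).
    since_epoch: start of the review window as a Unix timestamp.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            suffix = path.suffix.lower()
            if name.upper() == CALLING_CARD:
                findings.append(("calling-card", rel))
            elif suffix == ".jsp" and rel not in known_jsps:
                findings.append(("unexpected-jsp", rel))
            elif suffix == ".xml" and path.lstat().st_mtime >= since_epoch:
                findings.append(("recent-xml", rel))
    return sorted(findings)

def demo():
    """Run hunt() over a constructed directory tree (not real PeopleSoft paths)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        old = {"app/index.jsp": "", "conf/old.xml": "<a/>"}
        new = {"app/x.jsp": "", "conf/new.xml": "<b/>", "app/" + CALLING_CARD: ""}
        for rel, body in {**old, **new}.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
            if rel in old:  # backdate baseline files by 400 days
                os.utime(p, (now - 400 * 86400,) * 2)
        return hunt(tmp, known_jsps={"app/index.jsp"}, since_epoch=now - 30 * 86400)

if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason:15} {rel}")
```

Modification times can be reset by whoever controls the server, so an empty recent-xml result is not proof of a clean host; comparing file hashes against the baseline is the stronger check where one exists.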
