🇨🇳Stalecollected in 3h

Oracle PeopleSoft Vulnerability Exploited by ShinyHunters

Oracle PeopleSoft Vulnerability Exploited by ShinyHunters
PostLinkedIn
🇨🇳Read original on cnBeta (Full RSS)

💡Critical enterprise software breach; essential for security-conscious AI engineers managing sensitive data infrastructur

⚡ 30-Second TL;DR

What Changed

Critical security vulnerability identified in Oracle PeopleSoft software.

Why It Matters

Large-scale breaches of HR and payroll systems pose significant data privacy risks and may trigger stricter enterprise security compliance requirements.

What To Do Next

If your organization uses PeopleSoft, immediately audit server logs for unauthorized access and apply the latest security patches from Oracle.

Who should care:Enterprise & Security Teams

Key Points

  • Critical security vulnerability identified in Oracle PeopleSoft software.
  • ShinyHunters group claims to have breached over 100 organizations.
  • The vulnerability affects systems managing payroll and human resources.

🧠 Deep Insight

Web-grounded analysis with 15 cited sources.

🔑 Enhanced Key Takeaways

  • The vulnerability, identified as CVE-2026-35273, is a critical remote code execution (RCE) flaw in PeopleSoft Enterprise PeopleTools, rated 9.8 out of 10 on the CVSS scale, and affects versions 8.61 and 8.62.
  • ShinyHunters exploited this vulnerability as a zero-day between May 27 and June 9, 2026, before Oracle issued its security advisory on June 10, 2026.
  • The attacks specifically targeted the Environment Management Hub (PSEMHUB) component within PeopleSoft's Updates Environment Management, requiring no authentication or user interaction for exploitation.
  • The campaign predominantly impacted the higher education sector, with 68% of the over 100 compromised organizations being universities, primarily in the United States.
  • ShinyHunters utilized a 'gadget chain' combining older vulnerabilities with the zero-day, and post-compromise tactics included deploying custom MeshCentral remote-management agents and a lateral-movement script that sprayed hardcoded credentials via SSH.
📊 Competitor Analysis▸ Show
Feature/CategoryOracle PeopleSoftWorkday HCMSAP SuccessFactors HCMDayforce
Primary FocusComprehensive ERP (HR, Finance, SCM, Campus Solutions)Cloud-based HCM & Financial ManagementHuman Experience Management (HXM)HCM (Payroll, Time & Attendance, Talent)
DeploymentOn-premises or Private Cloud (Cloud-hosted options available)Cloud-basedCloud-basedCloud-based
Key Capabilities (HCM)Employee lifecycle, organizational management, HR ticketing, payroll processing, talent management, benefits, tax managementTime & absence, compensation, learning, workforce planning, core HREmployee lifecycle, organizational management, HR ticketing, payroll processingPayroll processing, time & attendance, talent management, benefits, tax management
Market Share (HCM)Significant, but specific share not provided in results23.06%10.73% (as SAP HCM)Highly rated, but specific share not provided in results
User Feedback (G2/Gartner)Users compare alternatives based on reliability and ease of useComprehensive, ease of use, intuitive interfaceHelpful and comprehensive featuresHighly rated for helpful and comprehensive features

🛠️ Technical Deep Dive

  • Architecture: Oracle PeopleSoft operates on a three-tier architecture known as the PeopleSoft Pure Internet Architecture (PIA), comprising a web tier (browser clients, web server running PeopleSoft web applications, typically on Oracle WebLogic or IBM WebSphere), an application server tier (PeopleSoft business logic on Oracle Tuxedo), and a database tier (relational database like Oracle Database or SQL Server).
  • Vulnerability (CVE-2026-35273): This is a critical remote code execution (RCE) vulnerability in PeopleSoft Enterprise PeopleTools, affecting versions 8.61 and 8.62.
  • Exploitation Vector: The flaw resides in the Updates Environment Management component, specifically targeting the Environment Management Hub (PSEMHUB), and is remotely exploitable over HTTP without authentication or user interaction.
  • CVSS Score: The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, indicating high severity and low exploitation complexity.
  • Attacker Tools & Methods: ShinyHunters deployed customized MeshCentral remote-management agents, disguised as Microsoft Azure binaries, and a lateral-movement script ([victim]_fanout.sh). This script spreads over SSH by spraying hardcoded usernames and passwords against internal hosts.
  • Data Exfiltration: The attackers used zstd for data compression and established outbound SSH connections to their leak site for exfiltration.

🔮 Future ImplicationsAI analysis grounded in cited sources

Organizations will face increased pressure to secure their ERP systems, particularly external-facing PeopleSoft components.
The zero-day exploitation of a critical vulnerability in a widely used ERP system like PeopleSoft highlights the severe risks associated with unpatched or exposed enterprise software, prompting more rigorous security measures.
There will be a heightened focus on timely application of Oracle's Critical Patch Updates and security alerts.
The fact that this was a zero-day exploit, with Oracle issuing an out-of-band advisory and mitigations after active exploitation, underscores the necessity for organizations to apply patches and mitigations immediately upon release.
The education sector, a primary target in this campaign, will likely implement stricter data protection policies and incident response plans.
The breach of sensitive student and administrative data from universities, such as the University of Nottingham, will force educational institutions to re-evaluate and strengthen their cybersecurity posture to avoid regulatory fines and reputational damage.

Timeline

2019
ShinyHunters hacking group believed to have formed.
2020-05
ShinyHunters publicly emerges, offering millions of stolen user records on dark web forums.
2022-05
Sébastien Raoult, a French programmer linked to ShinyHunters, arrested in Morocco.
2024-01
Sébastien Raoult sentenced to three years in prison and ordered to return five million dollars.
2025-05
ShinyHunters begins a campaign targeting Salesforce environments using vishing and device code phishing.
2026-05-27
ShinyHunters begins exploiting CVE-2026-35273 in Oracle PeopleSoft as a zero-day vulnerability.
2026-06-09
Victims of the PeopleSoft exploitation campaign begin receiving extortion messages from ShinyHunters.
2026-06-10
Oracle issues an out-of-band security alert advisory for CVE-2026-35273 in PeopleSoft Enterprise PeopleTools.
2026-06-11
University of Nottingham confirms a data breach linked to the ShinyHunters PeopleSoft exploitation, affecting approximately 455,000 individuals.

📎 Sources (15)

Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.

  1. thehackernews.com
  2. reddit.com
  3. oracle.com
  4. google.com
  5. reddit.com
  6. wikipedia.org
  7. fieldeffect.com
  8. rublon.com
  9. securityweek.com
  10. selecthub.com
  11. g2.com
  12. 6sense.com
  13. oracle.com
  14. oracle.com
  15. hkrtrainings.com
📰

Weekly AI Recap

Read this week's curated digest of top AI events →

👉Related Updates

AI-curated news aggregator. All content rights belong to original publishers.
Original source: cnBeta (Full RSS)