A sophisticated cyberattack is targeting universities and higher education institutions, with the notorious ShinyHunters group exploiting a newly discovered zero-day vulnerability in Oracle PeopleSoft. Security researchers have confirmed that this critical flaw (CVE-2026-35273) allows for unauthenticated remote code execution, making it particularly dangerous. Exploitation activity has been observed between May 27 and June 9 by both Mandiant and Google Threat Intelligence Group (GTIG), with Google notifying over 100 organizations on June 9.
The vulnerability resides within the Environment Management Hub (EMHub) of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, enabling attackers to execute code remotely without authentication. ShinyHunters has been leveraging this zero-day in conjunction with older vulnerabilities and credential spraying techniques to gain access to PeopleSoft systems. The group is also deploying ransom notes on compromised servers, escalating the situation into an extortion scheme.
The impact of these attacks has already been widely felt. More than 100 organizations have reportedly been affected, with over 68% being universities and higher education institutions. The University of Nottingham in the UK is among the confirmed victims; data was stolen from its systems and subsequently published on ShinyHunters’ data leak site, highlighting the severity of the situation and the potential for sensitive student and institutional information to be exposed.
Google has officially acknowledged the exploitation of this PeopleSoft vulnerability, confirming that ShinyHunters is actively leveraging it as a zero-day to steal data. Attackers are using scripts to identify vulnerable PeopleSoft systems, attempting to gain administrative access through credential spraying, and deploying ransom notes on servers they have successfully compromised.
Organizations running Oracle PeopleSoft Enterprise PeopleTools versions 8.61 or 8.62 are strongly urged to immediately apply the available security updates and review their system configurations for any signs of compromise. The combination of zero-day exploits, older vulnerabilities, and credential spraying demonstrates a highly targeted and sophisticated attack campaign that requires immediate attention from IT security teams within higher education and other sectors utilizing PeopleSoft.
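
When reviewing for signs of the credential spraying described above, one pattern to look for is a single source failing logins against many distinct accounts, each only once or twice, in a short window. The following is an added example, not code from the reporting or from Oracle or Google; the log format, field names, addresses and thresholds are all assumptions and must be adapted to the authentication logs actually available.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp src= user= result=" format.
# Addresses are documentation ranges; usernames are made up.
SAMPLE_LOG = """\
2026-01-01T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2026-01-01T02:00:31Z src=203.0.113.7 user=bob result=FAIL
2026-01-01T02:01:02Z src=203.0.113.7 user=carol result=FAIL
2026-01-01T02:01:30Z src=203.0.113.7 user=dave result=FAIL
2026-01-01T02:02:04Z src=203.0.113.7 user=erin result=FAIL
2026-01-01T02:02:33Z src=203.0.113.7 user=frank result=FAIL
2026-01-01T02:03:00Z src=198.51.100.20 user=bob result=FAIL
2026-01-01T02:03:05Z src=198.51.100.20 user=bob result=FAIL
2026-01-01T02:03:09Z src=198.51.100.20 user=bob result=FAIL
2026-01-01T02:04:00Z src=192.0.2.15 user=grace result=FAIL
2026-01-01T02:04:20Z src=192.0.2.15 user=grace result=OK
"""

def parse_line(line):
    """Split one log line into (timestamp, source, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["src"], kv["user"], kv["result"]

def detect_spray(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: sorted usernames} for sources whose failed logins inside one
    window touch >= min_users distinct accounts, each at most max_per_user times."""
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            wide = len(counts) >= min_users and max(counts.values()) <= max_per_user
            if wide and len(counts) > len(flagged.get(src, ())):
                flagged[src] = sorted(counts)  # keep the widest window seen
    return flagged
```

The repeated failures against one account from 198.51.100.20 are ordinary brute forcing and are deliberately not flagged here; lockout policies catch that pattern, while spraying stays under per-account lockout thresholds.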
