The data-theft and extortion group ShinyHunters exploited a critical zero-day in Oracle PeopleSoft to compromise organizations at scale, according to research from Google’s Mandiant, which tracks the group as UNC6240.
Oracle issued an emergency fix on June 10, but the attacks had been running since late May.
The flaw, CVE-2026-35273, is a remotely exploitable, unauthenticated remote code execution (RCE) bug carrying a CVSS score of 9.8. It sits in PeopleSoft’s Environment Management component, and Oracle’s advisory lists PeopleTools versions 8.61 and 8.62 as affected.
PeopleSoft is an enterprise resource planning suite that large institutions use to run HR, payroll, finance, and student records, making it a rich target for data theft.
A Zero-Day Used for Weeks Before the Fix
Mandiant observed the activity between May 27 and June 9, meaning the bug was a genuine zero-day throughout the campaign.
After becoming aware of the exploitation, Mandiant said it notified more than 100 organizations whose internet-facing systems appeared exposed. Most were in the United States, and 68% were in the higher-education sector.
The attackers used the access to steal data and then extort victims, publishing stolen files on the ShinyHunters leak site when targets refused to pay.
The group has separately claimed, in reports from outlets including BleepingComputer, to have hit more than 100 organizations across some 300 PeopleSoft instances.
Among the confirmed victims is the University of Nottingham, which last week acknowledged a cybersecurity incident affecting current and former students.
What Defenders Should Do
Because exploitation predates the patch, applying Oracle’s update alone may not be enough, and organizations should assume exposed systems were probed.
Mandiant’s central recommendation is to disable the Environment Management Hub service where possible, or otherwise block external access to its endpoints at the firewall, since the component is not needed for normal user-facing sessions.
It also advised auditing web server access logs for suspicious external requests to those endpoints and monitoring for unusual outbound traffic that could indicate a compromised host.
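The log-auditing step above can be scripted. The following is an added example, not code from the article, Mandiant, or Oracle: it parses web server access log lines in Common Log Format, flags requests to Environment Management Hub endpoints that originate outside the organization's own address ranges, and counts hits per source. The endpoint prefix `/PSEMHUB/` and the internal network ranges are assumptions to be checked against your own deployment, and the sample log lines are constructed for illustration.

```python
"""Flag external requests to PeopleSoft Environment Management Hub endpoints.

Added example (not from the article, Mandiant, or Oracle).  The EM Hub path
prefix and the internal address ranges are assumptions for this example and
should be adjusted to match the deployment being audited.
"""
import ipaddress
import re
from collections import Counter

# Assumed context root of the Environment Management Hub servlet; verify it
# against the web server configuration before relying on it.
EMHUB_PREFIXES = ("/PSEMHUB/",)

# Assumed address ranges from which management traffic is legitimate.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Common Log Format, with optional referer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip_str):
    """True when the source address is outside every assumed internal range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # an unparseable source field is itself worth a look
    return not any(ip in net for net in INTERNAL_NETS)


def is_emhub_request(path):
    """True when the request path (query string ignored) targets the EM Hub."""
    return path.split("?", 1)[0].startswith(EMHUB_PREFIXES)


def find_suspicious(lines):
    """Return parsed records for EM Hub requests from external addresses."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_emhub_request(rec["path"]) and is_external(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per source IP, noisiest source first."""
    return Counter(h["ip"] for h in hits).most_common()


# Constructed sample log lines (documentation address ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.45 - - [28/May/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.20.30.40 - - [28/May/2026:02:15:10 +0000] "GET /PSEMHUB/hub?type=ping HTTP/1.1" 200 128 "-" "PSEMAgent"',
    '198.51.100.7 - - [28/May/2026:02:16:33 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [28/May/2026:02:17:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 500 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for ip, count in summarize(flagged):
        print(f"{ip}: {count} external EM Hub request(s)")
    for rec in flagged:
        print(f'  {rec["ts"]} {rec["method"]} {rec["path"]} -> {rec["status"]} ({rec["ua"]})')
```

Run against a real log, the internal request from the PSEMAgent-style client is ignored while both external POSTs to the hub surface with their status codes and user agents; any external hit at all on this endpoint after the firewall change is a sign the block is incomplete.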
John Carberry of Xcape said the campaign marks a shift, with complex ERP applications that were “long protected by operational obscurity” now facing automated, industrial-scale exploitation.
“Organizations must treat this as a high-priority incident response action,” Carberry warned.
“Immediately deploy the prescribed perimeter network mitigations, strictly audit outbound server traffic for rogue command-and-control (C2) protocols like MeshCentral, and force a rotation of core application service credentials stored within local server configuration files.”