ShinyHunters Burned an Oracle PeopleSoft Zero-Day Through 100 Universities Before Oracle Knew, CVE-2026-35273

A 9.8-severity PeopleSoft flaw let ShinyHunters quietly loot more than 100 organizations, two-thirds of them universities, for almost two weeks before Oracle shipped a patch.

Published June 26, 2026

A Zero-Day That Ran for Two Weeks in the Open

There is a particular kind of breach that should frighten enterprise security leaders more than a noisy ransomware detonation: the quiet one that runs for two weeks before the vendor even admits the door is open. That is the story of CVE-2026-35273, the Oracle PeopleSoft flaw that the extortion crew ShinyHunters rode through more than 100 organizations this June. By the time Oracle published its out-of-band advisory on June 10, the attackers had already been inside victim environments since at least May 27, exfiltrating data and staging extortion.

The flaw itself is the kind that makes a CISO wince. It is an unauthenticated remote code execution bug in PeopleSoft Enterprise PeopleTools, rated 9.8 out of 10, sitting in the Updates Environment Management component behind the Environment Management Hub, or PSEMHUB. No login, no user interaction, just network access over HTTP to a server that, in too many deployments, was reachable from the internet. For an ERP platform that holds payroll, student records, and HR data, that is close to a worst case.

Education Took the Brunt of the Damage

What stands out about this campaign is the targeting. Google's Mandiant and the Google Threat Intelligence Group notified over 100 organizations whose internet-facing endpoints matched the vulnerable PSEMHUB and HttpListeningConnector paths. Sixty-eight percent of them were in higher education, and most were in the United States. ShinyHunters was confirmed to have touched more than 300 PeopleSoft instances across those organizations, a footprint that suggests automated, opportunistic scanning rather than careful target selection.

The University of Nottingham was among the first confirmed victims, and the data set tells you why this matters beyond compliance paperwork. Roughly 455,000 unique records were exposed, including names, addresses, phone numbers, passport numbers, and sensitive fields covering ethnicity and disability status. For an institution, that is not just a breach notification exercise. It is a generational dataset of students and alumni handed to an extortion crew with a public leak site.

The Tradecraft Was Polished and Sloppy at Once

The attack chain shows a group that knows enterprise environments. After exploiting the PSEMHUB endpoint, the operators deployed MeshCentral, a legitimate remote management tool, with agents named to masquerade as Azure operations binaries and a command server at azurenetfiles.net pretending to be Azure NetApp Files. They moved laterally with SSH credential spraying scripts custom-built per victim, audited WebLogic and Process Scheduler configurations, and compressed stolen data with zstd before shipping it to a mirror.

And yet the operation was undone in part by its own sloppiness. The attackers left staging directories wide open across five sequential IP addresses, 142.11.200.186 through 190, complete with their agents and fan-out scripts. Security researcher @nahamike01 surfaced those open directories publicly, which is part of how the scale of the campaign came to light. The lesson is not that the attackers were amateurs. It is that even disciplined crews leave traces, and defenders who monitor internet-facing assets can catch them.

Why ERP Is the New Soft Underbelly

James Davison, chief strategy officer at Pathlock, framed the breach as a preview of what every ERP will face. "The Oracle PeopleSoft breach is an example of the new kind of attacks every ERP will face in today's new agentic world," he said, adding that "modern ERP security requires a layered approach that combines preventive controls, continuous monitoring, and visibility into user activity." We think that framing is correct, if anything understated.

ERP platforms have historically been treated as deep-internal systems, patched on slow quarterly cycles and shielded by the assumption that nobody can reach them. That assumption is dead. PeopleSoft components were internet-exposed at scale, and an unauthenticated RCE turned that exposure into a mass-compromise event in days. The enterprises that fared worst were not the ones with weak passwords. They were the ones who never asked whether their PSEMHUB endpoint should answer the open internet at all.

The Patch Gap Is the Real Story

The uncomfortable center of this incident is the patch gap. The vulnerability was exploited as a zero-day from May 27, and Oracle's advisory did not land until June 10. For nearly two weeks, defenders had no CVE, no patch, and no public warning, while a financially motivated crew worked through a target list. Detection, not patching, was the only defense available during that window, and most victims did not have it.

That reframes the action items. Patching PeopleTools 8.61 and 8.62 is now mandatory, but it is the floor, not the ceiling. The organizations that will survive the next PeopleSoft zero-day are the ones removing management interfaces from the public internet, watching for anomalous RMM installs like MeshCentral, and treating their ERP estate as a high-value attack surface rather than a quiet back office. ShinyHunters has shown the playbook. The only question is who copies it next.
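As an added example, not code from the article, Oracle, or Mandiant, here is a small Python hunt that applies the indicators the article reports to constructed sample logs: public-source requests to the PSEMHUB and HttpListeningConnector paths on the web tier, and egress to azurenetfiles.net or the 142.11.200.186 through 190 staging hosts. The servlet paths `/PSEMHUB/hub` and `/PSIGW/HttpListeningConnector`, the log formats, and all client and destination addresses are assumptions for the example; the indicators themselves come from the article.

```python
import ipaddress
import re

EXPOSED_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")  # assumed servlet paths
C2_DOMAINS = {"azurenetfiles.net"}  # C2 posing as Azure NetApp Files, from the article
STAGING_IPS = {f"142.11.200.{n}" for n in range(186, 191)}  # open staging hosts, from the article
# Own ranges listed explicitly: ip.is_private also covers the RFC 5737 addresses used below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_internet_source(ip_text):
    """True when a web-tier client address lies outside the organisation's own ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def flag_exposed_requests(access_lines):
    """Combined-format access log: public clients reaching PSEMHUB or the gateway connector."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and is_internet_source(m[1]) and m[3].startswith(EXPOSED_PATHS):
            hits.append((m[1], m[2], m[3], int(m[4])))  # (client, method, path, status)
    return hits

def flag_staging_egress(egress_lines):
    """Proxy/firewall log (key=value fields): traffic to the C2 domain or staging hosts."""
    hits = []
    for line in egress_lines:
        kv = dict(f.split("=", 1) for f in line.split() if "=" in f)
        host, dst = kv.get("host", "").lower().rstrip("."), kv.get("dst", "")
        if host in C2_DOMAINS:
            hits.append((kv.get("src"), host, "c2-domain"))
        elif dst in STAGING_IPS:
            hits.append((kv.get("src"), dst, "staging-ip"))
    return hits

# Constructed sample records; public clients use RFC 5737 documentation addresses.
SAMPLE_ACCESS = [
    '10.4.7.22 - - [27/May/2026:08:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.45 - - [27/May/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '198.51.100.9 - - [27/May/2026:02:14:09 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 77',
]
SAMPLE_EGRESS = [
    "ts=2026-05-28T03:20:11Z src=10.20.30.40 dst=142.11.200.187 host= bytes=4096",
    "ts=2026-05-28T03:21:40Z src=10.20.30.40 dst=192.0.2.10 host=azurenetfiles.net bytes=1200",
    "ts=2026-05-28T03:22:00Z src=10.20.30.41 dst=192.0.2.20 host=login.microsoftonline.com bytes=900",
]
```

The internal `10.4.7.22` request to `/PSEMHUB/hub` is deliberately not flagged: the first check answers the article's question of whether the hub is answering the open internet, while the egress check catches hosts already talking to the attackers' infrastructure.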
