Virtual Round Table · Jul 22

Save your seat
ShinyHunters Turned an Oracle PeopleSoft Zero-Day Into a 100-Organisation Breach, and Universities Paid the Price
Cybersecurity

ShinyHunters Turned an Oracle PeopleSoft Zero-Day Into a 100-Organisation Breach, and Universities Paid the Price

A perfect-storm flaw in PeopleSoft let attackers run code without logging in, and they used the two-week head start before Oracle's patch to hit more than 100 organisations, most of them universities.

PublishedJuly 10, 2026
Read time6 min read
Share

A Flaw That Needed No Password

Some vulnerabilities are dangerous because they are subtle. CVE-2026-35273 is dangerous because it is not. The flaw in Oracle PeopleSoft Enterprise PeopleTools carries a severity rating of 9.8 out of 10, and the reason is written into its mechanics: it permits remote code execution over ordinary HTTP with no authentication and no user interaction. An attacker needs only network access to a vulnerable endpoint to run their own code on the server. There is no phishing lure to click, no credential to steal, no privilege to escalate. The door is simply open to anyone who can reach it, and PeopleSoft servers are reachable across a great many enterprise and university networks.

Mandiant describes the underlying weakness as a server-side request forgery that serves as the mechanism through which code execution is achieved, a chain that turns a request-handling defect into full compromise. Vulnerabilities of this class are the ones defenders fear most, because they collapse the usual multi-step intrusion into a single move. When exploitation requires nothing but connectivity, the population of potential victims is defined entirely by exposure, and PeopleSoft's role as a system of record for payroll, student data and human resources means the exposed instances hold exactly the data an extortion crew wants most.

Two Weeks of Head Start

The most damaging detail is chronological. According to Mandiant, active exploitation of the flaw ran from May 27 to June 9, while Oracle's security advisory did not appear until June 10. That is a window of roughly two weeks in which the vulnerability was being weaponised in the wild with no patch, no advisory and no public awareness that anything was wrong. For the entire attack window, PeopleTools versions 8.61 and 8.62 were exposed with no fix available. Oracle did release an out-of-band patch the same day as its advisory, an acknowledgement of urgency, but by then the head start had already been spent.

That two-week gap is the anatomy of a zero-day campaign. The attackers were not racing a patch; there was no patch to race. They were operating in the silence before disclosure, which is precisely when a capable actor extracts the most value. By the time defenders had a CVE number to track and a patch to deploy, the compromise had already spread across a hundred networks. The episode underscores why exposure management now matters as much as patch management. You cannot patch a flaw you have not heard of, but you can limit how much an internet-reachable enterprise platform is allowed to touch when it is inevitably targeted.

Universities in the Crosshairs

The victim profile is unusually concentrated. Mandiant notified more than 100 organisations whose IP addresses matched vulnerable endpoints, and 68 percent of them were in higher education, most located in the United States. ShinyHunters, the extortion crew behind the campaign, claims to have compromised roughly 300 instances across those 100-plus organisations. Universities are a natural target for this kind of platform-level attack. They run large, complex PeopleSoft deployments for student records, financial aid and payroll, they often operate on constrained security budgets, and they hold exactly the mix of personal and financial data that makes extortion profitable.

The disproportionate impact on education is not a coincidence of exposure alone. Higher-education IT environments are notoriously decentralised, with departments running their own instances and patch cycles stretched by governance and budget. A flaw that requires only network reachability finds fertile ground in institutions where a single central security team may not even have a complete inventory of every PeopleSoft server on campus. For enterprises in every sector, the education cluster is a warning about what happens when a high-value platform meets an environment that cannot patch or monitor it uniformly.

Living Off the Land, Disguised as Azure

The post-exploitation tradecraft is as telling as the entry point. Mandiant observed the attackers deploying MeshCentral, an open-source, self-hosted remote monitoring and management platform, configured to masquerade as Microsoft Azure services. The remote agents carried names such as meshagent64-azure-ops.exe, and command-and-control traffic was directed to a domain crafted to look like legitimate Azure file infrastructure. This is deliberate camouflage. By dressing malicious remote-access tooling in the costume of a trusted cloud service, the attackers bought themselves time inside networks whose defenders scan for obvious malware but wave through anything that looks like Azure.

Once inside, the actors performed internal reconnaissance of PeopleSoft configurations, deployed lateral movement scripts, and exfiltrated data using zstd compression to move it out efficiently. Every step of that chain uses legitimate or open-source tooling rather than bespoke malware, the living-off-the-land approach that has become standard for sophisticated crews because it blends into normal administrative activity. For defenders, the implication is that signature-based detection is nearly useless here. What catches this behaviour is anomaly detection: a PeopleSoft server should not be spawning remote-management agents or compressing and shipping large volumes of data to an unfamiliar domain, no matter how Azure-like its name.

What Defenders Should Do Now

The immediate action is unambiguous: any organisation running PeopleTools 8.61 or 8.62 should confirm it has applied Oracle's out-of-band patch and then hunt for signs of compromise, because patching a system that was already breached only closes the door on an intruder who may still be inside. The indicators are specific and public: MeshCentral agents named to impersonate Azure, command-and-control traffic to lookalike domains, and evidence of zstd-compressed exfiltration. Given a two-week exploitation window before disclosure, the assumption for any exposed instance should be compromise until proven otherwise, not the reverse.

The strategic lesson reaches beyond PeopleSoft. Enterprise resource platforms have quietly become some of the highest-value targets in any organisation, because a single compromise exposes the payroll, personnel and financial records of the entire institution at once. Yet these systems are often treated as stable back-office furniture rather than as the crown jewels they are. The ShinyHunters campaign is a prompt to reclassify them: to put internet-facing ERP behind stricter access controls, to monitor them as sensitive assets rather than mundane infrastructure, and to accept that the next zero-day in a platform this central will not wait for a patch either.

Tagged#news#security#cybersecurity#zero-day#ransomware