Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Dark Reading

ShinyHunters Uses Oracle Zero-Day to Rampage Higher Ed

The ShinyHunters extortion gang exploited CVE-2026-35273, a critical (CVSS 9.8) zero-day vulnerability in Oracle PeopleSoft's PeopleTools, which allows unauthenticated remote code execution via the Environment Management Hub (EMHub) backend service. Affected versions include Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62. The article does not specify a fixed version or provide a workaround.

A major bug in Oracle's ERP software disproportionately affected American universities, and hackers have capitalized by stealing gobs of data.

Nate Nelson, Contributing Writer
June 12, 2026

ShinyHunters used a zero-day vulnerability in Oracle's PeopleSoft software suite to steal data from potentially more than 100 organizations.

PeopleSoft is an enterprise resource planning (ERP) application suite used for things like payroll, supply chain management, human resources (HR), and student administration. It's primarily oriented to large businesses and organizations, such as government entities and higher education institutions.

From May 27 to June 9, 2026, the ShinyHunters extortion gang exploited a zero-day vulnerability in PeopleTools, PeopleSoft's underlying integrated development environment (IDE) and runtime platform, according to new research from Mandiant and the Google Threat Intelligence Group (GTIG).

More specifically, the vulnerability is located in the Environment Management Hub (EMHub), a backend service that tracks and manages agents across PeopleSoft environments. The issue allowed remote code execution (RCE) without authentication. It has since been assigned the identifier CVE-2026-35273 and a critical 9.8 CVSS score.

With the zero-day, ShinyHunters claims to have compromised more than 300 PeopleSoft instances across more than 100 organizations.

In a blog post, researchers from Mandiant and GTIG said they alerted more than 100 organizations with potentially vulnerable endpoints. In an email to Dark Reading, Dustin Childs, head of threat awareness for Trend Micro's Zero Day Initiative, characterizes the exploitation as "limited," though he notes that the investigation by TrendAI, Trend Micro's enterprise security division, is still ongoing.

ShinyHunters Tags Universities

Beginning on May 27, ShinyHunters exploited CVE-2026-35273 across global organizations, according to Mandiant and GTIG. In the process, they accidentally left several directories exposed on the open Internet, allowing researchers to piece together what happened next: The group used MeshCentral, an open source browser-based program for remote management, for command-and-control (C2) operations. They tried concealing their activity by naming their MeshCentral agents after Microsoft Azure services. Next, they used MeshCentral's command line interface (CLI) to perform reconnaissance, a custom SSH credential spraying script to spread further into victims' environments, and the Zstandard compression algorithm to exfiltrate data en masse.

The threat actors concluded their campaign on June 9 by leaking their winnings on their website. At that point, researchers from TrendAI identified the vulnerability and alerted Oracle. Oracle patched the flaw and published a security advisory the following day.

Of the more than 100 at-risk organizations contacted by Google, most were based in the U.S., and 68% happened to be involved in higher education.

The University of Nottingham in the U.K. has confirmed that it was one of the fallen, having lost "a significant amount of data" from its student records system. In a notice online it acknowledged that both current and former students were impacted, but did not indicate what specific kinds of data were stolen.

On its dark web leak site, ShinyHunters listed the University of Nottingham as a recent victim, alleging it possessed more than 40 GB of sensitive data. The extortion group listed several other enterprises as recent victims, but those attacks have not been confirmed and it's unclear if they are related to the PeopleSoft zero-day campaign.

What Schools Should Do Now

ShinyHunters' zero-day campaign marks the group's latest attacks against the education sector. Last September, threat actors tied to the group breached Instructure, an edtech company known for its widely used Canvas learning management platform. ShinyHunters successfully breached the company again and disrupted Canvas this spring; Instructure later announced it had "reached an agreement" with the threat actors, presumably paying ShinyHunters' ransom demand.

In the PeopleSoft attacks, Mandiant and GTIG researchers noted that "In several instances we have identified web application firewalls (WAFs) protecting otherwise vulnerable organizations." Still, the researchers don't condone WAFs as a catch-all solution, arguing that "These are not durable protections and we recommend following Oracle’s mitigations guidance as soon as possible."

Oracle "strongly" recommended that organizations patch the vulnerability. Mandiant and GTIG suggested other mitigations in the blog post, first and foremost that organizations should disable the EMHub service or otherwise block external network access to it. They also noted that restricting the EMHub endpoint doesn't break PeopleSoft since it's "not required for the core user-facing PeopleSoft Internet Architecture (PIA) browser sessions."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.

Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget.
