Google Reports Surge in Oracle PeopleSoft Attacks Against Campuses
Cybersecurity researchers at Google’s Mandiant and the Google Threat Intelligence Group (GTIG) have linked the ShinyHunters extortion group to a series of attacks exploiting a critical Oracle PeopleSoft vulnerability before a patch was available.
The campaign, tracked as UNC6240, took place between May 27 and June 9 and leveraged CVE-2026-35273, a remote code execution flaw affecting Oracle PeopleSoft’s Environment Management component. Oracle publicly disclosed the vulnerability on June 10, assigning it a critical CVSS score of 9.8 and warning that attackers could exploit it remotely without authentication.
Figure 1. Oracle PeopleSoft Attacks.
According to Google, the attackers focused on PeopleSoft Environment Management Hub (PSEMHUB) endpoints, compromising organizations across multiple sectors. More than 100 potentially exposed organizations were alerted, with the majority located in the United States and nearly 70% belonging to the higher education sector.
Researchers uncovered publicly accessible attacker infrastructure that provided insight into the operation. The threat actors deployed customized MeshCentral remote-management tools disguised as legitimate Microsoft Azure-related services, using filenames designed to blend into enterprise environments. Figure 1 shows oracle peoplesoft attacks.
Further investigation revealed extensive reconnaissance activities within compromised networks. Attackers examined PeopleSoft configuration files, reviewed WebLogic server settings, mapped internal systems, and identified network resources before collecting and compressing sensitive data for exfiltration.
Mandiant also identified a custom lateral-movement script used to spread extortion notes across affected environments. The tool automated the distribution of ransom messages and attempted to access additional systems using embedded credentials, expanding the attackers’ reach inside victim networks.
Several organizations targeted in the campaign later appeared on the ShinyHunters data-leak site [1]. Among them was the University of Nottingham, which confirmed unauthorized access to data stored within its student records system. The institution reported that a significant volume of information was exposed and has launched a forensic investigation into the incident.
Oracle has stated that the vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The company urges customers to apply available mitigations immediately and restrict access to vulnerable Environment Management services.
Security experts recommend disabling the Environment Management Hub where feasible, limiting external access to PSEMHUB endpoints, reviewing WebLogic logs for suspicious activity, and examining PeopleSoft servers for signs of compromise, including unauthorized files and directories.
Reference:
- https://cyberinsider.com/google-warns-of-oracle-peoplesoft-attacks-hitting-universities/
Cite this article:
Keerthana S (2026), Google Reports Surge in Oracle PeopleSoft Attacks Against Campuses, AnaTechMaz, pp.194

