ShinyHunters’ Oracle PeopleSoft Campaign Shows Universities Are Now Prime ERP Extortion Targets

A new wave of attacks against Oracle PeopleSoft has put universities and large enterprise organizations on alert after Google’s Mandiant and Google Threat Intelligence Group identified an active compromise and extortion campaign attributed to ShinyHunters.

The campaign targeted Oracle PeopleSoft application infrastructure and was observed between May 27 and June 9, 2026. The activity is linked to CVE-2026-35273, a critical remote code execution vulnerability in Oracle PeopleSoft PeopleTools. Oracle issued a security alert on June 10, warning that the vulnerability can be exploited remotely without authentication and may result in remote code execution.

For organizations running PeopleSoft, this is not a routine patch-management issue. It is an active threat campaign involving enterprise resource planning systems that often contain some of the most sensitive data inside an organization: employee records, payroll information, finance records, procurement data, student information, and institutional operating data.

The education sector appears to be one of the hardest hit. Google said it notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints, and 68% of those organizations were in higher education.

That matters because PeopleSoft is not a fringe application. In many universities, public institutions, and large enterprises, it is part of the operational backbone. It may sit behind HR, payroll, finance, procurement, and student administration. If attackers gain access to those systems, they are not just touching one database. They may be entering the administrative nervous system of the institution.

The Attack Shows ERP Is No Longer Too Obscure for Industrialized Cybercrime

For years, ERP systems were treated as difficult, specialized, and somewhat obscure targets. They were complex, customized, and often known only to internal administrators and niche consultants.

That assumption no longer holds.

The PeopleSoft campaign shows that organized cybercrime groups are willing to industrialize attacks against enterprise applications when the payoff is high enough. These are not systems attackers ignore because they are complicated. They are systems attackers study because they contain valuable data and often have long maintenance cycles, exposed administrative endpoints, and complicated ownership between IT, security, finance, HR, and outside vendors.

That is the real lesson for universities and enterprises.

Threat actors do not need every PeopleSoft environment to be vulnerable. They only need enough exposed systems to make automation worthwhile. Once a critical flaw exists, attackers can scan, stage tools, run commands, exfiltrate data, and pressure victims through extortion.

This is how ERP risk becomes breach risk.

The Alleged Scale Is Significant

Public reporting indicates ShinyHunters claimed to have stolen data from roughly 300 PeopleSoft instances across more than 100 organizations. Google confirmed it notified more than 100 organizations with potentially vulnerable endpoints and said the campaign disproportionately affected higher education.

The distinction matters. The full victim count may continue to evolve, and not every exposed or notified organization is necessarily confirmed as breached. But the direction is clear: this was not a single targeted intrusion. It was a broad campaign against a widely deployed enterprise platform.

That should make boards, CISOs, privacy officers, general counsel, and university leadership pay attention.

Higher education is an attractive target because universities combine open networks, decentralized technology environments, legacy systems, sensitive personal data, research activity, international users, and complicated vendor ecosystems. A single university may hold student records, employee records, donor records, financial aid information, health-related records, payroll data, research data, and authentication infrastructure.

That creates a massive extortion surface.

Why PeopleSoft Data Is So Sensitive

The privacy implications of a PeopleSoft breach can be serious.

Depending on the module and configuration, PeopleSoft environments may contain names, addresses, Social Security numbers, student IDs, employee IDs, payroll data, tax information, bank account information, benefit elections, HR records, procurement records, vendor data, financial records, and student administration data.

For higher education, the risk may extend beyond ordinary employee or customer data. Student information can trigger additional legal and regulatory obligations. Universities may also have to evaluate whether compromised records involve financial aid data, health-related information, disciplinary records, international student information, or other regulated categories.

This is why the incident should not be viewed only through the lens of technical exploitation. It is also a data governance problem.

Organizations need to know what data PeopleSoft contains, who has access to it, which modules are exposed, how logs are retained, what vendors support the environment, and how quickly legal and privacy teams can determine notification obligations if data was accessed or exfiltrated.

In an extortion campaign, the clock does not start when leadership finishes its internal review. The clock starts when the organization has reason to believe sensitive data may have been compromised.

Immediate Action for PeopleSoft Customers

Organizations using Oracle PeopleSoft should treat this as urgent.

Security teams should immediately review Oracle’s June 10 security alert for CVE-2026-35273 and implement recommended mitigations. The issue affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, and Oracle has urged immediate action.

PeopleSoft administrators should check logs for suspicious requests to the following endpoints:

/PSEMHUB/hub

/PSIGW/HttpListeningConnector

Teams should also review PIA WebLogic access logs for external or untrusted source IPs and inspect PeopleSoft web-tier filesystems for unexpected .jsp files or unusual directories under PSEMHUB paths.

Organizations should search for the following attacker-controlled or staging infrastructure indicators:

142.11.200[.]186

142.11.200[.]187

142.11.200[.]188

142.11.200[.]189

142.11.200[.]190

108.174.202[.]99

176.120.22[.]24

Security teams should also search for the ransom or defacement marker file:

README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT

If any of these indicators appear, the organization should move immediately into incident response. That means preserving logs, isolating affected systems where appropriate, engaging forensic support, determining whether data was accessed or exfiltrated, reviewing privileged credentials, and preparing legal, regulatory, and communications workflows.

This is not the kind of event where an organization should patch and move on without investigation. If exploitation occurred before the advisory, patching today does not answer whether data was already stolen.
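The log checks listed above can be combined into one pass over a PIA WebLogic access log. The sketch below is an added example, not Oracle's or Google's tooling. It assumes the log is in common log format and that 10.0.0.0/8 is the only trusted network, and every log line in it is constructed for illustration.

```python
import ipaddress
import re

# Endpoints and defanged indicators copied from the article above.
WATCHED_ENDPOINTS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
IOC_IPS_DEFANGED = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190", "108.174.202[.]99",
    "176.120.22[.]24",
]
IOC_IPS = {ipaddress.ip_address(v.replace("[.]", ".")) for v in IOC_IPS_DEFANGED}

# Assumption: only these networks should ever reach the watched endpoints.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: common log format: host ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3}')

def hunt(lines):
    """Return (line_number, reasons) for every log line that needs review."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            continue
        host, target = match.groups()
        try:
            src = ipaddress.ip_address(host)
        except ValueError:
            src = None  # hostname or garbage in the host field: treat as untrusted
        reasons = []
        if src in IOC_IPS:
            reasons.append("ioc-source-ip")
        path = target.split("?", 1)[0].lower()  # case-insensitive match is a choice made here
        watched = path.startswith(tuple(e.lower() for e in WATCHED_ENDPOINTS))
        trusted = src is not None and any(src in net for net in TRUSTED_NETS)
        if watched and not trusted:
            reasons.append("untrusted-source-to-watched-endpoint")
        if reasons:
            findings.append((number, reasons))
    return findings

# Constructed sample lines for illustration, not taken from any real log.
SAMPLE = [
    '10.1.2.3 - - [01/Jun/2026:10:00:00 +0000] "GET /PSIGW/HttpListeningConnector HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2026:10:01:00 +0000] "POST /PSEMHUB/hub?x=1 HTTP/1.1" 200 90',
    IOC_IPS_DEFANGED[0].replace("[.]", ".") + ' - - [01/Jun/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

A hit from this pass is a lead for the incident-response steps above, not proof of compromise, and a clean pass does not cover the filesystem checks for unexpected .jsp files or the marker file.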

The Attack Path Highlights a Larger Identity and Lateral Movement Problem

The campaign also points to a broader problem in enterprise security: once attackers gain access to an ERP environment, they may try to move laterally using administrative accounts, service accounts, SSH access, remote management tools, and internal host mappings.

That means the exposure is not limited to the externally facing PeopleSoft endpoint.

Organizations need to ask whether PeopleSoft servers had access to internal systems, file shares, databases, authentication infrastructure, or other administrative environments. They should review credential use, privileged account activity, outbound connections, remote access tools, and any unusual compression or staging activity.

ERP systems are often trusted too much once they are inside the network. They may have broad connectivity because they need to interact with finance, HR, identity, payroll, reporting, and integration systems. That trust can become a liability if attackers compromise the application layer.

The technical lesson is straightforward: critical business applications need segmentation, least privilege, strong administrative access controls, monitored service accounts, and aggressive logging.

The compliance lesson is just as important: organizations need to know where regulated data lives before a breach happens.

Universities Need to Treat This as a Governance Event

For colleges and universities, this incident should trigger more than an emergency technical review. It should trigger a governance review.

Leadership should know whether the institution runs PeopleSoft, which version is in use, whether affected endpoints were internet-accessible, whether mitigations have been applied, whether logs are available for the relevant period, whether any indicators of compromise were found, and whether sensitive student or employee data could have been exposed.

Privacy and legal teams should be brought in early. If PeopleSoft contains student records, employee records, payroll data, financial aid data, or other personal information, the institution may have notification obligations depending on what the investigation finds.

The mistake many organizations make in these incidents is treating ERP compromise as an IT problem until data exfiltration is confirmed. That delay can create legal, regulatory, communications, and reputational problems.

A better approach is to stand up a cross-functional response immediately: security, IT, privacy, legal, compliance, HR, finance, student administration, communications, and executive leadership.

PeopleSoft sits across too many business functions for this to be handled in a silo.

The Broader Warning: Legacy Enterprise Apps Are the New Breach Front Door

This campaign is part of a larger trend. Attackers are increasingly targeting systems that sit at the center of business operations: file transfer tools, identity systems, cloud admin consoles, CRM platforms, ERP systems, help desk platforms, and SaaS integrations.

That is where the data is.

It is also where the trust is.

A compromised marketing pixel creates one kind of privacy problem. A compromised ERP system creates another. It can expose employee data, student data, financial data, supplier data, payment information, and internal operational records in one event.

Organizations should use the PeopleSoft campaign as a forcing function to review all critical enterprise applications, especially systems that are older, heavily customized, externally accessible, or supported by a small group of specialized administrators.

The question is not only whether the organization patched this specific CVE.

The bigger questions are:

Which business-critical applications are exposed to the internet?

Which administrative endpoints are accessible externally?

Which systems contain regulated personal information?

Which vendors have access?

Which logs are retained long enough for investigation?

Which service accounts have excessive privileges?

Which systems would create notification obligations if compromised?

Which systems are being continuously monitored for unauthorized changes?

That is the level of review modern ERP risk now requires.

ShinyHunters PeopleSoft Campaign

The ShinyHunters-linked PeopleSoft campaign should be a wake-up call for universities, public institutions, and large enterprises.

ERP systems are no longer hidden back-office platforms that attackers overlook. They are high-value targets containing sensitive data, privileged access, and operational leverage. When a vulnerability allows unauthenticated remote code execution, the result can quickly become a data theft and extortion crisis.

For any organization running Oracle PeopleSoft, the response should be immediate: review Oracle’s advisory, implement mitigations, check logs, hunt for published indicators of compromise, search for the ransom marker file, and determine whether data was accessed or stolen.

For leadership, the broader lesson is even bigger.

Cybersecurity, privacy, and compliance risk now live inside the operational systems that run the business. If those systems are not inventoried, monitored, segmented, patched, and governed, they are not just IT assets.

They are breach targets.
