
Oracle PeopleSoft: Zero-Day Exploited in ShinyHunters Extortion Campaign


The Point: CVE-2026-35273 in Oracle PeopleSoft was leveraged to extort over 100 organisations; Google identified 68% of targets in the higher education sector with stolen data exceeding 40 GB.

A critical remote code execution vulnerability (CVE-2026-35273) in Oracle’s PeopleSoft component was exploited by ShinyHunters between May and June 2026 to extort predominantly higher education institutions. Google Cloud alerted over 100 organisations to exposure; 68% of affected targets were from the higher education sector.

The critical security flaw CVE-2026-35273 in Oracle PeopleSoft’s Environment Management component (CVSS 9.8) enables unauthenticated remote code execution on internet-facing systems. Oracle issued the warning on 10 June 2026, after Google Cloud had observed active exploitation between 27 May and 9 June. The vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62; mitigations are available only for supported versions.

Attackers exploited the vulnerability for initial access and subsequently used a modified version of the open-source platform MeshCentral, disguised as Microsoft Azure Services, to establish persistence. Communication was directed to a command-and-control server at wss://azurenetfiles.net:443/agent.ashx. ShinyHunters (or groups operating under that name) published data on their own data-leak site on 9 June, including over 40 GB of billing and payment records, credit card data, and campus portal exports. A follow-up message on 11 June threatened a deadline for ransom payments.
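The C2 URL above gives defenders two things to hunt for in egress logs: the host itself, and the MeshCentral agent endpoint `/agent.ashx` being requested from any server the organisation does not operate, which still matches if the operators rotate domains. The following Python detection is an added example, not code from the article or from any vendor named in it; the proxy log format, the allowlisted MeshCentral host and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

C2_HOST = "azurenetfiles.net"   # indicator taken from the article
AGENT_PATH = "/agent.ashx"      # MeshCentral agent endpoint seen in the C2 URL
# Hypothetical allowlist: MeshCentral servers your own IT team runs, if any.
SANCTIONED_MESH_HOSTS = {"mesh.it.example.edu"}

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <target> <status>"
SAMPLE_LOG = """\
2026-06-01T02:14:07Z 10.20.4.15 GET wss://azurenetfiles.net:443/agent.ashx 101
2026-06-01T02:15:10Z 10.20.4.15 CONNECT azurenetfiles.net:443 200
2026-06-01T08:00:01Z 10.20.9.33 GET wss://mesh.it.example.edu:443/agent.ashx 101
2026-06-01T08:03:44Z 10.20.7.2 GET wss://cdn.example.net:443/Agent.ashx 101
2026-06-01T09:12:30Z 10.20.5.8 GET https://portal.azure.com/ 200
malformed line
"""

def classify(line):
    """Return (src_ip, host, reason) for a suspicious line, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None  # line does not match the assumed format
    _ts, src, _method, target, _status = parts
    try:
        # CONNECT targets are bare "host:port"; prefix "//" so they parse as a netloc.
        url = urlsplit(target if "://" in target else "//" + target)
    except ValueError:
        return None
    host = url.hostname or ""
    if host == C2_HOST or host.endswith("." + C2_HOST):
        return (src, host, "known-c2-host")
    # Agent check-ins to a MeshCentral server nobody sanctioned.
    if url.path.lower() == AGENT_PATH and host not in SANCTIONED_MESH_HOSTS:
        return (src, host, "unsanctioned-meshcentral-agent")
    return None

def scan(log_text):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for src, host, reason in scan(SAMPLE_LOG):
        print(f"{src} -> {host}: {reason}")
```

Source addresses returned by `scan` are the internal systems to triage first; a PeopleSoft server among them should be treated as a candidate for the persistence described above.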

Google Cloud alerted more than 100 organisations whose internet-facing systems were exposed. While some organisations successfully blocked the activity or patched the vulnerability, others suffered compromises resulting in data breaches. Operational errors by the attackers — exposed directories containing staging materials, MeshCentral agents, and penetration testing scripts — aided security researchers in mapping the campaign.

For CISOs, the incident underscores the need to reassess ERP systems such as PeopleSoft, particularly with respect to automated attack campaigns. Patches for CVE-2026-35273 should be deployed with high priority; upgrades are recommended for older, unsupported versions. The widespread exposure of higher education institutions points to inadequate network segmentation and patching cycles.


Source: www.csoonline.com · Published 12 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
