A remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools spent roughly two weeks under active attack before Oracle had a fix to offer. By the time the advisory landed on June 10, the extortion group Mandiant tracks as UNC6240 — better known as ShinyHunters — had already worked through a list of exposed targets, with higher education taking the brunt of the damage.
A 9.8 with no login required
Tracked as CVE-2026-35273 and rated 9.8 on the CVSS scale, the vulnerability needs neither authentication nor user interaction — only network access to a vulnerable endpoint. That combination is what turns a patch-management problem into an emergency. The bug affects PeopleTools versions 8.61 and 8.62, and the specific exposure that attackers leaned on was the Environment Management Hub, an administrative component meant for internal tooling that organizations sometimes leave reachable from the internet without realizing how much of the environment it can touch.
Mandiant CTO Charles Carmakal confirmed the flaw was being exploited in the wild, and the firm pinned the campaign window to between May 27 and June 9 — comfortably ahead of Oracle’s public advisory. An independent researcher posting as @nahamike01 had separately flagged exposed staging files, an early signal that internet-facing PeopleSoft deployments were leaking more than their owners intended.
Universities were the soft target
According to Mandiant’s telemetry, 68% of the identified victims were higher education institutions, concentrated in the United States. The firm says it notified more than 100 vulnerable organizations as it mapped the campaign. Universities make natural targets here: large PeopleSoft footprints for student and HR records, decentralized IT, and registration systems that often must stay externally accessible.
The clearest illustration of the stakes came from the University of Nottingham, where the breach exposed roughly 455,000 unique email addresses. The stolen records reportedly went well beyond contact details to include names, postal addresses, phone numbers, passport numbers, and ethnicity data — the kind of identity-grade information that fuels long-tail fraud rather than a one-time inconvenience.
What this means
For practitioners, the lesson is less about PeopleSoft specifically and more about the standing exposure of enterprise back-office platforms. A pre-auth RCE in an internet-reachable management component is the highest-severity shape a vulnerability can take, and ShinyHunters’ speed — a fully developed campaign before the vendor advisory — shows there is rarely a comfortable gap between disclosure and exploitation anymore.
Three actions are worth prioritizing now: confirm whether any PeopleSoft Environment Management Hub endpoint is reachable from the public internet and, if so, take it off the edge entirely or restrict it to the administrative network or VPN; apply Oracle’s fix for 8.61 and 8.62 on an emergency timeline, whether or not the hub was exposed; and hunt retroactively for exploitation across the May 27–June 9 window rather than assuming patching closes the incident. When a flaw is weaponized before the vendor has a patch, “we updated” and “we were not already breached” are two very different statements.
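The third action, the retroactive hunt, is the one teams most often skip, so here is a minimal version of it as an added example (not code from the article, Oracle, or Mandiant). It walks web-tier access logs in Apache/NCSA combined format and reports every request to the Environment Management Hub path inside the reported exploitation window, flagging sources outside trusted ranges. Assumptions, labelled in the code: the hub is served under the `/PSEMHUB/` prefix (the documented hub URL is `/PSEMHUB/hub`, but confirm it against your own web server configuration), the window is May 27 through June 9, 2026 inclusive, and "trusted" means the RFC 1918 ranges plus whatever you add. The sample log lines are constructed, not real traffic.

```python
"""Retroactive hunt for Environment Management Hub access in web-tier logs.

Added example; not code from the original article, Oracle, or Mandiant.
Assumptions: combined-format access logs; the hub servlet lives under
/PSEMHUB/ (documented hub URL is /PSEMHUB/hub, verify on your web tier);
window is the reported 27 May to 9 June 2026 inclusive.
"""
import ipaddress
import re
from datetime import datetime, timezone

EMHUB_PREFIX = "/PSEMHUB/"  # assumption: confirm against your web server config
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive, so all of 9 June counts

# RFC 1918 only; add your own public ranges (VPN egress, campus /16) before running for real.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"ip": ip, "ts": ts, "method": m["method"], "path": m["path"], "status": int(m["status"])}


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def hunt(lines):
    """Return every request to the hub path inside the exploitation window.

    Status code is deliberately not filtered: a 500 from a failed attempt is
    as much a finding as a 200 from a successful one. Internal sources are
    kept but marked, because an exposed hub plus an internal pivot is still
    a story worth reading.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.upper().startswith(EMHUB_PREFIX.upper()):
            continue
        if not (WINDOW_START <= rec["ts"] < WINDOW_END):
            continue
        rec["external"] = not is_trusted(rec["ip"])
        hits.append(rec)
    return hits


def external_sources(hits):
    """Hits per untrusted source address, most active first."""
    counts = {}
    for h in hits:
        if h["external"]:
            key = str(h["ip"])
            counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample lines, not real traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [28/May/2026:02:14:11 +0000] "POST /PSEMHUB/hub?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '10.20.30.40 - - [01/Jun/2026:09:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Jun/2026:17:45:30 -0400] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/May/2026:11:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "curl/8.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"],
              "EXTERNAL" if h["external"] else "internal")
    print("external sources:", external_sources(found))
```

Run it against the real access logs from every web tier in front of PeopleSoft, not just the one you think is exposed, and widen the window by a few days on either side: the reported dates are Mandiant's observation bounds, not a guarantee of when your own environment was first touched. Any external hit is a reason to move from "patch" to "incident response", including log collection from the hub's own host.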