Another major enterprise software flaw is being exploited in the wild, and this one was a zero-day for weeks before a fix arrived. Hackers used an Oracle PeopleSoft zero-day to break into organizations, with universities hit hardest. Here is what happened and what to do.
The attack
The breach campaign was both stealthy and damaging. A notorious extortion group was behind it.
The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private, with the campaign hitting universities hardest. Google’s Mandiant attributed the activity to a group it tracks as UNC6240 and dated it between May 27 and June 9. (Source: Yahoo Finance)
The timing made it worse. Oracle did not publish its advisory until June 10, meaning the bug was a zero-day the entire time the attacks were happening. (Source: Yahoo Finance)
Why the flaw is so dangerous
The vulnerability earned a near-maximum severity score. Its characteristics make it especially easy to exploit.
The flaw, CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10, and it needs no login and no user interaction, just network access over HTTP, to take over the server. That combination, high impact and no authentication required, is exactly what attackers look for. (Source: Yahoo Finance)
The specific exposure is clear. The vulnerability sits in the Updates Environment Management component behind the Environment Management Hub, so organizations running PeopleSoft with that hub reachable from outside are exposed, and the immediate move is to lock those endpoints down. (Source: Yahoo Finance)
Part of a broader pattern
This breach did not happen in isolation. Enterprise software and supply chains remain prime targets.
The software supply chain is getting fresh scrutiny too. GitHub announced breaking changes coming to npm version 12, including turning off install scripts by default to combat supply chain threats, describing install-time lifecycle scripts as the single largest code-execution surface in the npm ecosystem. The concern is that a single compromised package anywhere in a project’s dependencies can run malicious code. (Source: Yahoo Finance)
Other incidents added to the week’s tally. Enterprise software firm ServiceNow disclosed a security incident involving access to customer data, and a breach hit Tchap, the French government’s encrypted messaging platform. (Source: U.S. News & World Report)
The connection to data protection
These incidents reinforce a now-familiar lesson. Stopping every intrusion is impossible, so protecting the data itself is essential.
When attackers can exploit unpatched zero-days to reach servers directly, the data on those systems becomes the prize. Approaches like strong encryption, tight access controls, and confidential computing, which keeps data protected even during processing, limit how much a successful intruder can actually steal and use.
What organizations should do
The immediate priorities are clear. Act fast on the PeopleSoft flaw.
Apply Oracle’s advisory and patches without delay, and restrict external access to the Environment Management Hub. More broadly, assume attackers will find a way in, and focus on limiting their reach: segment networks, control access tightly, and protect sensitive data at its core. In a year defined by relentless zero-days and extortion campaigns, the organizations that fare best are those that prepare for breaches rather than simply hoping to prevent them.
This article covers ongoing security threats. Organizations should consult official vendor advisories and apply patches promptly.