Executive Summary
In June 2026, the ShinyHunters cybercriminal group launched a series of data theft attacks targeting Oracle PeopleSoft servers across more than 100 organizations, predominantly within the education sector. By exploiting a combination of known and zero-day vulnerabilities, they successfully exfiltrated sensitive data from approximately 300 instances. The University of Nottingham was among the affected institutions, with its data subsequently published on ShinyHunters' data leak site. These incidents underscore the critical need for organizations to apply security patches promptly and review system configurations thoroughly to mitigate potential vulnerabilities.
This attack highlights a concerning trend of cybercriminals increasingly targeting enterprise resource planning (ERP) systems, which are integral to organizational operations. The exploitation of both known and unknown vulnerabilities in such systems emphasizes the importance of proactive cybersecurity measures, including regular system audits, timely patch management, and comprehensive incident response planning to safeguard sensitive data and maintain operational integrity.
Why This Matters Now
The ShinyHunters' exploitation of Oracle PeopleSoft servers underscores the urgent need for organizations to secure their ERP systems against both known and emerging threats. As cybercriminals increasingly target these critical systems, immediate action is required to prevent data breaches and protect sensitive information.
Attack Path Analysis
ShinyHunters exploited vulnerabilities in Oracle PeopleSoft servers to gain initial access, escalated privileges to administrative accounts, moved laterally across systems, established command and control channels, exfiltrated sensitive data, and impacted organizations through data theft and extortion.
Kill Chain Progression
Initial Compromise
Description
ShinyHunters exploited a combination of old and zero-day vulnerabilities in Oracle PeopleSoft servers to gain unauthorized access.
Related CVEs
CVE-2026-34280
CVSS 6.5
A privilege escalation vulnerability in Oracle PeopleSoft Enterprise HCM Human Resources allows high-privileged attackers to modify critical data.
Affected Products:
Oracle PeopleSoft Enterprise HCM Human Resources – 9.2
Exploit Status:
no public exploit
CVE-2026-34307
CVSS 5.4
An authentication bypass vulnerability in Oracle PeopleSoft Enterprise PeopleTools Workflow component allows unauthorized data access and modification.
Affected Products:
Oracle PeopleSoft Enterprise PeopleTools – 8.61, 8.62
Exploit Status:
no public exploit
CVE-2026-22019
CVSS 5.4
An authentication bypass vulnerability in Oracle PeopleSoft Enterprise HCM Shared Components allows unauthorized data access and modification.
Affected Products:
Oracle PeopleSoft Enterprise HCM Shared Components – 9.2
Exploit Status:
no public exploit
CVE-2026-34269
CVSS 6.1
An authentication bypass vulnerability in Oracle PeopleSoft Enterprise PeopleTools Portal component allows unauthorized data access.
Affected Products:
Oracle PeopleSoft Enterprise PeopleTools – 8.61, 8.62
Exploit Status:
no public exploit
CVE-2026-34266
CVSS 6.5
A privilege escalation vulnerability in Oracle PeopleSoft Enterprise HCM Absence Management allows high-privileged attackers to access and modify critical data.
Affected Products:
Oracle PeopleSoft Enterprise HCM Absence Management – 9.2
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Spearphishing via Service
Email Collection
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Higher Education/Academia
Oracle PeopleSoft systems managing student administration and HR data face critical exposure to ShinyHunters' zero-day exploits, which primarily target educational institutions.
Financial Services
PeopleSoft finance and payroll systems are vulnerable to data theft attacks, requiring enhanced egress security and zero trust segmentation for regulatory compliance.
Government Administration
Enterprise resource planning systems handling sensitive government data are at risk from gadget chain exploits, necessitating improved threat detection capabilities.
Health Care / Life Sciences
Healthcare organizations using PeopleSoft for HR and finance operations face HIPAA compliance violations through unencrypted data exfiltration by threat actors.
Sources
- Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks: https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/ (Verified)
- Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations: https://techcrunch.com/2026/06/10/cybercriminals-claim-breach-of-oracle-peoplesoft-servers-at-100-plus-organizations/ (Verified)
- Oracle PeopleSoft servers targeted in data theft attacks linked to ShinyHunters: https://cryptobriefing.com/shinyhunters-oracle-peoplesoft-bitcoin-ransom/ (Verified)
- Oracle Critical Patch Update Advisory - April 2026: https://www.oracle.com/security-alerts/cpuapr2026.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in Oracle PeopleSoft servers would likely have been constrained, reducing the likelihood of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by targeting administrative accounts would likely have been constrained, reducing the scope of their access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally across interconnected PeopleSoft systems would likely have been constrained, reducing their reachability to additional resources.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely have been constrained, reducing their ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data to external servers would likely have been constrained, reducing the risk of data loss.
The attacker's ability to leverage stolen data for extortion would likely have been constrained, reducing the potential impact on affected organizations.
Impact at a Glance
Affected Business Functions
- Human Resources Management
- Payroll Processing
- Student Administration
- Financial Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Personally identifiable information (PII) of students and employees, including names, addresses, phone numbers, emails, and dates of birth.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Regularly update and patch systems to mitigate the risk of exploitation through known vulnerabilities.
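To act on the patching recommendation, the following added example (not part of the original report or any vendor tooling) matches an asset inventory against the affected products and release lines listed under Related CVEs and orders the results for patch triage. The inventory columns and host names are constructed for illustration; a match means the instance is in a listed release line and its patch status should be confirmed against the Oracle advisory under Sources.

```python
import csv
import io

# Affected products and release lines exactly as listed in this report.
AFFECTED = [
    ("CVE-2026-34280", 6.5, "Oracle PeopleSoft Enterprise HCM Human Resources", ("9.2",)),
    ("CVE-2026-34307", 5.4, "Oracle PeopleSoft Enterprise PeopleTools", ("8.61", "8.62")),
    ("CVE-2026-22019", 5.4, "Oracle PeopleSoft Enterprise HCM Shared Components", ("9.2",)),
    ("CVE-2026-34269", 6.1, "Oracle PeopleSoft Enterprise PeopleTools", ("8.61", "8.62")),
    ("CVE-2026-34266", 6.5, "Oracle PeopleSoft Enterprise HCM Absence Management", ("9.2",)),
]

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,version,internet_facing
hr-prod-01,Oracle PeopleSoft Enterprise HCM Human Resources,9.2,yes
pt-web-01,Oracle PeopleSoft Enterprise PeopleTools,8.61.07,yes
pt-web-02,oracle peoplesoft enterprise peopletools,8.60.12,no
cs-app-01,Oracle PeopleSoft Enterprise PeopleTools,8.62,no
"""


def release_line(version):
    """Reduce '8.61.07' to '8.61' so patch levels match the listed release line."""
    return ".".join(version.strip().split(".")[:2])


def triage(inventory_csv):
    """Return findings with internet-facing, higher-CVSS items first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().casefold()
        line = release_line(row["version"])
        exposed = row["internet_facing"].strip().casefold() == "yes"
        for cve, cvss, affected_product, lines in AFFECTED:
            if product == affected_product.casefold() and line in lines:
                findings.append({"host": row["host"], "cve": cve, "cvss": cvss,
                                 "exposed": exposed, "version": row["version"]})
    findings.sort(key=lambda f: (not f["exposed"], -f["cvss"], f["host"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        tag = "INTERNET-FACING" if f["exposed"] else "internal"
        print(f'{f["host"]:<11} {f["version"]:<8} {f["cve"]} CVSS {f["cvss"]} {tag}')
```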



