Universities are hard to defend and ideal targets for extortion. They operate like small, federalized cities, with student records, financial profiles, healthcare databases, and proprietary research files scattered across sprawling, loosely managed networks. When Oracle’s PeopleSoft suite—the administrative backbone for hundreds of academic institutions—was found to have a critical vulnerability, it was only a matter of time before someone weaponized it. The vulnerability, tracked as CVE-2026-35273, is a catastrophic failure of basic access control. It isn't a subtle cryptographic flaw or a complex race condition. It is a missing-authentication vulnerability in the Environment Management Hub (EMHub) component of PeopleTools, carrying a CVSS score of 9.8 out of 10. That's about as bad as it gets.
The flaw allows unauthenticated remote code execution (RCE) via simple HTTP requests. An attacker doesn't need valid credentials, a session cookie, or local network access. They just need an exposed EMHub port. Once they reach it, they can take complete control of the affected PeopleSoft system. This affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, the core software suites used to manage everything from student enrollment and grading to employee payroll. TrendAI researchers Lucas Miller, Bobby Gould, and Minh Giang caught the exploit in the wild and reported it to Oracle, ending a brief but highly destructive zero-day run.
For years, database security advocates have warned that complex administration frameworks like EMHub are prime targets because they sit at the intersection of network configuration and host management. Yet, many organizations leave these interfaces publicly accessible. If you run PeopleTools and let EMHub face the public web, you are essentially leaving the bank vault door unlocked but shut. It only takes a passing thief to turn the handle.
Why Oracle left authentication checks out of a critical management hub is a question that highlights a broader corporate complacency. Too often, software vendors assume management interfaces will only be deployed in secure, isolated internal networks. But threat actors know that reality on the ground is messy. Underfunded IT departments regularly map internal services directly to the public web for administrative convenience. This mismatch between vendor design assumptions and actual administrative habits is exactly where zero-days thrive. Let's be clear: leaving an administrative hub open to unauthenticated remote code execution in 2026 is an indefensible legacy practice.
ShinyHunters didn't waste any time. The notorious extortion group launched a highly coordinated campaign beginning May 27, 2026, exploiting the PeopleSoft zero-day relentlessly until a patch was issued on June 10, 2026. During this two-week window, the attackers compromised over 300 PeopleSoft instances across more than a hundred organizations. According to Google Threat Intelligence Group (GTIG) and Mandiant, the scale of the campaign was massive. Over 100 affected organizations had to be actively alerted.
What is particularly alarming is the targeting pattern. A staggering 68% of the compromised systems belonged to higher education institutions in the United States. Why higher ed? It's simple. Universities host massive repositories of personally identifiable information (PII) including Social Security numbers, banking details, and academic transcripts, but they rarely have the security budgets of corporate tech giants or financial institutions. The University of Nottingham in the United Kingdom was one of the confirmed victims, suffering a major data breach containing both current and former student records (see our full breakdown of the Nottingham breach). ShinyHunters boasted about exfiltrating 40 gigabytes of data from Nottingham alone.
This isn't a random smash-and-grab. It's a calculated extractive campaign. Cybercriminals know that universities are under pressure to maintain service continuity, making them prime targets for double-extortion schemes. When student records leak, it creates a regulatory and public relations disaster for the university's leadership. The impact of a breach like this can linger for years, creating compliance nightmares under FERPA in the US or GDPR in Europe.
We shouldn't be surprised that ShinyHunters went after universities so aggressively. In my decade covering data breaches, I've watched academic institutions treat IT security as an afterthought. They want open campuses, easy sharing, and frictionless portals. Security gets in the way of that. But when you balance convenience against a threat group that has previously breached major global platforms, you're playing a losing game. The 40 gigabytes of student records stolen from Nottingham is just the tip of the iceberg. Other campuses are quietly dealing with the fallout, trying to figure out how many Social Security numbers and financial accounts were exfiltrated before they could even detect the entry.
The attackers’ operational playbook combined clever stealth tactics with surprising operational sloppiness. Once they gained initial remote code execution through the EMHub vulnerability, they deployed MeshCentral. MeshCentral is an open-source remote monitoring and management tool. It is handy for IT administrators, but it is also a powerful command-and-control framework in the hands of threat actors. To fly under the radar of enterprise endpoint detection tools, ShinyHunters renamed and configured these MeshCentral agents to look like legitimate Microsoft Azure services.
With command-and-control established, the group moved laterally through target networks. They ran command-line reconnaissance to understand the environment, then launched custom SSH credential spraying campaigns to access adjacent database servers and administrative hosts. Once they located the data they wanted, they compressed it using the Zstandard (zstd) algorithm. Using zstd allows for incredibly fast compression and a small footprint, minimizing the time data takes to cross the network boundary and lowering the chances of triggering network-based bandwidth alerts.
But then they made a rookie mistake. Despite their technical agility, the attackers stored the stolen data in open, web-facing directories on the compromised systems. Security researchers from Mandiant and Google Threat Intelligence Group were able to access these directories during their incident response engagements. This allowed defenders to reconstruct the group's timeline, see exactly what tools they used, and identify the compromised environments before the stolen data could be weaponized or sold on dark web forums.
This mix of operational genius and sheer stupidity is classic ShinyHunters. Renaming MeshCentral files to look like Azure services bypasses basic security controls, but leaving the looted data in open directories is like leaving the robbery bags on the sidewalk. It is a reminder that threat actors are often rushing. They run automated scripts, dump the databases, and check the contents later. If security teams had been monitoring their web server roots for unusual directory creations, they might have caught the theft while it was happening. Instead, analysts had to piece the breach together after the fact by examining open web indexes.
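The monitoring the text describes, as an added example written for this page (not code from the article, Mandiant or GTIG): it walks a web server document root and flags recently created subdirectories holding Zstandard archives, identified by their frame magic rather than by file extension. The directory names, the 7-day window and the use of directory mtime as a stand-in for creation time are assumptions.

```python
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# zstd frame magic (RFC 8878), 0xFD2FB528 little-endian; matched on content, not extension
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"

@dataclass
class Finding:
    directory: str                                   # full path of the flagged directory
    zstd_files: list = field(default_factory=list)   # archive names found inside it
    total_bytes: int = 0                             # their combined size

def is_zstd_file(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) == ZSTD_MAGIC
    except OSError:
        return False  # unreadable files are simply not matched

def scan_webroot(webroot, max_age_seconds=7 * 24 * 3600, now=None):
    """Flag subdirectories of webroot touched within max_age_seconds that hold a zstd
    archive; directory mtime stands in for creation time (an assumption)."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        if dirpath == webroot:
            continue  # the root's mtime moves on every change; judge its children
        if now - os.stat(dirpath).st_mtime > max_age_seconds:
            continue  # long-standing content such as static assets
        hits = sorted(n for n in filenames if is_zstd_file(os.path.join(dirpath, n)))
        if hits:
            size = sum(os.path.getsize(os.path.join(dirpath, n)) for n in hits)
            findings.append(Finding(dirpath, hits, size))
    return sorted(findings, key=lambda f: f.directory)

def build_sample_webroot():
    """Constructed sample tree, not real data: a 60-day-old 'static' directory and a
    fresh 'psdump_2026' directory holding a zstd blob with a misleading extension."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    old = root / "static"
    old.mkdir()
    (old / "style.css").write_text("body { }")
    stale = time.time() - 60 * 24 * 3600
    os.utime(old, (stale, stale))
    staging = root / "psdump_2026"
    staging.mkdir()
    (staging / "hr_export.bin").write_bytes(ZSTD_MAGIC + b"\x00" * 1020)  # 1024 bytes
    return str(root)
```

Run it against the real document root on a schedule and alert on any finding; a production version would also diff against a baseline of known directories so that legitimately deployed content is not re-flagged.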
Oracle patched the flaw on June 10, 2026, and CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities (KEV) Catalog on June 12. This requires federal civilian agencies to emergency-patch their systems. Corporate and academic IT leads should follow suit immediately. If you host PeopleSoft, you cannot afford to wait for your normal quarterly patching cycle. Web Application Firewalls (WAFs) are a temporary band-aid; they won't stop a determined exploit attempt.
Mandiant and Oracle are urging administrators to disable the EMHub service entirely if it is not required, or at a minimum, restrict its external network access. The good news is that restricting EMHub doesn't break the core PeopleSoft Internet Architecture (PIA) that students and staff use to access their portals via web browsers. It merely restricts the network interfaces used for system configuration and updates. There is no legitimate reason for this service to be exposed to the public internet.
This incident shows that security cannot rely on perimeter defense. When a critical administrative tool becomes an open door, only active monitoring, network segmentation, and prompt patching can limit the damage. If you want to learn more about how security teams are struggling with these speed-of-exploit challenges, you can read our analysis on how AI is breaking traditional security models. Universities must shift from legacy networks to segmented architectures where a single compromised hub doesn't mean giving up the keys to the entire campus.
We also have to talk about policy. When CISA steps in, it forces federal agencies to act, but private and public universities are left to their own devices. They don't have to follow KEV mandates unless they are federal contractors or hold specific grants. This regulatory gap is why higher education remains a soft target—a vulnerability underscored by the recent credential leak at Oxford's career platform exposing third-party entry points. For details on how government directives are shifting toward a more aggressive stance on patching, see our coverage on CISA’s overall strategy modifying federal patch rules. Until institutions are legally or financially penalized for neglecting basic configurations, the ShinyHunters of the world will continue to run wild.