Oracle PeopleSoft Hack Hits 100+ Companies in Zero-Day Attack | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker


Oracle is dealing with another ugly enterprise security moment.

The company warned customers about a critical bug in its PeopleSoft PeopleTools software after hackers allegedly used it to target more than 100 organisations. Google’s Mandiant and Threat Intelligence Group linked the campaign to ShinyHunters, a cybercrime group known for data theft and extortion.

Oracle PeopleSoft bug turns into a mass-hacking scare

The flaw is tracked as CVE-2026-35273. Oracle says it affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, and it can be exploited remotely without a username or password. If attackers succeed, they may gain remote code execution, which means they can run commands on vulnerable systems.

Oracle PeopleSoft bug turns into a mass-hacking scare

That’s why this one matters. PeopleSoft is not a small consumer app. Big organisations use it to manage sensitive business functions like human resources, finance, payroll, administration, and supply-chain operations. A break-in here can expose the kind of data companies really don’t want criminals holding.

Google says the hacking campaign ran between May 27 and June 9, 2026. Oracle published its security advisory on June 10, which means attackers appear to have used the flaw as a zero-day before customers had formal guidance from Oracle.

Who did the hackers target?

Google says it notified more than 100 organisations whose IP addresses matched potentially vulnerable PeopleSoft endpoints. Most of the affected targets were in the United States, and around 68% were in higher education, according to Reuters.

Who did the hackers target?Who did the hackers target?

That education angle is important. Universities often run large, complex IT systems with student data, staff records, payroll information, donor details, and research documents spread across old and new platforms.

For hackers, that creates a tempting target.

Google attributed the activity to UNC6240, better known as ShinyHunters. The group has a long history of stealing data and using public pressure to force victims into negotiations. Google also said the attackers used disguised MeshCentral agents that looked like legitimate cloud endpoints to run administrative commands.

Why this bug is so dangerous

The scary part is how little attackers may need to start.

Oracle’s advisory says the vulnerability can be exploited over a network without authentication. In plain English, attackers don’t need a valid employee account if the vulnerable service is reachable. That changes the risk level quickly.

Here’s the simple breakdown:

IssueWhy it matters
No login neededAttackers may not need stolen passwords
Remote accessInternet-facing systems carry higher risk
Remote code executionAttackers may run commands on the server
Enterprise softwareHR, payroll, and admin data may sit nearby

Oracle has urged customers to apply its recommended mitigations immediately. SecurityWeek reported that Oracle appears to have released mitigations rather than a full public patch, although the detailed patch document sits behind Oracle’s customer support portal.

What South African businesses should take from this

This story may look US-heavy, but the lesson travels.

South African companies, universities, banks, insurers, retailers, and public-sector bodies often depend on big enterprise platforms for HR and finance. If a system like PeopleSoft sits exposed to the internet, it can become a doorway into sensitive internal data.

The same applies to outsourced IT. Many organisations in Johannesburg, Cape Town, Durban, and Pretoria run mixed environments where old enterprise tools connect to newer cloud services. That makes asset visibility a real security issue, not just a compliance box.

We’ve seen this same pressure in other attacks too. Our recent coverage of fake IT worker ransomware attacks showed how criminals mix software weaknesses with social engineering to get inside businesses.

What should IT teams check now?

Security teams should start with exposure.

They need to know whether they run PeopleSoft PeopleTools 8.61 or 8.62, whether Environment Management Hub endpoints are reachable from the internet, and whether Oracle’s recommended mitigations have been applied.

What should IT teams check now? What should IT teams check now?

The next question is whether attackers already touched the environment. Google says the campaign used disguised MeshCentral agents, so teams should review logs for unusual admin commands, unexpected remote management tools, strange outbound connections, and new accounts created during the attack window.

The bigger story is not just Oracle. It’s the way attackers keep targeting business software that sits deep inside companies. These platforms may not look exciting, but they hold the keys to payroll, identity, finance, and trust.

FAQs

What is the Oracle PeopleSoft security bug?

This is CVE-2026-35273. It is an exploitable security issue in Oracle PeopleSoft PeopleTools software. Oracle states that attackers may abuse this flaw from afar and without authentication, increasing the danger for vulnerable systems.

Who is behind the Oracle PeopleSoft attacks?

Google linked the campaign to ShinyHunters, which it tracks as UNC6240. The group is known for data theft and extortion campaigns against large organisations.

Were South African companies affected?

There is no confirmed public evidence yet that South African organisations were hit in this specific campaign. Still, any local company or university using affected PeopleSoft versions should check exposure and apply Oracle’s guidance immediately.

Can hackers steal employee or student data through this Oracle flaw?

Most likely yes. Since PeopleSoft tends to store HR and payroll information along with other important details of this kind, hackers will be able to gain access to this information too in case of successful exploitation of the identified vulnerability.



Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW