The threat actor group ShinyHunters is actively targeting higher education institutions in an extortion campaign leveraging a critical, unpatched vulnerability in Oracle PeopleSoft. Since late May, this group has been exploiting this security flaw to exfiltrate sensitive data and pressure universities into paying ransoms.
As of this reporting, Oracle has not released a patch for this vulnerability. This creates a critical window of exposure for security teams. Relying on standard patch cycles is not an option. Defenders must immediately shift to a "virtual patching" posture, implementing aggressive network segmentation, WAF rules, and monitoring to detect active exploitation attempts. The stakes are high: higher education databases contain vast amounts of PII, financial aid data, and research intellectual property, making them prime targets for extortion.
Technical Analysis
Affected Product: Oracle PeopleSoft Enterprise (specifically the PeopleSoft Internet Architecture - PIA).
Vulnerability Status: Zero-Day / Unpatched.
Threat Actor: ShinyHunters. Known for data theft and extortion, the group has moved from exploiting misconfigured S3 buckets to actively leveraging software vulnerabilities in enterprise applications.
Attack Vector: The vulnerability exists within the PeopleSoft web interface. While specific technical details (CVE) are withheld to prevent further exploitation until a patch is available, the attack chain typically involves:
- Initial Access: External scanning of PeopleSoft PIA endpoints (often /psp/ or /psc/ paths).
- Exploitation: Abuse of the unpatched flaw to bypass authentication or gain remote code execution (RCE) on the underlying web server.
- Data Exfiltration: Extraction of database contents, often utilizing the application's own credentials or direct database access if RCE is achieved.
- Extortion: Contacting the victim with proof of data theft and demanding payment to prevent public release.
Exploitation Requirements: The attack is internet-facing. Any instance of PeopleSoft PIA exposed to the public web is currently at immediate risk. Internal-only instances are safer, but they remain exploitable from inside the network once an attacker has a foothold and moves laterally.
Detection & Response
Because the vulnerability remains unpatched, detection is your primary safety net. You must assume compromise and hunt for signs of active scanning or successful webshell deployment.
SIGMA Rules
These rules target the typical behaviors associated with web application exploitation on PeopleSoft servers and the subsequent execution of unauthorized commands.
---
title: Potential Webshell Activity via PeopleSoft Web Server
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects the PIA web server process (WebLogic JVM) spawning a command shell or PowerShell, indicative of successful RCE or webshell upload.
references:
    - https://cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/
author: Security Arsenal
date: 2026/05/28
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # PIA runs on WebLogic: the parent is java.exe or the beasvc.exe Windows service wrapper.
        # The tomcat entry is kept only for non-standard front-end deployments.
        ParentImage|endswith:
            - '\java.exe'
            - '\tomcat*.exe'
            - '\beasvc.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrative debugging by authorized personnel
    - Build or deployment tooling that legitimately shells out from the JVM
level: critical
---
title: Suspicious PeopleSoft URI Scanning
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects a single client issuing a high volume of requests to PeopleSoft-specific paths within one minute, indicative of vulnerability scanning.
references:
    - https://cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/
author: Security Arsenal
date: 2026/05/28
tags:
    - attack.discovery
    - attack.t1595
logsource:
    category: webserver
    product: apache
    # Uses the generic webserver field names (c-ip, c-uri, sc-status); map them to
    # nginx/IIS/WAF fields as needed based on your PIA front end
detection:
    selection_uri:
        c-uri|contains:
            - '/psp/'
            - '/psc/'
            - '/PSIGW/'
    selection_status:
        sc-status:
            - 200
            - 500
    timeframe: 1m
    # Aggregation: more than 50 matching requests from one client IP in the timeframe.
    # Aggregation conditions are legacy Sigma syntax; newer backends express this as a
    # correlation rule with the same count/by/threshold semantics.
    condition: selection_uri and selection_status | count() by c-ip > 50
falsepositives:
    - Heavy load testing or legitimate automated integrations
level: high
KQL (Microsoft Sentinel / Defender)
Use this query to hunt for suspicious access patterns to the PeopleSoft Internet Architecture (PIA) in proxy or WAF logs ingested as CEF (CommonSecurityLog).
// Hunt for anomalous access to PeopleSoft endpoints in CEF/proxy logs
let TimeRange = 1h;
let Threshold = 100;  // requests per source per hour; tune to your baseline
let PeopleSoftPaths = dynamic(["/psp/", "/psc/", "/PSIGW/", "/servlets/"]);
CommonSecurityLog
| where TimeGenerated > ago(TimeRange)
| where RequestURL has_any (PeopleSoftPaths)
// Example sensitive-path pattern: PIA iScript URLs look like /psc/<site>/<portal>/<node>/s/WEBLIB_...
| extend IScriptPath = extract(@"(/ps[pc]/[^/]+/[^/]+/[^/]+/s/WEBLIB_[^/?]+)", 1, RequestURL)
// Status codes are not a standard CommonSecurityLog column; add the field your connector
// populates (if any) to the summarize below.
| summarize RequestCount = count(),
            UniqueEndpoints = dcount(RequestURL),
            IScriptHits = countif(isnotempty(IScriptPath)),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by SourceIP, DestinationIP
| where RequestCount > Threshold
| order by RequestCount desc
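The two frequency hunts above (the Sigma aggregation rule and the KQL query) are easier to tune if you can replay them over raw access logs before deploying them. The following Python script is an added example, not code from the original advisory: it parses combined-format access log lines (the sample lines are constructed for the example, not real traffic), applies the same filters (PeopleSoft paths, status 200/500, more than 50 requests from one client in a one-minute window) and counts iScript URLs per source as context. The WEBLIB_ pattern and the log layout are assumptions about a typical Apache/NGINX front end in front of the PIA.

```python
"""Replay the "Suspicious PeopleSoft URI Scanning" logic over access-log lines.

Added example. Assumes Apache/NGINX combined log format in front of the PIA.
The sample lines produced by constructed_log() are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

PEOPLESOFT_PATHS = ("/psp/", "/psc/", "/PSIGW/")
# Assumed iScript layout: /psc/<site>/<portal>/<node>/s/WEBLIB_<record>.<field>...
ISCRIPT_RE = re.compile(r"/ps[pc]/[^/]+/[^/]+/[^/]+/s/WEBLIB_[^/ ?]+", re.IGNORECASE)
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, threshold=50, statuses=(200, 500), window_s=60):
    """Return {ip: (peak requests in one window, iScript hits)} for sources over threshold.

    Mirrors the Sigma rule: PeopleSoft path, status in (200, 500), count() by client
    IP > threshold within a fixed one-minute window.
    """
    buckets = defaultdict(int)   # (ip, window index) -> matching requests
    iscript = defaultdict(int)   # ip -> requests that target an iScript URL
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses:
            continue
        if not any(p in rec["uri"] for p in PEOPLESOFT_PATHS):
            continue
        window = int(rec["ts"].timestamp()) // window_s
        buckets[(rec["ip"], window)] += 1
        if ISCRIPT_RE.search(rec["uri"]):
            iscript[rec["ip"]] += 1
    hits = {}
    for (ip, _), n in buckets.items():
        if n > threshold:
            hits[ip] = (max(n, hits.get(ip, (0, 0))[0]), iscript[ip])
    return hits


def constructed_log():
    """Constructed sample traffic: one scanner (203.0.113.5) and one normal user."""
    base = ('{ip} - - [28/May/2026:10:15:{sec:02d} +0000] "GET {uri} HTTP/1.1" '
            '{status} 512 "-" "{ua}"')
    lines = []
    for i in range(60):  # 60 probes inside one minute, alternating iScript and component URLs
        if i % 2:
            uri = f"/psc/ps/EMPLOYEE/HRMS/s/WEBLIB_PROBE{i}.ISCRIPT1.FieldFormula.IScript_Test"
        else:
            uri = f"/psp/ps/EMPLOYEE/HRMS/c/TEST{i}.GBL"
        lines.append(base.format(ip="203.0.113.5", sec=i, uri=uri,
                                 status=500 if i % 3 == 0 else 200, ua="python-requests/2.31"))
    for i in range(3):   # a human user clicking through the portal
        lines.append(base.format(ip="198.51.100.7", sec=10 + i,
                                 uri="/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT", status=200,
                                 ua="Mozilla/5.0"))
    # Non-PeopleSoft path from the scanner: ignored by the path filter
    lines.append(base.format(ip="203.0.113.5", sec=59, uri="/static/logo.png", status=200,
                             ua="python-requests/2.31"))
    return lines


if __name__ == "__main__":
    for ip, (peak, iscript_hits) in find_scanners(constructed_log()).items():
        print(f"{ip}: {peak} PeopleSoft requests in one minute, {iscript_hits} iScript URLs")
```

Feed it your own logs with `find_scanners(open("access.log"))` and lower the threshold to see how close legitimate integrations and single-sign-on redirects come to the 50/minute line before enabling the Sigma rule.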
Velociraptor VQL
This artifact hunts for processes spawned by the web server user/group, which is a strong indicator of successful RCE on Linux-based PeopleSoft deployments.
-- Hunt for shells running as the web server account (Linux)
-- Adjust the account list to what your PIA/WebLogic domain runs as (commonly psft or psadm2).
-- Parentheses/regex are used so the OR/AND precedence is explicit.
SELECT Pid, Ppid, Name, CommandLine, Username, Exe
FROM pslist()
WHERE Username =~ '^(www-data|oracle|psadmin|psft|psadm2)$'
  AND Name =~ '^(bash|sh|dash|zsh|python[0-9.]*|perl|nc|ncat|socat)$'
  AND NOT CommandLine =~ 'scripts/monitor'  -- filter out known monitoring scripts
Remediation Script (Bash)
Since no patch exists, this script helps triage the environment by listing recently modified files and world-writable directories under the web root (common webshell drop points) and established network connections owned by the web server accounts. Run it on your PeopleSoft web servers.
#!/bin/bash
# Audit PeopleSoft Web Server for potential compromise indicators
# Note: Requires root privileges (lsof per user, readable web root).
set -u
if [ "$(id -u)" -ne 0 ]; then
    echo "[-] Run as root." >&2
    exit 1
fi
echo "[+] Starting PeopleSoft Security Audit"
# Adjust to match your installation (PS_CFG_HOME/webserv/<domain>)
WEB_ROOT="${WEB_ROOT:-/u01/app/oracle/psft/webserv}"
# Accounts the PIA/WebLogic domain commonly runs as; add your own
WEB_USERS="psft psadm2 oracle www-data"

if [ ! -d "$WEB_ROOT" ]; then
    echo "[-] Web root not found at $WEB_ROOT. Set WEB_ROOT to your PIA domain path."
    exit 1
fi

# 1. Recently modified files in web directories (last 24 hours)
echo "[+] Checking for recently modified files in $WEB_ROOT (last 24h)..."
find "$WEB_ROOT" -type f -mtime -1 -ls

# 1b. JSP/WAR content is where a webshell usually lands; list anything new in the last week
echo "[+] Checking for recently created JSP/WAR/class content (last 7d)..."
find "$WEB_ROOT" -type f \( -name '*.jsp' -o -name '*.jspx' -o -name '*.war' -o -name '*.class' \) -mtime -7 -ls

# 2. Established network connections owned by the web server users (reverse shells, exfiltration)
echo "[+] Checking for suspicious outbound connections from web server users..."
for user in $WEB_USERS; do
    id "$user" >/dev/null 2>&1 || continue
    echo "--- Checking connections for user: $user ---"
    lsof -u "$user" -i -a -n -P 2>/dev/null | grep ESTABLISHED
done

# 3. World-writable directories in web root (anywhere an unprivileged process can drop files)
echo "[+] Checking for world-writable directories in web root..."
find "$WEB_ROOT" -type d -perm -o+w -ls

echo "[+] Audit complete. Review findings for anomalies."
Remediation
With no vendor patch currently available, immediate mitigation relies on compensating controls:
- Network Segmentation (CRITICAL): Move PeopleSoft PIA servers behind a VPN or restrict access strictly to known source IP ranges (Campus network, trusted partner IPs). Do not leave the PIA exposed to the entire internet.
- Web Application Firewall (WAF): Deploy strict WAF rules. While a specific signature for this zero-day may not exist yet, enable rate limiting and aggressive rule sets for generic SQL Injection (SQLi), Remote Code Execution (RCE), and path traversal on the /psp/ and /psc/ endpoints.
- Disable Unused Components: Review the PeopleSoft PIA configuration (configuration.properties) and disable any Integration Gateways or services that are not actively used.
- Review Logs: Immediately audit web server access logs for the last 30 days. Look for unusual spikes in 200 OK responses on /PSIGW/ or /s/WEBLIB_ URLs, or access attempts from anomalous geolocations.
- Prepare for Patching: Monitor the Oracle Critical Patch Update (CPU) advisory and Security Alerts page daily. Once a patch is released, prioritize it above all other maintenance.
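The segmentation and WAF items above, expressed as a reverse-proxy configuration. This is an added example and not part of the original advisory: it assumes an NGINX reverse proxy terminating TLS in front of the PIA, with WebLogic listening on 127.0.0.1:8000; the hostname, the campus, VPN and partner address ranges, and the certificate paths are placeholders. The commented-out bare `proxy_pass` shows the weak posture the advisory warns against; the `location` blocks below it restrict the PIA and Integration Gateway paths to known source ranges and rate-limit the rest.

```nginx
# geo and limit_req_zone belong in the http {} context; the server {} block goes alongside
# your other virtual hosts. Address ranges below are placeholders.
geo $pia_allowed {
    default          0;
    10.0.0.0/8       1;   # campus network (placeholder)
    192.0.2.0/24     1;   # VPN concentrator egress (placeholder)
    198.51.100.0/24  1;   # trusted partner (placeholder)
}
# 30 requests/minute per client is far below interactive use but well under scanner rates
limit_req_zone $binary_remote_addr zone=pia:10m rate=30r/m;

server {
    listen 443 ssl;
    server_name hr.example.edu;                    # placeholder
    ssl_certificate     /etc/ssl/pia.crt;          # placeholder
    ssl_certificate_key /etc/ssl/pia.key;          # placeholder

    # Weak posture: a single catch-all proxy exposes /psp, /psc and /PSIGW to the whole internet.
    # location / { proxy_pass http://127.0.0.1:8000; }

    # PIA user-facing paths: allow-listed sources only, rate-limited
    location ~ ^/(psp|psc)/ {
        if ($pia_allowed = 0) { return 403; }
        limit_req zone=pia burst=20 nodelay;
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Integration Gateway: integration partners only, never end users or the open internet
    location ^~ /PSIGW/ {
        allow 198.51.100.0/24;                     # placeholder partner range
        deny all;
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (static content, /cs/, sign-on page) gets the same allow-list
    location / {
        if ($pia_allowed = 0) { return 403; }
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Verify the allow-list from outside the trusted ranges (`curl -I https://hr.example.edu/psp/ps/` should return 403) and from inside them before cutting over, and keep the `limit_req` zone sized to your real peak so that single-sign-on redirects, which issue several requests per login, do not trip it.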