ForumsExploitsOracle PeopleSoft Under Siege: ShinyHunters (UNC6240) Targeting Universities via CVE-2026-35273

Oracle PeopleSoft Under Siege: ShinyHunters (UNC6240) Targeting Universities via CVE-2026-35273

Firewall_Admin_Joe 6/11/2026 USER

Just when we thought the June patch tsunami was slowing down, news drops about ShinyHunters actively exploiting CVE-2026-35273 in Oracle PeopleSoft before Oracle even dropped the advisory.

It is concerning that Mandiant (tracking this as UNC6240) places active exploitation between May 27 and June 9, but the advisory didn't land until June 10. That is a solid two-week window where universities were essentially flying blind. Since PeopleSoft is the backbone for so many higher-ed institutions (housing PII, financial aid, etc.), this is a goldmine for extortion groups.

I am seeing reports suggesting this involves the PeopleSoft Integration Gateway (PSIGW). If you are managing these environments, you need to hunt for suspicious URI patterns immediately.

Here is a basic KQL query to help hunt for anomalies in your web gateway logs during the known window of exploitation:

// Hunt for abnormal PeopleSoft Integration Gateway traffic
WebEvent
| where Url has "PSIGW" and TimeGenerated between(datetime(2026-05-20) .. datetime(2026-06-15))
| extend MimeType = tostring(coalesce(ResponseHeaders['Content-Type'], ''))
// Filter for typical exploit indicators: unexpected status codes or weird content types
| where StatusCode == 200 or StatusCode == 500
| where UserAgent !contains "PeopleSoft"
| project TimeGenerated, SrcIp, Url, UserAgent, StatusCode, MimeType
| summarize Count = count() by SrcIp, Url, UserAgent
| where Count > 5
| order by Count desc

Anyone in the edu sector seeing residual IOCs? Or are we all just frantically patching legacy ERP systems today?

FO
Forensics_Dana6/11/2026

Good catch on the PSIGW focus. We've seen noise in our logs around PeopleSoftServlet which often gets abused in these deserialization scenarios.

Just a heads up—standard signatures weren't catching this early on because the traffic looked somewhat like valid integration testing. We started pivoting to looking at the 'User-Agent' strings and realized the attackers were failing to spoof the standard PeopleSoft UA headers correctly.

Also, if you haven't already, block outbound connections from your app servers to non-whitelisted IPs. That stopped the exfil for us during the test environment replication.

PE
Pentest_Sarah6/11/2026

From a pentester's perspective, these legacy ERP systems are low-hanging fruit because they are often exposed directly to the internet for 'integrations'.

I recommend checking if you have the PSPT servlet enabled. In the last few engagements, I've found that specific servlet is rarely used but frequently targeted for initial access. If you don't need it, disable it at the web server level immediately.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/11/2026
Last Active6/11/2026
Replies2
Views35