Oracle warns of PeopleSoft flaw exploited in campaign targeting 100+ companies
At a glance:
- Oracle warned corporate customers about a critical PeopleSoft vulnerability that can be exploited over the internet without authentication.
- Mandiant says the same bug is being abused by ShinyHunters in a campaign affecting more than 100 organizations, mostly in the United States.
- Oracle had not released a patch at the time of writing, but advised PeopleSoft users to apply its mitigations immediately.
What Oracle warned customers about
Oracle has alerted corporate customers to a critical-rated vulnerability in PeopleSoft, the enterprise software suite widely used to manage payroll, human resources, and related administrative systems. The warning came a day after the cybercrime group ShinyHunters claimed responsibility for abusing the flaw in a mass-hacking campaign targeting PeopleSoft servers.
According to Oracle’s security advisory, the vulnerability can be exploited remotely over the internet without requiring authentication, such as a password. That makes it especially dangerous for exposed PeopleSoft instances, because attackers may be able to reach vulnerable systems directly without first stealing credentials or bypassing a login prompt.
Oracle said it had not released a patch for the vulnerability at the time of writing. Instead, the company recommended that customers using PeopleSoft software apply its mitigations to prevent exploitation until a permanent fix is available.
How the campaign unfolded
On Wednesday, a ShinyHunters member told TechCrunch that the group compromised organizations by abusing an unpatched flaw in PeopleSoft servers. The vulnerability was described as a zero-day because it was discovered and exploited in the wild before Oracle had time to fix it.
Mandiant, the Google-owned security unit that investigates cyberattacks, later confirmed in a blog post that the new Oracle flaw is the same bug ShinyHunters is using in its campaign against PeopleSoft customers. Mandiant said it had notified more than 100 global organizations, most of them in the United States, to help restrict access to potentially vulnerable systems.
The victim profile appears to match ShinyHunters’ earlier claims. Mandiant said about two-thirds of the organizations it contacted are in higher education, while a ShinyHunters member told TechCrunch that some of the hacked organizations are universities and colleges.
What data may be at risk
Mandiant said the outcome varied by organization. “While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters [Data Leak Website],” the company wrote.
The hacker who spoke to TechCrunch shared a message they said was sent to one of the victim schools. In that message, the hackers claimed to have stolen “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses,” among other data.
That alleged data set highlights why PeopleSoft incidents can have a long tail for affected organizations. HR and payroll systems often hold sensitive employee, student, and operational records, so a successful breach can create years of identity-theft, privacy, and compliance exposure for the people whose information was stored in those systems.
A wider ShinyHunters pattern
PeopleSoft and its customers are the latest targets in a broader run of campaigns where ShinyHunters has focused on organizations sharing the same vulnerable software. The group’s approach is to identify exposed platforms, exploit a common weakness at scale, steal corporate or customer data, and then threaten to release it unless victims pay a ransom.
In the last year, the group targeted several companies that use Salesforce and Gainsight, as well as software provided by education technology company Instructure, among others. Earlier this year, Instructure said it paid the hackers after they breached the company’s systems twice.
ShinyHunters has also targeted schools through education software beyond PeopleSoft. As part of its Instructure-focused campaign, the group defaced the login pages of several schools that use Instructure’s popular school information portal Canvas.
What organizations should do next
For PeopleSoft customers, the immediate priority is to determine whether their systems are exposed to the internet and whether the Oracle mitigation guidance applies to their deployment. Because Oracle said exploitation does not require authentication, organizations should assume that any exposed vulnerable endpoint could be reachable by attackers without valid credentials.
Mandiant’s warning also suggests that security teams should not wait for proof of compromise before acting. Even if an organization has not seen suspicious activity, it should restrict access to potentially vulnerable systems, review logs for exploitation attempts, and validate whether any data was accessed or exfiltrated.
Oracle did not respond to TechCrunch’s request for comment. The company’s advisory, however, makes the operational message clear: customers running PeopleSoft should apply the recommended mitigations quickly, monitor for signs of compromise, and prepare for a patch when Oracle releases one.