68% of Targets in Education: ShinyHunters Exploit Oracle Zero-Day Before Patch

For cybersecurity teams defending higher education, the combination of a zero-day exploit in a critical ERP suite and a known extortion group like ShinyHunters constitutes a perfect storm. The campaign, now detailed by Google’s threat intelligence unit, underscores how attackers target the education sector’s often under-resourced security posture with advanced techniques. With 68% of the more than 100 organizations notified belonging to higher education, this incident serves as a stark reminder that patching delays can be catastrophic.

A newly disclosed active compromise and extortion campaign leverages a zero-day vulnerability in Oracle’s PeopleSoft enterprise resource planning suite, marking a sharp escalation in targeted attacks against the education sector. Google’s Mandiant unit and its Threat Intelligence Group announced on June 11 that between May 27 and June 9, the hacking group ShinyHunters actively scanned for and exploited unpatched PeopleSoft instances, deploying customized MeshCentral agents disguised as legitimate cloud endpoints for command and control. Oracle did not issue a security advisory for the flaw until June 10, meaning the entire intrusion window occurred before a patch was available, giving defenders no opportunity to close the door preemptively. Google said it notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints; 68% of those were in higher education, and most were based in the United States.

“

The fact that 68% of notified entities were in higher education could signal that ShinyHunters specifically targeted known PeopleSoft users in that vertical, possibly through scanning tools that fingerprint the software.

The PeopleSoft platform is a core system for managing human resources, finance, and supply-chain operations at thousands of organizations globally. Its deep integration into university administrative processes—from student records to payroll—makes a successful compromise extraordinarily disruptive. The education sector has long been a soft target: often underfunded security teams, sprawling perimeters, and the open nature of campus networks create an environment where zero-day exploitation can go undetected for weeks. This incident underscores how threat actors are increasingly pairing advanced technical tradecraft with institutional knowledge of sector-specific weaknesses.

The technical details reveal a sophisticated approach. By hosting MeshCentral agents—a legitimate remote management tool—disguised as cloud endpoints, ShinyHunters effectively blended their actions with benign administrative traffic, complicating detection. Once installed, the agents could execute arbitrary commands with PeopleSoft’s administrative privileges, potentially exfiltrating sensitive data or deploying ransomware. The timing suggests the group moved quickly after discovering the flaw, possibly via underground exploit markets or independent research, and launched a focused campaign before Oracle could respond.

The extortion angle is consistent with ShinyHunters’ history. The group has previously targeted global enterprises and, notably, struck a deal with Instructure—the parent of the education tool Canvas—just last month to secure stolen student and school data. That pattern indicates a calculated strategy of infiltrating educational platforms, stealing data, and demanding payment under the threat of public exposure or data destruction. Higher education institutions hold vast troves of personally identifiable information, research data, and intellectual property, making them high-value extortion targets.

For Oracle, the zero-day revelation puts the company in a difficult position. While the advisory was published promptly after the campaign came to light, the delay between early exploitation and disclosure raises questions about incident coordination and threat intelligence sharing. Organizations reliant on PeopleSoft will now scramble to patch, but many universities operate on academic-year cycles with rigid change management windows, leaving some exposed for extended periods. The fact that 68% of notified entities were in higher education could signal that ShinyHunters specifically targeted known PeopleSoft users in that vertical, possibly through scanning tools that fingerprint the software.