A two-week head start: how one Oracle bug became a crisis for U.S. universities
Attackers had unauthenticated access to campus ERP systems for nearly two weeks before a patch existed, and higher education absorbed most of the damage.
For IT staff at one breached university, the first sign of trouble wasn't an alarm. It was a note left behind in their own files, almost gloating, announcing the system had already been compromised. By the time anyone found it, the intruders were gone, and so, potentially, were the personal records of thousands of students, alumni, and employees. This played out nationwide in late May and June, after a previously unknown flaw in Oracle's PeopleSoft software gave an extortion gang a two-week head start before anyone knew there was a problem.
What happened
On June 10, Oracle issued an emergency, out-of-band alert for a vulnerability tracked as CVE-2026-35273, affecting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, with earlier, unsupported versions likely vulnerable too. The flaw sits in the Environment Management Hub, part of the machinery behind PeopleSoft's HR, payroll, finance, and student-records modules. It scored a near-maximum 9.8 in severity because exploiting it needs no password, no user interaction, and no special access, just a network connection.
The hacking group ShinyHunters treated it accordingly. Google's Mandiant, tracking the group as UNC6240, found evidence attacks began around May 27, nearly two weeks before Oracle's advisory. This was a true zero-day, exploited before a fix or public awareness existed.
Attackers deployed remote-management tools disguised as Microsoft Azure software, then moved laterally, spraying stolen credentials internally and pulling out data in compressed archives. Mandiant traced the operation to staging servers the attackers had left exposed, which is how researchers first connected the dots.
Mandiant notified more than 100 organizations showing signs of exposure or compromise. Roughly 68% were colleges and universities, most in the United States. The University of Nottingham confirmed a breach affecting roughly 455,000 email addresses tied to students and alumni, plus names, addresses, phone numbers, passport numbers, and demographic data. Other organizations, including the National Association of Insurance Commissioners, confirmed unauthorized access, though NAIC disputes the scope attackers have publicly claimed.
Why it matters for Texas institutions
PeopleSoft is foundational infrastructure in higher education. Texas public universities, community college districts, and state agencies have run it for HR, payroll, financial aid, and student records for two decades. Any campus running PeopleTools 8.61, 8.62, or an unsupported earlier release was potentially exposed for the entire window between late May and June 10.
Universities were the hardest-hit sector nationally for a simple reason: student information systems concentrate the data that fuels extortion, including Social Security numbers, financial aid records, health information, immigration status, and family financial data. A breach at a Texas institution would carry the same weight as the Nottingham case, potentially triggering obligations under Texas breach-notification law, FERPA, and federal reporting rules for institutions with international students. Community colleges and state agencies with leaner security teams face identical exposure with fewer resources to respond quickly.
What your institution should do
The most urgent step is confirming whether your PeopleSoft environment runs an affected version and whether the Environment Management Hub (PSEMHUB) is reachable from outside your network. Oracle's guidance: disable that service on multi-server installations, or remove PSEMHUB outright on single-server setups. If neither is immediately feasible, block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at your perimeter; this does not interfere with normal logins, so there is little reason to delay.
Because the exploitation window predates disclosure, assume compromise is possible even without an alarm, and hunt for it. Review WebLogic access logs for external requests to those paths, check for unfamiliar .jsp files inside the PSEMHUB directory, and look for recently modified XML files that could signal planted persistence.
Once mitigations are in place, apply Oracle's full patch as soon as confirmed available through My Oracle Support, since the June 10 advisory offered mitigations, not a complete fix. Finally, review exposure of legacy PeopleTools instances across every department, not just centrally managed ones, a gap decentralized university IT is especially prone to.
RSOC exists for moments like this, when one vendor advisory means urgent work across dozens of Texas campuses at once. If your institution needs help assessing PeopleSoft exposure, interpreting Oracle's guidance, or investigating potential compromise, reach out to the Regional Security Operations Center at rsoc.utexas.edu. Texas higher education is a shared target, and a coordinated response is our best defense.