ShinyHunters Exploited an Oracle PeopleSoft Zero-Day for Two Weeks Before a Patch Existed
The extortion crew tracked as UNC6240 spent May 27 through June 9 inside university PeopleSoft environments — stealing student records, HR files, and financial data — while Oracle's advisory sat unpublished.

Oracle PeopleSoft deployments at multiple universities were breached by the ShinyHunters extortion group starting May 27, 2025, with intrusions continuing undetected for nearly two weeks before Oracle released a security advisory on June 10.
A Zero-Day Window That Lasted Fourteen Days
Mandiant tracks the operational cluster behind this campaign as UNC6240, a designation it aligns with the ShinyHunters threat group. The timeline is the story. Attackers were actively exfiltrating data from production PeopleSoft environments from May 27 through June 9. Oracle published its advisory on June 10. That sequence means defenders had no CVE to track, no patch to deploy, and no vendor-issued indicators to hunt on — for the entire duration of the campaign.
The vulnerability lived in PeopleSoft itself, though Oracle has not publicly detailed the precise component affected. What is clear: it was unpatched, it was exploitable remotely, and ShinyHunters found it first.
Why Universities Were the Primary Targets
This was not random. PeopleSoft is the backbone of administrative IT at hundreds of colleges and universities — managing student information systems, payroll, HR records, and donor databases. That concentration of sensitive, high-value data in a single platform makes it exactly the kind of target ShinyHunters has historically preferred.
The group skips ransomware encryption entirely. Their model is simpler and, in some ways, harder to recover from: steal the data, demand payment for its suppression, and threaten to post it publicly if the victim refuses. Student records are subject to FERPA. Payroll data carries its own regulatory weight. Donor files are reputationally explosive. The extortion calculus is built around that sensitivity.
Mandiant has characterized the campaign as targeted rather than opportunistic. ShinyHunters appears to have selected institutions based on data value, not just exposure. Extortion demands varied by victim, and at least some universities declined to pay. Others have not publicly confirmed their status.
ShinyHunters' Track Record Matters Here
This group is not a new entrant. ShinyHunters has run data-theft-and-extortion operations for years, with a history that includes the wave of Snowflake-customer breaches, AT&T, and a long catalogue of leaked databases posted to cybercrime forums, some of which have since been seized by law enforcement. Their infrastructure persists. Their leak site remains active. Universities that declined payment may be named there.
Mandiant's UNC6240 clustering gives defenders something actionable: Mandiant has published indicators tied to UNC6240's infrastructure, including outbound connection targets and behavioral patterns consistent with bulk reads against PeopleSoft application tables. Incident response teams should sweep authentication logs, database query logs, and outbound network logs from the window of May 27 through June 9 for any of those signals; the connection targets will surface in network telemetry, not in authentication logs.
What Failed — and Why It Matters to Every PeopleSoft Shop
Two distinct control failures shaped this incident, and both deserve examination.
First: patch latency. Oracle's regular Critical Patch Updates ship quarterly, in January, April, July, and October; the June 10 PeopleSoft advisory fell outside that cadence. A quarterly schedule made sense in an era when vulnerabilities were discovered and reported through coordinated disclosure, giving vendors time to develop fixes before attackers knew a flaw existed. The PeopleSoft campaign shows what happens when a threat actor finds and weaponizes a flaw faster than the vendor's cycle turns. The result is a structural gap: not a failure of any individual security team, but a feature of enterprise software governance that adversaries are actively mapping and exploiting. Security teams running PeopleSoft need to confirm patch status across every environment right now, including development and staging instances that frequently trail production by weeks.
Second: detection without vendor guidance. When there is no CVE, no advisory, and no patch, defenders are flying without instruments. Behavioral detection — monitoring for anomalous bulk reads, unusual authentication patterns, unexpected outbound connections from application servers — becomes the only viable layer. Most PeopleSoft deployments do not have that baseline tuned tightly enough. ShinyHunters exploited that gap as much as the technical vulnerability itself.
Organizations in higher education, where IT security teams are often smaller relative to the complexity of the environment, face a compounded challenge. Security awareness is typically framed as a phishing problem, but this incident shows that training programs need to extend beyond end-user phishing simulations to include administrator-level recognition of anomalous system behavior — the kind of signals that might have surfaced an active intrusion before data left the network.
What Defenders Should Do Right Now
The immediate priority is patch verification. Pull the Oracle June 10 advisory and confirm that every PeopleSoft instance in your environment — production, dev, staging, test — has been patched. Attackers do not distinguish between environment types when they are hunting for a foothold.
Beyond patching, the forensic window is May 27 through June 9. Authentication logs, outbound network connections from PeopleSoft application servers, and database query logs from that period are the relevant artifacts. Mandiant's published UNC6240 indicators should be used to build detection rules and sweep historical traffic.
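The sweep described above (indicator matching plus the behavioral checks for bulk reads and authentication anomalies), as an added example that is not Oracle's, Mandiant's, or Train2Secure's code. It runs three checks over constructed PeopleSoft-style telemetry: outbound connections to a listed indicator on any date, single queries returning a large row count inside the May 27 to June 9 window (weighted higher outside business hours), and successful sign-ins during the window from a source IP the account never used before it. The JSON-lines log format, the field names, the 50,000-row threshold, the business-hours range, and the indicator values (RFC 5737 documentation addresses and a reserved `.example` domain, not real UNC6240 infrastructure) are all assumptions; substitute your own log schema and Mandiant's published indicator list.

```python
"""Sweep PeopleSoft-style telemetry for the May 27 - June 9 window.

Added example, not code from Oracle, Mandiant or Train2Secure. The log
format, field names, thresholds and indicator values below are assumptions
made for the demonstration; replace them with your own log schema and with
Mandiant's published UNC6240 indicators.
"""
import json
from collections import defaultdict
from datetime import date, datetime

WINDOW_START = date(2025, 5, 27)   # first day of the campaign per Mandiant
WINDOW_END = date(2025, 6, 9)      # last day before Oracle's advisory
BULK_ROWS = 50_000                 # assumed: rows per query that counts as a bulk read
BUSINESS_HOURS = range(7, 19)      # assumed: 07:00-18:59 local; reads outside are weighted higher

# Hypothetical indicators. 203.0.113.0/24 and .example are reserved for
# documentation (RFC 5737 / RFC 2606); they are not real UNC6240 infrastructure.
IOC_IPS = {"203.0.113.7", "203.0.113.44"}
IOC_DOMAINS = {"exfil.example"}

# Constructed sample telemetry in JSON lines, one event per line:
#   auth    - sign-in to the PeopleSoft web tier (user, source IP, result)
#   query   - read issued by the app server (user, table, rows returned)
#   netconn - outbound connection from an app server (src, dst, dport)
# The May 20 lines are the pre-window baseline for the new-source-IP check.
SAMPLE_LOG = """\
{"ts":"2025-05-20T09:12:00","type":"auth","user":"ps_admin","src":"10.0.5.21","result":"ok"}
{"ts":"2025-05-20T09:30:00","type":"query","user":"ps_admin","table":"PS_PERSONAL_DATA","rows":120}
{"ts":"2025-05-28T02:14:00","type":"auth","user":"ps_admin","src":"198.51.100.9","result":"ok"}
{"ts":"2025-05-28T02:16:00","type":"query","user":"ps_admin","table":"PS_PERSONAL_DATA","rows":182000}
{"ts":"2025-05-28T02:21:00","type":"query","user":"ps_admin","table":"PS_PAYROLL_DATA","rows":61000}
{"ts":"2025-05-28T02:25:00","type":"netconn","src":"10.0.5.5","dst":"203.0.113.44","dport":443}
{"ts":"2025-06-03T10:05:00","type":"query","user":"batch_svc","table":"PS_JOB","rows":75000}
{"ts":"2025-06-04T14:00:00","type":"netconn","src":"10.0.5.5","dst":"updates.example","dport":443}
{"ts":"2025-06-12T03:00:00","type":"netconn","src":"10.0.5.5","dst":"203.0.113.7","dport":443}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def in_window(ts):
    return WINDOW_START <= ts.date() <= WINDOW_END


def sweep(events):
    """Return findings from three checks.

    ioc_match      - any outbound connection to a listed indicator, on any date,
                     because infrastructure reuse can outlast the campaign window
    bulk_read      - a single query returning BULK_ROWS or more inside the window;
                     severity 'high' outside business hours, else 'medium'
    new_source_ip  - a successful sign-in inside the window from an IP the account
                     never used before the window (accounts with no baseline at
                     all will flag on every sign-in; triage those by hand)
    """
    baseline = defaultdict(set)
    for e in events:
        if e["type"] == "auth" and e["result"] == "ok" and e["ts"].date() < WINDOW_START:
            baseline[e["user"]].add(e["src"])

    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = e["ts"]
        if e["type"] == "netconn" and (e["dst"] in IOC_IPS or e["dst"] in IOC_DOMAINS):
            findings.append({"rule": "ioc_match", "severity": "high", "ts": ts,
                             "in_window": in_window(ts),
                             "detail": f'{e["src"]} -> {e["dst"]}:{e["dport"]}'})
            continue
        if not in_window(ts):
            continue  # behavioral rules are too noisy to run outside the forensic window
        if e["type"] == "query" and e["rows"] >= BULK_ROWS:
            off_hours = ts.hour not in BUSINESS_HOURS
            findings.append({"rule": "bulk_read", "severity": "high" if off_hours else "medium",
                             "ts": ts, "in_window": True,
                             "detail": f'{e["user"]} read {e["rows"]} rows from {e["table"]}'})
        elif e["type"] == "auth" and e["result"] == "ok" and e["src"] not in baseline[e["user"]]:
            findings.append({"rule": "new_source_ip", "severity": "medium", "ts": ts,
                             "in_window": True,
                             "detail": f'{e["user"]} signed in from {e["src"]}'})
    return findings


if __name__ == "__main__":
    for f in sweep(parse_events(SAMPLE_LOG)):
        print(f'{f["ts"]:%Y-%m-%d %H:%M} {f["severity"]:6} {f["rule"]:14} {f["detail"]}')
```

Two design choices worth noting. Indicator matches are reported on every date, not just inside the window, because a June 12 connection to the same infrastructure is exactly the persistence an extortion crew would leave behind after the advisory shipped. The behavioral rules are confined to the window because a 75,000-row read by a batch service account during business hours is normal in most PeopleSoft shops; inside the window it still deserves a look, which is why it lands at medium rather than being suppressed.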
Any institution that received an extortion communication during or after that window should involve legal counsel immediately and report to the FBI's Internet Crime Complaint Center (IC3). Payment does not guarantee data suppression — ShinyHunters has historically posted data regardless of payment status in some prior campaigns.
Finally, higher-education CISOs should treat this as a forcing function for a broader conversation: PeopleSoft is core infrastructure, not a peripheral application. It deserves the same network segmentation, privileged access controls, and behavioral monitoring that would be applied to a payment system. If it does not have those controls today, that gap is the risk.
No confirmed victim count has been released publicly. The investigation is ongoing. Mandiant's characterization of the campaign as targeted suggests the full scope may be larger than current disclosures reflect.
How This Breach Could Have Been Caught Earlier
- Apply Oracle's June 10 PeopleSoft advisory immediately across all environments — production, staging, and dev — and verify patch status with a configuration audit.
- Enable behavioral monitoring on PeopleSoft application servers: alert on bulk database reads, unusual outbound connections, and authentication anomalies, especially outside business hours.
- Train system administrators and IT operations staff to recognize and escalate indicators of active intrusion — anomalous query volumes, unexpected service account activity — before data leaves the network.
Train2Secure's security-awareness programs cover both end-user and technical-staff scenarios, helping your team recognize the behavioral signals that vendor advisories can't provide during a zero-day window.
Frequently asked questions
What vulnerability did ShinyHunters exploit in Oracle PeopleSoft?
The threat cluster Mandiant tracks as UNC6240 exploited an unpatched flaw in Oracle PeopleSoft that allowed remote access to production environments. Oracle published its advisory on June 10, 2025, after attackers had already operated inside victim networks for approximately two weeks. Oracle's June 2025 security advisory is the authoritative source for the identifier and affected versions.
Which organizations were affected by the PeopleSoft zero-day campaign?
Higher education institutions were the primary targets. PeopleSoft is widely deployed in universities for student information systems, HR, and finance — data categories ShinyHunters has historically targeted for maximum extortion leverage. No confirmed victim count has been publicly released.
Should affected universities pay the extortion demand?
Law enforcement and incident response professionals generally advise against payment. ShinyHunters has a track record of posting data regardless of payment in some prior campaigns, and payment does not guarantee suppression. Affected institutions should contact the FBI's IC3 and engage legal counsel immediately.
How can organizations detect whether they were compromised during the May 27–June 9 window?
Review authentication logs, outbound network connections from PeopleSoft application servers, and database query logs from May 27 through June 9. Use Mandiant's published UNC6240 indicators to build detection rules and sweep historical traffic for connections to known attacker infrastructure.