Between May 27 and June 9 of this year, a large-scale attack once again demonstrated the vulnerability of educational institutions. The ShinyHunters group, also known as UNC6240, successfully exploited the critical zero-day vulnerability CVE-2026-35273 in Oracle PeopleSoft software. This occurred even before Oracle published an official advisory on June 10, 2026 (Mandiant, 2026).
This incident exemplifies how cybercriminals leverage the time gap between vulnerability discovery and patch release, jeopardizing confidential data and operational resilience for organizations, particularly within the education sector.
Threats to educational institutions: the ShinyHunters attack
Cyberattacks on educational institutions are not a new phenomenon, but their intensity is increasing. Universities and research institutes possess vast amounts of valuable data: personal information of students and faculty, financial records, research results, and intellectual property. This information is an attractive target for cybercriminals.
The ShinyHunters group claimed to have compromised over 100 organizations through approximately 300 PeopleSoft instances. Roughly two-thirds (68%) of the affected entities are universities and colleges, predominantly in the United States (Mandiant, 2026). This statistic underscores that the education sector has become a priority target for malicious actors.
CVE-2026-35273: a technical analysis of the vulnerability
The CVE-2026-35273 vulnerability is a critical Remote Code Execution (RCE) flaw in the PeopleSoft Enterprise PeopleTools Environment Management component (versions 8.61 and 8.62). Its CVSS score is 9.8, indicating a high level of danger. According to Oracle (2026), the primary threat lies in the fact that exploitation requires neither authentication nor user interaction. This means an attacker can gain full control over a vulnerable system simply by sending a specially crafted request.
Such a zero-day vulnerability allows attackers to operate undetected until the developer releases a patch and organizations have had time to install it. In the case of PeopleSoft, this provided ShinyHunters with a significant window of opportunity to conduct attacks before public disclosure.
Why universities are a vulnerable target
Beyond the value of their data, several structural reasons contribute to universities frequently becoming victims of cyberattacks:
- Infrastructure Complexity: Educational institutions often have extensive and decentralized IT infrastructures with numerous legacy systems running alongside modern solutions. This creates multiple attack vectors.
- Limited Resources: Cybersecurity budgets in the education sector often lag behind those of commercial organizations, leading to a shortage of skilled professionals and up-to-date protection tools.
- Network Openness: University networks are traditionally kept more open to support research and collaboration, which complicates the implementation of stringent security policies.
- Human Factor: A large user base (students, faculty, administrative staff) with varying levels of cybersecurity awareness creates opportunities for phishing and social engineering.
A common pitfall: legacy ERP as a security bottleneck
Many universities rely on monolithic Enterprise Resource Planning (ERP) systems, such as Oracle PeopleSoft, which were deployed decades ago. While these systems perform critical functions (student management, finance, HR), they often become bottlenecks in terms of security and flexibility. Outdated architectures and the complexity of upgrades make them ideal targets for attacks.
Delayed patching, lack of proper monitoring, and outdated access management practices transform such systems into significant risks. When a zero-day vulnerability like CVE-2026-35273 is discovered, the consequences can be substantial.
Architectural approach: decomposing ERP for enhanced resilience
To improve resilience against similar attacks, educational institutions should consider a strategy of decomposing monolithic ERP systems. This does not mean abandoning existing investments entirely, but rather a phased modernization and migration of functions to a microservices architecture or specialized solutions.
For instance, instead of keeping all functionality within a single PeopleSoft monolith, individual modules can be extracted as independent services. This allows for:
- Risk Isolation: Compromise of one service does not necessarily lead to the compromise of the entire system.
- Faster Updates: Patches and updates can be applied to individual services more quickly than to the entire monolith.
- Increased Flexibility: New features and technologies can be integrated more easily without affecting the stability of the core system.
- Enhanced Security: Individual security and monitoring policies can be applied to each service.
Such an approach may involve using an API Gateway for managing access to internal services, implementing centralized Identity and Access Management (IAM), and integrating with SIEM systems for anomaly monitoring. Low-code platforms, such as UnityBase (an open-source low-code platform developed by InBase), offer similar architectural flexibility, enabling the creation and integration of independent services with existing ERPs.
CISA recommendations for critical infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has developed the Cross-Sector Cybersecurity Performance Goals (CPG) – foundational cybersecurity practices for critical infrastructure. According to CISA (2026), these goals serve as a benchmark for critical infrastructure operators to assess and enhance their cyber maturity. For educational institutions, as part of this critical infrastructure, these recommendations are particularly relevant.
Key aspects of the CPG important for universities include:
- Vulnerability Management: Regular scanning, assessment, and remediation of vulnerabilities, especially in critical systems.
- Identity and Access Management (IAM): Implementation of multi-factor authentication (MFA), the principle of least privilege, and access segmentation.
- Data Protection: Encryption of sensitive data, backups, and incident recovery plans.
- Monitoring and Detection: Implementation of SIEM for centralized collection and analysis of event logs.
- Incident Response Planning: Development and regular testing of incident response plans.
The ShinyHunters and Oracle PeopleSoft incident serves as another reminder that cybersecurity is a continuous process requiring constant attention and adaptation. For universities, this means not only responding to current vulnerabilities but also strategically rethinking their IT system architectures and implementing proactive protection measures.
ERP system threat readiness checklist
- Has an audit of Oracle PeopleSoft and other critical ERP versions been conducted to identify known vulnerabilities?
- Is there a documented plan for responding to zero-day vulnerabilities?
- Is a strategy for phased decomposition of monolithic ERP systems being considered to enhance resilience?
- Is monitoring for anomalous requests to ERP systems implemented (e.g., via SIEM/UEBA)?
- Do current access management practices align with CISA CPG recommendations (MFA, principle of least privilege)?
- Is regular staff training conducted on recognizing phishing attacks aimed at gaining access to ERP systems?
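An added example, not from Oracle, Mandiant or CISA, for the first checklist item: a triage pass over an asset inventory that ranks PeopleSoft instances by the affected PeopleTools release lines named above (8.61 and 8.62), network placement, and MFA status. The inventory columns, host names and internal address range are assumptions, and the sample data is constructed.

```python
import csv
import io
import ipaddress

AFFECTED_LINES = {"8.61", "8.62"}  # release lines named on this page
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: campus ranges
ORDER = {"critical": 0, "high": 1, "verify": 2, "not-listed": 3}

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """host,peopletools_version,listen_ip,mfa_enforced
hr-prod.example.edu,8.61.12,203.0.113.10,no
fin-prod.example.edu,8.62.03,10.20.4.15,yes
sis-test.example.edu,8.60.21,10.20.9.8,no
sis-prod.example.edu,8.62,198.51.100.7,yes
legacy.example.edu,unknown,10.20.1.2,no
"""

def release_line(version):
    """Return 'major.minor' (e.g. '8.61'), or None if it cannot be parsed."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        return None
    return ".".join(parts[:2])

def audit(inventory_csv):
    """Return (host, priority, reasons) tuples, most urgent first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        line = release_line(row["peopletools_version"])
        addr = ipaddress.ip_address(row["listen_ip"])
        exposed = not any(addr in net for net in INTERNAL_NETS)
        reasons = []
        if line is None:
            priority = "verify"  # an unknown version must not pass silently
            reasons.append("version not recorded")
        elif line in AFFECTED_LINES:
            # The release line alone does not show whether the fix is applied;
            # confirm the patch level against Oracle's advisory.
            priority = "critical" if exposed else "high"
            reasons.append(f"PeopleTools {line} is an affected release line")
        else:
            priority = "not-listed"
        if exposed:
            reasons.append("address outside internal ranges")
        if row["mfa_enforced"].strip().lower() != "yes":
            reasons.append("MFA not enforced")
        results.append((row["host"], priority, reasons))
    return sorted(results, key=lambda r: ORDER[r[1]])
```

Calling `audit(SAMPLE_INVENTORY)` returns the two instances with addresses outside the internal range first. The host with no recorded version is ranked above the one on a release line the page does not list, so gaps in the inventory surface as work items.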