ShinyHunter Attack in PeopleSoft
Book a focused PeopleSoft security assessment with Pathlock to quickly identify potential exposure to current threat activity, uncover access and control gaps, and leave with clear next steps to strengthen your security posture.
Get a Free PeopleSoft Security Assessment
Assess your PeopleSoft exposure now to detect targeting, validate controls, and reduce ERP security risk before attackers expand their access.
Attack Anatomy
How ShinyHunters breached 100+ organizations
01
Zero-day gadget chain exploit (CVE-2026-35273)
Attackers chained known older vulnerabilities with an unpatched zero-day
to authenticate as privileged users and execute actions through the PeopleSoft application
layer — without needing valid credentials to start.
02
Automated attacks on default admin accounts
Scripts targeted SSH using default PeopleSoft admin usernames endemic to most deployments: psoft, oracle, linuxadm. When passwords failed, they used SSH keys stored in app server config files (psappsrv.cfg).
03
Silent data exfiltration via PeopleSoft queries
Attackers used PeopleSoft's own query tools to export student records,
payroll, health data, and immigration information, without triggering any transactional
log. Native PeopleSoft does not track what data is viewed or exported.
Ransom note dropped on web and app servers
After exfiltration, attackers deployed a ransom note. If this file
exists in your environment, your data has already left the building.
Root Cause
Why standard PeopleSoft configurations failed
This attack succeeded at scale because of well-known configuration gaps that most PeopleSoft organizations haven't addressed.
No IP-level access controls
No native way to block logins from unexpected IPs. Many organizations
couldn't even see where connections originated.
Admin accounts outside SSO
Default admin accounts connect directly to PeopleSoft, bypassing SSO and
MFA entirely — invisible to your identity provider.
No application-layer logging
PeopleSoft doesn't log data views or exports by default. Once data leaves
via query, there's no forensic record.
Credentials in config files
App server config files (psappsrv.cfg) can hold plaintext credentials. File
access equals admin access — bypassing all auth controls.
No contextual policy engine
PeopleSoft SSO/MFA has no rules engine. It can't evaluate IP, device, time,
or location and respond dynamically.
Exposed default credentials
Default usernames (psoft, oracle, linuxadm) are endemic to PeopleSoft. They
exist as direct backdoors if not locked down.
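The two configuration gaps above (plaintext secrets in psappsrv.cfg and default admin accounts reachable over SSH) can be checked with a short audit script. This is an added example, not Pathlock's product or any PeopleSoft tooling; it assumes the [Startup] keys UserPswd and ConnectPswd hold the secrets and that PSCipher-encrypted values carry a {V1} or {V2} prefix, and it runs on constructed sample input.

```python
import configparser

# Default PeopleSoft admin usernames named on the page.
DEFAULT_ADMIN_USERS = {"psoft", "oracle", "linuxadm"}

# psappsrv.cfg [Startup] keys that carry secrets. Assumption: PSCipher-encrypted
# values carry a "{V1}"/"{V2}" prefix; any other non-empty value is treated as plaintext.
SECRET_KEYS = {"UserPswd", "ConnectPswd"}
ENCRYPTED_PREFIXES = ("{V1}", "{V2}")
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def find_plaintext_secrets(cfg_text):
    """Return [(section, key)] for secret keys whose value is not PSCipher-encrypted."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in psappsrv.cfg
    parser.read_string(cfg_text)
    return [
        (section, key)
        for section in parser.sections()
        for key, value in parser.items(section)
        if key in SECRET_KEYS and value and not value.startswith(ENCRYPTED_PREFIXES)
    ]


def exposed_default_accounts(passwd_text, key_owners):
    """Default admin accounts in /etc/passwd with a login shell and an authorized_keys file."""
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, shell = fields[0], fields[6]
        if user in DEFAULT_ADMIN_USERS and shell not in NOLOGIN_SHELLS and user in key_owners:
            exposed.append(user)
    return sorted(exposed)


# Constructed sample inputs (not taken from any real system).
SAMPLE_CFG = "[Startup]\nDBName=HRPRD\nUserId=PS\nUserPswd=PS\nConnectId=people\nConnectPswd={V2}f9A1bC2dE3\n"
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "psoft:x:1001:1001::/home/psoft:/bin/bash\n"
    "oracle:x:1002:1002::/home/oracle:/bin/bash\n"
    "linuxadm:x:1003:1003::/home/linuxadm:/sbin/nologin\n"
)
SAMPLE_KEY_OWNERS = {"psoft", "linuxadm"}  # users whose ~/.ssh/authorized_keys exists

if __name__ == "__main__":
    print("plaintext secrets:", find_plaintext_secrets(SAMPLE_CFG))  # [('Startup', 'UserPswd')]
    print("exposed accounts:", exposed_default_accounts(SAMPLE_PASSWD, SAMPLE_KEY_OWNERS))  # ['psoft']
```

On a live server, feed it the real psappsrv.cfg contents, /etc/passwd, and the set of users whose authorized_keys file exists; any finding is an account or secret that bypasses SSO and MFA.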
How Pathlock helps
Pathlock installs as a lightweight plug-in on your PeopleSoft web server - no new hardware, no custom development, no disruption to updates.
Zero Trust MFA
MFA enforced at login and at field/page/component level — including admin
accounts outside your SSO/IDP. Stolen or default credentials alone cannot grant access.
IP & Contextual Controls
Every request evaluated against IP, geography, device, and time of day. SSH
from unknown IPs using admin accounts is automatically blocked before any data is reached.
A360 Threat Analytics
Real-time monitoring of auth trends, failed attempts, and anomalies.
Brute-force patterns trigger immediate alerts — before data is exfiltrated, not after.
Granular Activity Logging
Every data interaction logged at field, page, and component level with User
ID, IP, browser, location, and timestamp. The forensic record exists from day one.
Dynamic Data Masking
SSNs, bank accounts, health data, and compensation fields masked at UI
layer. Even with access, attackers see only masked values — limiting the value of anything
exfiltrated.
Act Right Now
What to expect in your PeopleSoft security assessment
1. Review known ShinyHunters indicators across your PeopleSoft logs, IPs, domains, and file artifacts.
2. Assess authentication, logging, and access controls tied to the latest attack vectors.
3. Identify exposure points such as default credentials, unmanaged admin accounts, and unmonitored SSH paths.
4. Map where privileged access may sit outside your IDP, MFA, or governance policies.
5. Leave with a clear risk summary and prioritized next steps to reduce exposure quickly.
Know your exposure. Before attackers do.
We'll assess your organization's PeopleSoft security posture against the ShinyHunters attack vectors, confirming whether you were targeted and identifying where your environment is exposed right now.
Schedule a Call with a Pathlock Expert
No sales pitch. A security expert, your logs, and a clear picture of your risk.