By NHI Mgmt Group Editorial Team | Published 2026-06-11 | Domain: Breaches & Incidents | Source: Pathlock

TL;DR: ShinyHunters exploited Oracle PeopleSoft vulnerabilities across more than 300 instances at over 100 organisations, with higher education hit hardest, according to Pathlock. The breach shows that ERP platforms still fail when application-layer monitoring, admin credential control, and data masking are missing.


At a glance

What this is: Pathlock's analysis of a large-scale PeopleSoft exploitation campaign that used a vulnerability chain, weak admin controls, and application-layer gaps to compromise ERP environments.

Why it matters: ERP systems often sit outside modern IAM and NHI control assumptions, yet they still carry high-value human identity, privileged access, and sensitive data workflows.



Context

ERP identity risk is not limited to cloud consoles or SaaS admin portals. When an application like PeopleSoft exposes privileged access, sensitive records, and legacy authentication paths in one stack, attackers can move through the application layer rather than around it.

This matters for IAM, PAM, and lifecycle governance because ERP access often combines human admin accounts, service-like operational accounts, and sensitive business data in the same trust boundary. In practice, that means control failures in authentication, logging, and privilege scoping can become breach enablers even when the broader identity programme appears mature.


Key questions

Q: What breaks when ERP admin accounts can bypass central identity controls?

A: When ERP administrators can authenticate outside the IdP, MFA, conditional access, and session governance no longer apply uniformly. That creates a blind spot where privileged users can reach sensitive data through legacy paths that were never designed for modern identity assurance. The result is not just weaker security, but inconsistent accountability across the same application.

Q: Why do legacy ERP systems increase identity and access risk?

A: Legacy ERP systems often concentrate sensitive data, broad entitlements, and older authentication patterns in one environment. That combination makes it easier for a single compromised account to cross business boundaries and harder for central IAM tools to see what happened at the field or record level. Risk rises when governance treats the ERP as an exception.

Q: How can teams tell whether ERP access controls are actually working?

A: Measure whether high-privilege accounts are forced through the IdP, whether sensitive actions are logged at a granular level, and whether masking prevents unnecessary data exposure. If investigators cannot reconstruct who viewed, queried, or exported records, the control stack is not delivering usable assurance. Telemetry depth is a governance signal, not just a logging metric.

Q: Who is accountable when application-layer ERP data is stolen?

A: Accountability usually spans the application owner, IAM and PAM teams, and the data governance function because the failure crosses authentication, privilege control, and record protection. If direct admin paths, weak logging, or toxic entitlements were left in place, each control owner has to explain why the gap persisted. Shared systems still require named ownership.


Technical breakdown

PeopleSoft gadget-chain exploitation and application-layer compromise

The attack used a gadget chain, meaning a sequence of vulnerabilities that together let attackers act through PeopleSoft's own application logic. Oracle's out-of-band fix for CVE-2026-35273 shows the kind of remotely exploitable flaw that can become an initial foothold when paired with older weaknesses. The important point is that the attackers did not need to behave like database intruders. They could authenticate as privileged users or bypass authentication entirely, then use normal application APIs to reach records and administrative functions.

Practical implication: monitor and protect the application layer, not just the network perimeter or database tier.

Privileged accounts, direct authentication, and toxic access paths

The attack was amplified by default and weak administrative access patterns. Pathlock describes common admin accounts such as psoft, oracle, and linuxadm, and notes that attackers fell back to SSH key-based authentication when passwords failed. That combination turns credential hygiene into a structural control, not a housekeeping task. If high-privilege accounts can authenticate directly to PeopleSoft without going through the IdP, then MFA, policy checks, and normal identity governance controls lose coverage at the exact point of highest risk.

Practical implication: remove direct admin authentication paths and treat default accounts as active attack surface.
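
One way to surface the pattern described above (password failures on a default admin account followed by a successful key login from the same source), as an added example rather than code from Pathlock or this page. It assumes standard OpenSSH sshd syslog messages; the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Default admin account names listed in Pathlock's analysis.
DEFAULT_ADMINS = {"psoft", "oracle", "linuxadm"}

# OpenSSH sshd authentication messages as they appear in syslog.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines (documentation IP ranges), not from a real incident.
SAMPLE_LOG = """\
Jun  2 03:11:04 erp01 sshd[4121]: Failed password for psoft from 203.0.113.40 port 51122 ssh2
Jun  2 03:11:09 erp01 sshd[4121]: Failed password for psoft from 203.0.113.40 port 51122 ssh2
Jun  2 03:11:31 erp01 sshd[4130]: Accepted publickey for psoft from 203.0.113.40 port 51140 ssh2: ED25519 SHA256:CONSTRUCTED-FINGERPRINT
Jun  2 08:45:10 erp01 sshd[5002]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED-FINGERPRINT
Jun  2 09:02:55 erp01 sshd[5100]: Failed password for invalid user linuxadm from 203.0.113.41 port 40100 ssh2
Jun  2 09:14:12 erp01 sshd[5230]: Accepted password for oracle from 198.51.100.9 port 40311 ssh2
"""


def review_default_admin_logins(log_text):
    """Return (finding, user, source_ip, prior_password_failures) tuples."""
    failures = defaultdict(int)  # (user, ip) -> failed password attempts so far
    findings = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["user"] not in DEFAULT_ADMINS:
            continue
        key = (m["user"], m["ip"])
        if m["result"] == "Failed":
            if m["method"] == "password":
                failures[key] += 1
        elif m["method"] == "publickey" and failures[key]:
            # Password attempts failed, then a key worked from the same source.
            findings.append(("password_then_key", *key, failures[key]))
        else:
            # Any successful login on a default account still needs an owner.
            findings.append(("default_admin_login", *key, failures[key]))
    return findings


if __name__ == "__main__":
    for finding in review_default_admin_logins(SAMPLE_LOG):
        print(finding)
```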

Why field-, page-, and component-level logging matters in ERP

ERP compromise often becomes visible only after records are queried or exported at scale. Pathlock's analysis stresses logging at the field, page, and component level, plus session metadata such as IP, user ID, timestamp, and browser. That level of detail matters because application-layer abuse can look legitimate unless the telemetry captures context and intent. Dynamic masking adds another control layer by reducing what an authenticated user can actually see, which limits damage even when access is valid.

Practical implication: instrument sensitive ERP workflows so investigators can distinguish legitimate use from data harvesting.
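
A sketch of what field-level telemetry makes possible, as an added example that is not Pathlock's or PeopleSoft's own code. The event schema, the component and page names, the thresholds, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sensitive field classes named in the article; the event schema is an assumption.
SENSITIVE = {"ssn", "bank_account", "compensation", "health"}


def make_event(ts, user, ip, browser, component, page, field, record):
    return dict(ts=ts, user=user, ip=ip, browser=browser,
                component=component, page=page, field=field, record=record)


# Constructed telemetry: a clerk opening two records hours apart, and an admin
# account reading SSNs from six different records in under a minute.
EVENTS = [
    make_event("2026-06-02T09:00:00", "clerk7", "10.0.4.21", "Firefox",
               "PAY_BANK", "PAY_INFO", "bank_account", "EMP0101"),
    make_event("2026-06-02T14:30:00", "clerk7", "10.0.4.21", "Firefox",
               "PAY_BANK", "PAY_INFO", "bank_account", "EMP0102"),
] + [
    make_event(f"2026-06-02T03:20:{i * 8:02d}", "psoft", "203.0.113.40",
               "python-requests/2.31", "HR_PERSON", "BIO_PAGE", "ssn", f"EMP{i:04d}")
    for i in range(6)
]


def harvesting_alerts(events, max_records=4, window=timedelta(minutes=5)):
    """Flag actors reading sensitive fields on more than max_records distinct
    records inside one sliding time window."""
    hits = defaultdict(list)
    for e in events:
        if e["field"] in SENSITIVE:
            actor = (e["user"], e["ip"], e["browser"])
            hits[actor].append((datetime.fromisoformat(e["ts"]), e["record"], e["field"]))
    alerts = []
    for (user, ip, browser), rows in hits.items():
        rows.sort()
        start = 0
        for end, (ts, _, _) in enumerate(rows):
            while ts - rows[start][0] > window:
                start += 1  # drop reads that fell out of the window
            in_window = rows[start:end + 1]
            records = {rec for _, rec, _ in in_window}
            if len(records) > max_records:
                alerts.append({"user": user, "ip": ip, "browser": browser,
                               "first_seen": in_window[0][0].isoformat(),
                               "records": len(records),
                               "fields": sorted({f for _, _, f in in_window})})
                break  # one alert per actor is enough to open a case
    return alerts
```

Without the `record` and `field` columns, both actors in the sample would appear only as "active sessions", which is the reconstruction gap the section describes.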


Threat narrative

Attacker objective: The objective was to compromise enterprise PeopleSoft environments at scale, steal sensitive institutional data, and use that access for extortion.

  1. Entry occurred through a PeopleSoft gadget chain that combined known and newly disclosed vulnerabilities, enabling remote abuse of the application layer.
  2. Escalation followed when attackers authenticated as privileged users or bypassed authentication, then used legitimate application APIs and direct admin paths to reach records.
  3. Impact came from broad record access, lateral movement into internal PeopleSoft systems, ransom-note placement, and theft of large volumes of sensitive data.



NHI Mgmt Group analysis

ERP compromise is an identity governance problem before it is a vulnerability problem. The article shows attackers moving through PeopleSoft using the application's own authentication and authorisation paths, which means the breach succeeded where identity control boundaries were weakest. That shifts the governing question from patching alone to whether the ERP access model still assumes trusted admin paths and legitimate application use. Practitioners should treat ERP privilege as a governed identity surface, not a legacy exception.

Direct admin authentication is the failure mode, not just weak passwords. When admin accounts can authenticate outside the IdP, MFA policy, conditional access, and normal session governance stop applying consistently. That creates a control gap that attackers can exploit even when central identity tooling looks intact. The practical conclusion is that ERP administration must be brought back under the same lifecycle, assurance, and monitoring expectations as the rest of the privileged estate.

Field-level observability is now the difference between detection and post-incident reconstruction. PeopleSoft-style attacks can blend into normal business use unless logging reaches the record, field, and component level. Without that granularity, investigators see that an account was active but not what it actually consumed or exfiltrated. This is a governance issue as much as a security one because auditability depends on the system being able to explain which identity touched which data and when.

Toxic privilege combinations are the real blast-radius multiplier in ERP environments. Accounts that can query sensitive records and also hold broad administrative or operational access create a failure pattern that is larger than any single credential. The article's emphasis on HR, payroll, financial aid, and student records shows how one compromised identity can bridge business domains that should remain separately controlled. Practitioners should treat cross-domain access as a materially higher-risk governance class, not a routine entitlement.

Legacy enterprise applications are becoming a pressure test for IAM programme maturity. Many organisations have modern controls at the edge but fragmented governance inside ERP platforms, where old accounts, direct auth paths, and inconsistent logging persist. That gap matters because attackers increasingly look for the least modern part of the identity estate, not the newest. The implication is that IAM, PAM, and data control maturity must be measured where legacy applications still concentrate power.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

What this signals

Identity governance teams should expect ERP platforms to remain attractive because they still concentrate privileges, sensitive data, and legacy authentication paths in one place. The practical response is to measure whether your ERP estate is still outside the same review, logging, and masking standards applied elsewhere. The more an application can bypass the central identity stack, the more it behaves like an ungoverned trust island.

A useful internal concept here is ERP identity exception debt: the accumulated risk created when legacy enterprise applications retain separate authentication, separate admin paths, and separate visibility standards. That debt compounds over time because each exception makes the next one easier to justify. Security leaders should track exception debt like technical debt, because it quietly becomes breach debt.

For programmes that already own privileged access and lifecycle governance, the next step is to extend those controls into the application layer. The control question is no longer whether the ERP can authenticate users, but whether it can enforce a policy, explain an action, and preserve evidence at the record level. That is where assurance will be won or lost.


For practitioners

  • Eliminate direct admin authentication paths: Force high-privileged PeopleSoft access through the enterprise IdP so MFA, session controls, and policy checks apply consistently to administrative accounts.
  • Inventory and retire default ERP admin accounts: Search for psoft, oracle, and linuxadm usage, then rotate credentials, remove unused access, and prove that no shared administrative path remains active.
  • Increase telemetry depth on sensitive ERP workflows: Capture field, page, and component-level activity with full session metadata so investigations can reconstruct record views, queries, and downloads.
  • Audit toxic privilege combinations across business domains: Identify accounts that can combine broad read access with query or admin functions across HR, payroll, financial aid, and student records, then separate those duties.
  • Deploy masking for high-value records by default: Apply dynamic data masking to sensitive fields such as SSNs, bank account numbers, compensation data, and health data unless explicit access is requested and logged.
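
The toxic-combination audit from the list above, worked through as an added example (not code from Pathlock or this page). Role names, capability names, and assignments are hypothetical and constructed; the point is that each role looks harmless alone and the risk only appears once roles are resolved per account.

```python
# Business domains named in the article; role and capability names are hypothetical.
DOMAINS = {"hr", "payroll", "financial_aid", "student_records"}
POWERFUL = {"query", "export", "admin"}

# Constructed role catalogue: role -> set of (domain, capability) grants.
ROLES = {
    "hr_viewer":       {("hr", "read")},
    "payroll_viewer":  {("payroll", "read")},
    "aid_counsellor":  {("financial_aid", "read")},
    "registrar_query": {("student_records", "read"), ("student_records", "query")},
    "report_builder":  {("payroll", "query"), ("payroll", "export")},
    "sys_admin":       {("hr", "admin")},
}

# Constructed account-to-role assignments.
ASSIGNMENTS = {
    "jdoe":        ["payroll_viewer"],
    "registrar01": ["registrar_query"],
    "svc_reports": ["hr_viewer", "payroll_viewer", "aid_counsellor", "report_builder"],
    "psoft":       ["hr_viewer", "payroll_viewer", "registrar_query", "sys_admin"],
}


def toxic_accounts(assignments, roles, min_read_domains=2):
    """Resolve effective grants per account and flag cross-domain read access
    held together with a query, export, or admin capability."""
    findings = {}
    for account, role_names in assignments.items():
        grants = set().union(*(roles[r] for r in role_names))
        read_domains = sorted({d for d, cap in grants
                               if cap == "read" and d in DOMAINS})
        powerful = sorted({cap for _, cap in grants if cap in POWERFUL})
        if len(read_domains) >= min_read_domains and powerful:
            # Roles carrying the powerful capability are the ones to separate.
            split = sorted(r for r in role_names
                           if any(cap in POWERFUL for _, cap in roles[r]))
            findings[account] = {"read_domains": read_domains,
                                 "powerful": powerful,
                                 "separate_roles": split}
    return findings


if __name__ == "__main__":
    for account, detail in toxic_accounts(ASSIGNMENTS, ROLES).items():
        print(account, detail)
```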

Key takeaways

  • This breach shows that ERP compromise often starts with identity and application control failures, not just an exploit in isolation.
  • The scale matters because more than 300 PeopleSoft instances and over 100 organisations were affected, with confirmed data theft already visible in the public record.
  • The controls that would have changed the outcome are direct admin path removal, granular application logging, and data masking on sensitive records.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Default and weak admin credentials map directly to NHI credential lifecycle risk.
NIST CSF 2.0 | PR.AC-4 | The article centers on access enforcement and privileged path control.
NIST Zero Trust (SP 800-207) | AC-4 | The attack abused trust in internal application paths rather than network perimeter controls.

Apply least-privilege and conditional access to ERP admin paths, with explicit logging for sensitive actions.


Key terms

  • Application-layer monitoring: Monitoring that records what users and accounts do inside the application, not just whether they reached the host or network. In ERP systems, it captures actions such as record views, queries, exports, and privilege changes, which is often the only way to spot legitimate-looking abuse at scale.
  • Toxic privilege combination: A set of permissions that becomes disproportionately dangerous when held together by one identity. In ERP environments, this often means broad read access combined with query, export, or administration rights across sensitive business domains, creating a much larger blast radius than the individual entitlements suggest.
  • Direct authentication bypass: A control gap where privileged users can log in to an application without passing through the central identity provider. That bypass breaks consistent MFA, conditional access, and lifecycle governance, leaving one of the most sensitive paths in the environment outside normal identity assurance.


This post draws on content published by Pathlock covering the Oracle PeopleSoft exploitation campaign: ShinyHunters and the PeopleSoft vulnerability chain.
