TL;DR: ShinyHunters exploited Oracle PeopleSoft vulnerabilities across more than 300 instances at over 100 organisations, with higher education hit hardest, according to Pathlock. The breach shows that ERP platforms still fail when application-layer monitoring, admin credential control, and data masking are missing.
NHIMG editorial — based on content published by Pathlock covering the Oracle PeopleSoft exploitation campaign: ShinyHunters and the PeopleSoft vulnerability chain
By the numbers:
- ShinyHunters exploited Oracle PeopleSoft vulnerabilities across more than 300 instances at over 100 organizations worldwide.
Questions worth separating out
Q: What breaks when ERP admin accounts can bypass central identity controls?
A: When ERP administrators can authenticate outside the IdP, MFA, conditional access, and session governance no longer apply uniformly.
Q: Why do legacy ERP systems increase identity and access risk?
A: Legacy ERP systems often concentrate sensitive data, broad entitlements, and older authentication patterns in one environment.
Q: How can teams tell whether ERP access controls are actually working?
A: Measure whether high-privilege accounts are forced through the IdP, whether sensitive actions are logged at a granular level, and whether masking prevents unnecessary data exposure.
Practitioner guidance
- Eliminate direct admin authentication paths: Force high-privileged PeopleSoft access through the enterprise IdP so MFA, session controls, and policy checks apply consistently to administrative accounts.
- Inventory and retire default ERP admin accounts: Search for psoft, oracle, and linuxadm usage, then rotate credentials, remove unused access, and prove that no shared administrative path remains active.
- Increase telemetry depth on sensitive ERP workflows: Capture field, page, and component-level activity with full session metadata so investigations can reconstruct record views, queries, and downloads.
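One way to run the default-account search from the guidance above against Linux authentication logs, as an added example that is not from Pathlock's analysis or this editorial. The log format (OpenSSH and pam_unix syslog lines), the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Account names taken from the guidance above.
DEFAULT_ACCOUNTS = {"psoft", "oracle", "linuxadm"}

# Constructed sample lines (assumed OpenSSH / pam_unix syslog format; RFC 5737 addresses).
SAMPLE_LOG = """\
Mar  3 02:14:07 app01 sshd[4121]: Accepted password for psoft from 203.0.113.24 port 50122 ssh2
Mar  3 02:15:40 app01 sshd[4188]: Failed password for oracle from 203.0.113.24 port 50140 ssh2
Mar  3 08:01:12 app01 sshd[5310]: Accepted publickey for jdoe from 198.51.100.7 port 41822 ssh2
Mar  3 08:02:30 app01 su: pam_unix(su-l:session): session opened for user psoft by jdoe(uid=1004)
Mar  3 09:45:02 db01 sshd[910]: Accepted publickey for linuxadm from 198.51.100.7 port 41900 ssh2
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+)")
# Matches both "user psoft by jdoe(uid=N)" and the newer "user psoft(uid=N) by jdoe(uid=N)".
PAM_RE = re.compile(r"pam_unix\((\S+?):session\): session opened for user (\w+)(?:\(uid=\d+\))? by (\w*)")


def audit(log_text, accounts=DEFAULT_ACCOUNTS):
    """Return (account, event, origin) for every log line that touches a default account."""
    findings = []
    for line in log_text.splitlines():
        if m := SSH_RE.search(line):
            outcome, method, user, src = m.groups()
            if user in accounts:
                findings.append((user, f"ssh-{outcome.lower()}-{method}", src))
        elif m := PAM_RE.search(line):
            service, user, actor = m.groups()
            if user in accounts:
                findings.append((user, f"session-via-{service}", actor or "unknown"))
    return findings


def summarize(findings):
    """Group findings per account so each one can be rotated, removed or justified."""
    summary = defaultdict(lambda: {"events": 0, "origins": set(), "direct_password": False})
    for user, event, origin in findings:
        entry = summary[user]
        entry["events"] += 1
        entry["origins"].add(origin)
        # A successful password login means the shared credential is still a live path.
        entry["direct_password"] |= event == "ssh-accepted-password"
    return dict(summary)


if __name__ == "__main__":
    for account, info in sorted(summarize(audit(SAMPLE_LOG)).items()):
        print(account, info["events"], sorted(info["origins"]), info["direct_password"])
```

An empty result over a full retention window is the evidence that no shared administrative path remains active; any account with `direct_password` set is a candidate for immediate credential rotation.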
What's in the full analysis
Pathlock's full analysis covers the operational detail this post intentionally leaves for the source:
- The specific PeopleSoft vulnerability chain and how the attacker script moved from breach to ransom delivery
- The full list of indicators of compromise, including attacker IPs, domain names, and the ransom note filename
- Step-by-step hardening actions for application-layer MFA, IP whitelisting, and dynamic masking
- Pathlock's layered control model for enforcing policy across application, transaction, and data layers
PeopleSoft breach exposure: are ERP identity controls keeping up?
Explore further
ERP compromise is an identity governance problem before it is a vulnerability problem. The article shows attackers moving through PeopleSoft using the application's own authentication and authorisation paths, which means the breach succeeded where identity control boundaries were weakest. That shifts the governing question from patching alone to whether the ERP access model still assumes trusted admin paths and legitimate application use. Practitioners should treat ERP privilege as a governed identity surface, not a legacy exception.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when application-layer ERP data is stolen?
A: Accountability usually spans the application owner, IAM and PAM teams, and the data governance function because the failure crosses authentication, privilege control, and record protection. If direct admin paths, weak logging, or toxic entitlements were left in place, each control owner has to explain why the gap persisted. Shared systems still require named ownership.