PeopleSoft exploitation: what it means for access control teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7070
Topic starter  

TL;DR: Attackers are exploiting PeopleSoft at scale, with more than 300 instances reportedly compromised by June 10, 2026, according to Pathlock, and the broader pattern is familiar: low-level access can become privilege escalation when access controls are weak. The real issue is not just patching, but whether application access governance can contain abuse after initial entry.

NHIMG editorial — based on content published by Pathlock: May Patch Tuesday roundup, including PeopleSoft exploitation and SAP S/4HANA risk

By the numbers:

Questions worth separating out

Q: What breaks when low-level ERP access can be escalated into sensitive business actions?

A: The control boundary breaks.

Q: Why do ERP vulnerabilities create identity governance problems as well as security problems?

A: Because attackers rarely need full admin access to cause damage.

Q: How do security teams know whether application access is too broad?

A: Look for identities that can perform multiple sensitive steps in one workflow, especially request, approve, and execute combinations.

Practitioner guidance

  • Map escalation paths inside ERP roles: Identify where low-level PeopleSoft or ERP accounts can chain into high-value functions through inherited roles, nested permissions, or workflow access.
  • Review segregation of duties at the transaction level: Test whether the same identity can request, approve, and execute sensitive actions in the application.
  • Pair patching with entitlement cleanup: Treat the vulnerability as a trigger for access review, not just remediation.
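As an added illustration of the first two guidance points (this is example code, not Pathlock's or this forum's), the script below resolves nested role inheritance into effective permissions, lists what a role gains only through nesting, and flags identities that hold two or more of request, approve and execute within one workflow. Role, workflow and identity names are constructed sample data, not real PeopleSoft objects.

```python
# Constructed sample data; role and workflow names are hypothetical, not
# real PeopleSoft objects. Role -> roles it inherits (nested permissions).
ROLE_INHERITS = {
    "ap_clerk": [],
    "ap_reviewer": ["ap_clerk"],
    "ap_manager": ["ap_reviewer"],
    "helpdesk": ["ap_manager"],  # misconfigured nesting: a low-level role inherits a manager role
}
# Role -> permissions it grants directly, as (workflow, step) pairs.
ROLE_PERMS = {
    "ap_clerk": {("vendor_payment", "request")},
    "ap_reviewer": {("vendor_payment", "approve")},
    "ap_manager": {("vendor_payment", "execute")},
}
# Identity -> roles assigned directly.
ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_reviewer"],
    "carol": ["helpdesk"],
}
SENSITIVE_STEPS = {"request", "approve", "execute"}

def effective_roles(role, hierarchy=ROLE_INHERITS):
    """Expand a role into itself plus every role reachable through nesting."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(hierarchy.get(current, []))
    return seen

def effective_permissions(identity, assignments=ASSIGNMENTS, perms=ROLE_PERMS):
    """Union of permissions from an identity's direct roles and everything they inherit."""
    return {perm for role in assignments.get(identity, [])
            for nested in effective_roles(role) for perm in perms.get(nested, set())}

def escalation_paths(role, perms=ROLE_PERMS):
    """Permissions a role gains only through inheritance, as (nested_role, permission)."""
    return sorted((nested, perm) for nested in effective_roles(role) - {role}
                  for perm in perms.get(nested, set()))

def sod_conflicts(identity):
    """Workflows where one identity holds two or more of request/approve/execute."""
    steps = {}
    for workflow, step in effective_permissions(identity):
        if step in SENSITIVE_STEPS:
            steps.setdefault(workflow, set()).add(step)
    return {wf: sorted(s) for wf, s in steps.items() if len(s) >= 2}
```

Running `sod_conflicts("carol")` shows how a single nesting mistake turns a helpdesk account into one that can request, approve and execute a vendor payment.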

What's in the full analysis

Pathlock's full article covers the operational detail this post intentionally leaves for the source:

  • The specific vulnerability context behind the May Patch Tuesday roundup and how it affects SAP S/4HANA.
  • Pathlock’s original guidance on why low-level access can be used to elevate privileges inside enterprise applications.
  • The vendor’s full framing of the patching and access-control actions it expects security teams to prioritise.
  • The surrounding article context for the broader Patch Tuesday set, including Windows Netlogon and DNS coverage.

👉 Read Pathlock's article on the PeopleSoft exploitation pattern and patching priorities →
