The Zero-Day That Hit Universities — And Why It Matters Everywhere

According to The Hacker News, a group known as ShinyHunters used an unpatched flaw in Oracle PeopleSoft to break into university networks and steal data. The vulnerability, which allows remote code execution without a login, earned a severity score of 9.8 out of 10. What makes this story significant is not just the breach itself, but the fact that the attackers exploited a zero-day in an on-premises enterprise resource planning (ERP) system — a type of software that many organisations, including those in Australia, still run without modern security controls.

Unlike attacks that go after cloud services or rely on stolen passwords, this one required direct network access to a server-side component. The bug lived in the Environment Management Hub, a piece of PeopleSoft that is often left exposed to the internet for convenience. When attackers found it, they could take over the entire system, compress data, and exfiltrate it — all before the vendor released a patch. For Australian small and mid-sized businesses running older ERP suites, this is a wake-up call about the risks hidden in legacy infrastructure.

Why the Attack Method Should Change Your Cybersecurity Priorities

The ShinyHunters campaign shows a shift in tactics. This group previously relied on vishing, stolen tokens, and weak access controls to break into cloud platforms like Salesforce and Canvas. Now they are targeting on-premises ERP software — the kind of system that often contains decades of sensitive records, from financial data to personal information. By exploiting a zero-day, they bypassed the usual defences: firewalls, intrusion detection, and even web application firewalls, which can be evaded.

From a technical standpoint, the attack chain is instructive. The hackers left their own staging servers exposed, which allowed researchers to see the tools used: custom remote-management agents disguised as Microsoft Azure binaries, and a script that spread across internal hosts using hardcoded passwords. The command history showed data compressed and sent to a public leak site. This level of detail reveals that the attackers were organised and methodical. For any business running PeopleSoft or similar legacy ERP, the lesson is clear: if a critical component is reachable from the internet, it is only a matter of time before someone finds it.

What This Means for Australian SMBs

Australian small and mid-sized businesses often run ERP systems that were installed years ago and rarely updated. Many still use PeopleSoft, JD Edwards, or SAP Business One — all of which can have similar management interfaces exposed for remote support. The ShinyHunters breach demonstrates that attackers are actively scanning for these endpoints. A compromised ERP system can leak customer names, addresses, phone numbers, passport numbers, and even ethnicity or disability data, which would trigger mandatory breach notification under Australia's Privacy Act.

Because SMBs typically have lean IT teams, they may not have dedicated security monitoring. The attack on universities shows that a single unpatched component can lead to data theft affecting hundreds of thousands of individuals. For an Australian SMB, a similar breach could result in regulatory fines, loss of customer trust, and significant remediation costs. The fact that the vendor’s patch arrived after the exploitation started means that relying solely on vendor updates is not enough — proactive mitigation is essential.

What You Can Do Now

  • Block external access to administrative web interfaces such as /PSEMHUB/ and /PSIGW/ on your PeopleSoft or similar ERP systems. Use a firewall or VPN to restrict management traffic to internal networks only.
  • Check for available patches from your ERP vendor and apply them as soon as they are confirmed. Do not wait for the next scheduled maintenance window.
  • Review web server logs for unusual POST requests to endpoints like /PSEMHUB/hub or /PSIGW/HttpListeningConnector, and look for unexpected .jsp files or new folders under the application directory.
  • Restrict outbound SMB traffic (port 445) from ERP servers to the internet. Attackers can use this to capture authentication hashes and move laterally.
  • Implement multi-factor authentication for all administrative accounts and segment your network so
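Added example (not code from the original article or from Oracle): a small Python scanner that applies the log-review step above to web server access-log lines, flagging POSTs to /PSEMHUB/ or /PSIGW/ from addresses outside the internal ranges and successful fetches of .jsp files. The common log format, the internal address ranges, the .jsp heuristic and the sample lines are all assumptions constructed for this example; tune them to your own web tier.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in common log format (assumption: your web tier
# logs requests this way; adapt LINE_RE for WebLogic or IIS formats).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:02:14:33 +1100] "POST /PSEMHUB/hub HTTP/1.1" 200 512
10.0.4.21 - - [10/Mar/2026:02:15:02 +1100] "POST /PSEMHUB/hub HTTP/1.1" 200 480
198.51.100.9 - - [10/Mar/2026:02:16:10 +1100] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1024
203.0.113.7 - - [10/Mar/2026:02:17:45 +1100] "GET /psp/ps/signon.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2026:02:18:01 +1100] "GET /psc/ps/cache/x.jsp HTTP/1.1" 200 96
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Management endpoints named in the article; POSTs should only come from inside.
MANAGEMENT_PREFIXES = ("/PSEMHUB/", "/PSIGW/")
# Assumption: these are the site's internal ranges; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the client address falls inside an internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # malformed address: treat as untrusted
    return any(addr in net for net in INTERNAL_NETS)


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines in another format
        ip, ts, method, path, status = m.groups()
        reason = None
        if method == "POST" and path.startswith(MANAGEMENT_PREFIXES) and not is_internal(ip):
            reason = "external POST to management endpoint"
        elif path.lower().endswith(".jsp") and status == "200":
            # Assumption: served .jsp files are uncommon on a PeopleSoft web
            # tier, so a successful .jsp fetch is worth a manual look.
            reason = "successful request for a .jsp file"
        if reason:
            findings.append({"ip": ip, "time": ts, "path": path, "reason": reason})
    return findings
```

Run `scan()` over your real access log text; every finding should be checked against the application directory for the new .jsp files and folders the article describes.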