When the HR System Becomes the Attack Surface

AI Cybersecurity, News Analysis, Zero-Day


One hundred organizations. Sixty-eight percent of them universities. A score of 9.8 out of 10.

Those three numbers came out of a single vulnerability discovered in Oracle's PeopleSoft last week, and they are worth sitting with before moving on to the next headline.

PeopleSoft is not an obscure piece of software. It is what large organizations use to manage payroll, HR records, student data, and financial operations. The kind of system that holds everything about everyone inside an institution. When a flaw is found there, it is not a technical incident. It is a structural exposure.

The vulnerability, catalogued as CVE-2026-35273, carried a CVSS score of 9.8. That is near the top of the scale, and the number is less important than what it encodes: a 9.8 is what CVSS assigns to a flaw that is reachable over the network, is not hard to trigger, needs no privileges and no user interaction, and gives the attacker full control of confidentiality, integrity, and availability. In plain terms, the conditions required to exploit it are none. No login. No user interaction. Anyone who can reach the server over the network can take control of it remotely. The door does not need to be unlocked. It was never installed.

The group behind the attacks, ShinyHunters, did not wait for Oracle to issue a patch. They moved before the advisory was published, sometime between May 27 and June 9. Google Mandiant notified more than 100 potentially affected institutions after the fact. By then, data from some of them had already appeared on ShinyHunters' leak site. The University of Nottingham confirmed that records belonging to approximately 455,000 current and former students had been exposed, including names, email addresses, passport numbers, and ethnicity data.

What stands out to me is the timeline. The attackers knew about the vulnerability before the vendor did, or at minimum before the vendor was ready to say anything. That gap, between a flaw becoming known to someone and being disclosed so that defenders can act, is where the damage happens. And the gap is moving in the attacker's favour: the time from discovery to exploitation keeps shrinking, while the time from disclosure to a patch actually being deployed does not.

This is precisely what I write about in Mythos AI Shock. The threat is not always a sophisticated intrusion into a hardened system. Sometimes it is an organization trusting that a vendor's software is safe, while the vendor is still writing the patch.

A password would not have stopped this; the flaw needs no credentials. A firewall rule helps only to the extent that the vulnerable service is unreachable from where the attacker sits, and a campus HR and student system is, by design, reachable by a great many people. What catches this kind of attack is behavioral detection: noticing that a server, an account, or a client is acting in a way that does not match its established rhythm (a client with no session reading record after record in the middle of the night, a system account contacting an address it has never spoken to), and noticing it before the data leaves the building. That in turn assumes the web and application tiers are logging at all, and that the logs live somewhere the attacker cannot quietly edit.
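As an added example (not code from this post, and not part of any vendor product), here is the shape of the check described above, in Python: learn the normal hourly volume of record reads from a baseline period, then flag any source whose later activity falls far outside that baseline. The key=value log format, the `/hr/records/` path, the addresses, the account names and every log line are constructed for the example; they are not real PeopleSoft logs and say nothing about the endpoint involved in the incident.

```python
"""Baseline-versus-window anomaly detection over constructed HR web-app access logs.

Added example. The log format, paths, hosts and accounts below are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Hypothetical key=value access-log line; not a real PeopleSoft log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3}) bytes=(?P<bytes>\d+)$"
)
RECORD_PREFIX = "/hr/records/"          # hypothetical per-person record endpoint
BASELINE_END = datetime(2026, 6, 4)     # everything before this is "normal" history


def parse_line(line):
    """Parse one log line; return None for lines that do not match (skipped, not fatal)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["status"] = int(e["status"])
    e["bytes"] = int(e["bytes"])
    return e


def hourly_profile(events):
    """Aggregate per (source, hour): distinct records read, bytes returned, session-less 200s."""
    prof = defaultdict(lambda: {"records": set(), "bytes": 0, "unauth": 0})
    for e in events:
        p = prof[(e["src"], e["ts"].replace(minute=0, second=0))]
        if e["path"].startswith(RECORD_PREFIX) and e["status"] == 200:
            p["records"].add(e["path"])
            if e["user"] == "-":          # record served with no authenticated user
                p["unauth"] += 1
        p["bytes"] += e["bytes"]
    return prof


def find_anomalies(lines, baseline_end=BASELINE_END, z=3.0, floor=5):
    """Learn the normal distinct-records-per-hour rate from the baseline period, then flag
    (source, hour) buckets after baseline_end that exceed mean + z * stdev.
    `floor` keeps a very quiet baseline from yielding a threshold of one or two records."""
    events = [e for e in map(parse_line, lines) if e is not None]
    prof = hourly_profile(events)
    base = [len(p["records"]) for (_, hour), p in prof.items() if hour < baseline_end]
    if not base:
        raise ValueError("no baseline data before baseline_end")
    threshold = max(floor, statistics.fmean(base) + z * statistics.pstdev(base))
    alerts = []
    for (src, hour), p in sorted(prof.items(), key=lambda kv: kv[0][1]):
        n = len(p["records"])
        if hour >= baseline_end and n > threshold:
            alerts.append({
                "src": src, "hour": hour.isoformat(), "records": n, "bytes": p["bytes"],
                "unauthenticated": p["unauth"] > 0, "threshold": round(threshold, 2),
            })
    return alerts


def constructed_logs():
    """Constructed sample: three days of two clerks reading 2-4 records an hour, then a
    fourth day with a session-less bulk read at 02:00 and an over-active clerk at 14:00."""
    lines, day0 = [], datetime(2026, 6, 1)
    clerks = {"10.20.1.15": "hr_clerk1", "10.20.1.16": "hr_clerk2"}
    for day in range(4):
        for src, user in clerks.items():
            for hour in range(9, 17):
                for i in range(2 + hour % 3):            # 2..4 distinct records per hour
                    ts = day0 + timedelta(days=day, hours=hour, minutes=i * 7)
                    lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} user={user} method=GET "
                                 f"path={RECORD_PREFIX}{day:02d}{hour:02d}{i:02d} status=200 bytes=1800")
    # Day 4, 02:00: one external source, no session, sixty distinct records in three minutes.
    for i in range(60):
        ts = day0 + timedelta(days=3, hours=2, seconds=i * 3)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.7 user=- method=GET "
                     f"path={RECORD_PREFIX}9{i:04d} status=200 bytes=1800")
    # Day 4, 14:00: a valid clerk session, but twelve extra records on top of the usual four.
    for i in range(12):
        ts = day0 + timedelta(days=3, hours=14, minutes=30 + i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=10.20.1.15 user=hr_clerk1 method=GET "
                     f"path={RECORD_PREFIX}8{i:04d} status=200 bytes=1800")
    lines.append("a line the parser should skip rather than crash on")
    return lines


if __name__ == "__main__":
    for alert in find_anomalies(constructed_logs()):
        print(alert)
```

The threshold is learned from the data rather than hard-coded, which is the whole point: on the constructed baseline it lands just above five records an hour, so the 02:00 burst (sixty records, no session) and the 14:00 bucket (sixteen records from a real account) both surface, while ordinary clerk traffic on the same day does not. The `unauthenticated` flag is context for the analyst, not a trigger; the detection itself rests on the deviation from the established rhythm, which is what still works when the attacker's first request is one the application accepts as legitimate.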

If you are responsible for an organization that uses enterprise HR or financial software, this week is a good time to ask your IT team one question: how would we know if someone had already been inside?

The Kindle edition of Mythos AI Shock is available on Amazon: https://www.amazon.com/dp/B0H3R5JR8S

Steve Yun
Author, Mythos AI Shock
