Legacy ERP Is the New Breach Frontier: A 2026 Modernization & Security Playbook

Aging on-prem ERPs are now a primary breach frontier. A 2026 playbook to inventory exposure, segment, patch under managed SLA, monitor with MDR, and modernize to the cloud in phases — without halting the business.

CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai


Why legacy ERP became a primary breach frontier in 2026

For most of the last decade, ERP security lived in the long tail of CISO concerns. The systems were aging, but the operating assumption was that they sat behind a corporate firewall, were rarely internet-facing, and benefited from quarterly vendor patch cycles. The 2026 evidence overturns that assumption.

Between 27 May and 9 June 2026, a critical zero-day in Oracle PeopleSoft was actively exploited in the wild before any patch existed. Oracle published its advisory on 10 June 2026, identifying the flaw as CVE-2026-35273 — a remote code execution vulnerability in the Environment Management component scored 9.8 on the CVSS v3.1 scale. Google Threat Intelligence Group, drawing on Mandiant incident-response data, attributed the campaign to the actor publicly tracked as ShinyHunters and observed exploitation across more than 100 organizations and more than 300 PeopleSoft instances. Roughly 68% of impacted organizations were in higher education. The dataset leaked from the campaign, indexed by Have I Been Pwned, contains approximately 455,000 unique email addresses. These figures are reported by The Hacker News, TechCrunch, CSO Online and Google Cloud / Mandiant.

The PeopleSoft incident is one data point, but it confirms a pattern that ERP and security teams already see across SAP ECC and S/4HANA, JD Edwards, Microsoft Dynamics AX, Oracle E-Business Suite and Infor Lawson estates: legacy ERPs concentrate identity, finance, payroll and customer data in a single attack surface that is hard to patch quickly and even harder to monitor with modern tooling. When a critical CVE drops, the gap between disclosure and a tested production patch is measured in days for some buyers and months for others. Attackers know which buyers are which.

The exposure pattern attackers exploit

Three structural conditions make legacy ERPs attractive to financially motivated and state-aligned actors alike.

The first is **internet exposure that nobody intended**. Modules like PeopleSoft Environment Management, SAP ICM, Oracle Forms Servlet and ERP integration middleware are routinely reachable from the public internet because they were exposed years ago for a partner integration, a remote administrator, or a since-decommissioned project — and never closed. Shodan and Censys scans across 2024–2026 consistently show tens of thousands of ERP components advertising themselves on default ports.

The second is **slow, brittle patching**. Major ERPs require coordinated downtime, regression testing against customizations, integration smoke tests and change-advisory approvals. A 9.8 CVE that a SaaS team would patch the same day can sit in a legacy ERP change queue for two to six weeks. During that window the system is an open door.

The third is **the data concentration itself**. A single compromised ERP can yield identity records, finance and HR data, vendor master data, and the integration credentials reused across the rest of the estate. The ShinyHunters PeopleSoft campaign reportedly favored higher-education tenants, but the same exposure pattern exists in any sector where ERPs were customized once and forgotten.

A six-track playbook to close the gap

Treat legacy ERP security as a program, not a project. The six tracks below run in parallel; none of them is optional.

1. Inventory and exposure reduction

Start with a comprehensive inventory of every ERP system, version, support status, hosting location, custom code base, integration topology and public-facing surface. Pair the inventory with an external attack-surface scan to detect ERP components reachable from the internet. Decommission, firewall or VPN-gate everything that has no business being public. For PeopleSoft specifically, Environment Management and other rarely-used administrative components should never be reachable from the internet — Oracle's own hardening guidance has said so for years.

2. Network segmentation

Isolate the ERP into its own segment with explicit allow-lists for the user populations, integrations and admin tools that legitimately need access. Block east-west movement from general-purpose corporate subnets. Where the ERP integrates with other systems, route those connections through a controlled iPaaS or API gateway rather than direct trusts, so that an integration compromise does not equal an ERP compromise.

3. Managed patching with a contractual SLA

Move ERP patching from an internal change queue to a managed service with a written SLA. A realistic 2026 target for critical vendor advisories is **48 hours to test, 7 days to production** on cloud-hosted ERP and **14 days to production** on on-prem with significant customization. Slower than that, and you are betting against attackers who weaponize advisories within hours. Faster than that on heavily customized estates risks breaking the business — which is why a senior partner sets the cadence per system rather than promising a single number across the portfolio.
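The SLA described above only becomes auditable when each advisory is tracked against a per-system deadline. The following tracker is an added example, not code from the original article or from Call IT Dev; it encodes the 48-hour/7-day and 14-day targets, treats the 48-hour test window for on-prem as an assumption, and uses constructed system names, advisory ids and dates.

```python
"""SLA tracker for critical ERP vendor advisories.
Added example, not code from the original article or from Call IT Dev. It encodes
the playbook's targets: 48 hours to a tested patch and 7 days to production on
cloud-hosted ERP, 14 days to production on customized on-prem. All sample data
(system names, advisory ids, dates) is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Target windows per hosting class. The article states the 48-hour test window for
# cloud-hosted ERP; applying the same test window to on-prem is an assumption here.
SLA = {
    "cloud": {"test": timedelta(hours=48), "prod": timedelta(days=7)},
    "onprem": {"test": timedelta(hours=48), "prod": timedelta(days=14)},
}

@dataclass
class AdvisoryRecord:
    system: str
    hosting: str                        # "cloud" or "onprem"
    advisory_id: str
    published: datetime                 # vendor advisory publication time
    tested: Optional[datetime] = None   # patch passed regression and integration tests
    in_prod: Optional[datetime] = None  # patch live in production

def _status(done: Optional[datetime], due: datetime, now: datetime) -> str:
    if done is not None:
        return "met" if done <= due else "missed"
    return "open" if now <= due else "overdue"

def evaluate(rec: AdvisoryRecord, now: datetime) -> dict:
    # Auditable per-system record: deadlines derived from the advisory date, plus status.
    test_due = rec.published + SLA[rec.hosting]["test"]
    prod_due = rec.published + SLA[rec.hosting]["prod"]
    return {
        "system": rec.system, "advisory": rec.advisory_id,
        "test_due": test_due.isoformat(), "test": _status(rec.tested, test_due, now),
        "prod_due": prod_due.isoformat(), "prod": _status(rec.in_prod, prod_due, now),
    }

def attainment(records, now: datetime) -> Optional[float]:
    """Share of advisories already in production that met the production target."""
    closed = [evaluate(r, now) for r in records if r.in_prod is not None]
    return None if not closed else sum(e["prod"] == "met" for e in closed) / len(closed)

# Constructed sample: one cloud system on time, one on-prem system late, one still open.
P, NOW = datetime(2026, 6, 10, 9, 0), datetime(2026, 6, 15, 12, 0)
SAMPLE = [
    AdvisoryRecord("finance-erp", "cloud", "ADV-EXAMPLE-1", P, P + timedelta(hours=30), P + timedelta(days=6)),
    AdvisoryRecord("hr-erp", "onprem", "ADV-EXAMPLE-1", P, P + timedelta(hours=72), P + timedelta(days=16)),
    AdvisoryRecord("payroll-satellite", "cloud", "ADV-EXAMPLE-1", P),
]
```

Feeding `evaluate` output into the weekly operations call and `attainment` into the quarterly report gives the per-system SLA record the playbook asks for.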

4. Monitoring and MDR

Most legacy ERPs do not natively emit the telemetry a modern SOC needs. Bridge the gap with ERP-aware log forwarders, identity-event collection, database audit logs and a 24/7 MDR (Managed Detection and Response) service that knows what normal ERP behavior looks like — and what the early signals of an ERP-targeted intrusion look like. Generic EDR is necessary but not sufficient: ERP attacks live in application-layer logs that EDR does not see.
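One concrete piece of ERP-aware detection content ties the segmentation allow-lists from track 2 to the application-layer logs that EDR does not see: flag any web-tier request from outside every allow-list, and any administrative path reached from a non-admin population. The check below is an added example, not code from the original article or from Call IT Dev; the log format, network ranges and administrative URL prefixes are constructed for illustration.

```python
"""Allow-list check over ERP web-tier access logs.
Added example, not code from the original article or from Call IT Dev. It applies
the playbook's segmentation rule (explicit allow-lists per population, admin
components never reachable from the public internet) to access logs and emits
findings for an MDR analyst to triage. Log format, ranges and URL prefixes are
constructed, not taken from any real ERP product."""
import ipaddress

# Constructed allow-lists, one per population the article names.
ALLOW = {
    "users": [ipaddress.ip_network("10.20.0.0/16")],         # corporate VPN pool
    "integrations": [ipaddress.ip_network("10.50.8.0/24")],  # iPaaS / API gateway
    "admins": [ipaddress.ip_network("10.99.1.0/28")],        # jump-host subnet
}
# Hypothetical URL prefixes for administrative components of the ERP web tier.
ADMIN_PREFIXES = ("/envmgmt/", "/admin/")

def classify_source(ip: str):
    """Return the allow-list population an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for population, nets in ALLOW.items():
        if any(addr in net for net in nets):
            return population
    return None

def check_line(line: str):
    """Parse '<ts> <src_ip> <method> <path> <status>' and return a finding or None."""
    ts, src, _method, path, _status = line.split()
    population = classify_source(src)
    if population is None:
        # Reachable from an address no allow-list covers: segmentation or exposure gap.
        return (ts, src, path, "source outside every allow-list")
    if path.startswith(ADMIN_PREFIXES) and population != "admins":
        return (ts, src, path, f"admin path from {population} segment")
    return None

def findings(lines):
    """Run the check over every non-empty log line and keep the findings."""
    return [f for f in (check_line(l) for l in lines if l.strip()) if f]

# Constructed sample log lines (198.51.100.23 is a documentation-range address).
SAMPLE_LOG = """\
2026-06-12T08:14:03Z 10.20.5.17 GET /portal/home 200
2026-06-12T08:14:09Z 10.50.8.21 POST /integration/payroll 200
2026-06-12T08:15:44Z 198.51.100.23 GET /envmgmt/status 200
2026-06-12T08:16:02Z 10.20.7.90 POST /admin/config 403
2026-06-12T08:16:30Z 10.99.1.5 GET /envmgmt/status 200
""".splitlines()
```

Note that the fourth line is flagged even though the server returned 403: an admin path probed from the user segment is a detection signal regardless of whether the request succeeded.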

5. Phased cloud migration and modernization

Modernization is the only durable answer. Sunset what you can, lift-and-shift what you must, and replatform the rest. A realistic phased plan for a mid-market enterprise: 6 months to land on a vendor-supported version on cloud infrastructure, 12–18 months to replace heavy customizations with extension platforms, 24–36 months to retire the legacy core. The cloud destination matters less than the cadence; what kills modernization programs is the temptation to do everything at once.

6. Tested backups and recovery

Assume breach. Ensure ERP backups are immutable, encrypted, off-network and **tested end-to-end at least quarterly** — including a full restore of the application tier, not just the database. The 2026 ransomware playbook routinely targets backup infrastructure first; that playbook only fails when the backup posture has actually been rehearsed.

Where Morocco-nearshore plays a role

A senior nearshore partner closes two gaps most internal teams cannot close quickly: 24/7 monitoring coverage, and ERP-specific patching capacity that does not compete with everything else on the internal roadmap. Operating from Casablanca on UTC+1, our security and platform teams overlap fully with European business hours and stretch into the East Coast morning, which keeps detection and patch windows short without overnight staffing premiums. We staff certified PeopleSoft, SAP, Dynamics and Oracle E-Business engineers alongside the security practice, so the same partner can run the MDR shift and ship the patch, removing a hand-off between monitoring and patching teams that often slows internal programs.

For buyers comparing geographies, our take on [why Morocco for nearshore engineering](https://callitdev.com/en/why-morocco) explains the broader case; for the specific ERP modernization scope, our [enterprise software and ERP modernization practice](https://callitdev.com/en/services/digital-studio/enterprise-portals), the [cybersecurity and application security practice](https://callitdev.com/en/services/digital-studio/cybersecurity-appsec), and the [cloud and DevOps modernization practice](https://callitdev.com/en/services/digital-studio/cloud-devops) are the three pages that map most directly to the playbook above.

What good looks like in 12 months

A defensible ERP posture in 2026 has six observable properties. First, every ERP instance is in a current inventory with a named owner. Second, no ERP administrative component is reachable from the public internet. Third, the ERP lives in its own segment with explicit allow-lists. Fourth, critical vendor advisories reach production within the SLA above, with an auditable record per system. Fifth, an MDR with ERP-aware detection runs 24/7. Sixth, backups are immutable and a full restore was rehearsed within the last 90 days.

If your current posture is missing two or more of those properties, you are exposed to the same pattern that the PeopleSoft campaign exploited — regardless of the specific vendor on your stack.

Budget reality: what this actually costs

One of the reasons legacy ERP security stalls is that the program is hard to scope at board level. Numbers help. For a mid-market enterprise running one major ERP and two satellite systems, a defensible 12-month program lands in the following ranges in 2026, based on the engagements we deliver from Casablanca.

- External attack-surface management and the initial inventory: roughly €18,000 to €35,000 of one-off work, including a vendor-led discovery, a hardening assessment of the ERP estate and a documented exposure-reduction backlog.
- Network segmentation work: €25,000 to €70,000, depending on the existing topology and whether identity-aware proxying is already in place.
- Managed patching with the 48-hour-test, 7-day-prod SLA on cloud-hosted ERP: €4,500 to €12,000 per ERP per month, scaling with customization weight and release cadence.
- ERP-aware 24/7 MDR: €6,000 to €15,000 per month for the SOC retainer, plus a small per-instance ingestion fee.
- Backup hardening and quarterly restore rehearsals: €15,000 to €40,000 of one-off work, plus €2,000 to €5,000 per quarter for the rehearsal.
- Phased modernization is sized separately as a capital project, typically €350,000 to €1.2M over 24–36 months for a single ERP suite of replatforming and customization replacement.

These are honest numbers, not anchoring numbers. A vendor that proposes materially less than the lower end on a comparable scope is either subsidizing the engagement to win logos or — more likely — under-resourcing the workstream and accepting tail risk on your behalf.

Operating model: what we run and what stays internal

The internal team retains four things and outsources the rest. Internally retained: the named ERP business owner per system, the change-advisory board, the data-classification authority, and the breach-decision authority. Outsourced to the managed partner: the patching cadence and execution, the 24/7 MDR shifts, the segmentation engineering, the backup rehearsal, the modernization architecture and delivery, and the metrics reporting that feeds quarterly board updates.

Two cadences matter. Weekly: a 30-minute joint operations call covering open advisories, in-flight patches, incident-response events from the prior week and modernization milestones. Quarterly: a written executive report covering SLA attainment per system, advisory close rate, MDR incident summary, restore-rehearsal evidence, and modernization budget burn against plan. The discipline is in the cadence; programs that meet weekly and report quarterly survive leadership transitions, audits and budget reviews.

A practical 30-60-90 day starting plan

If you read this and want to move, here is the starting shape. Days 1-30: lock the inventory, run the external attack-surface scan, identify and close the two or three highest-impact internet exposures, and stand up the joint operations cadence with a managed partner. Days 31-60: sign the managed-patching SLA, complete the first joint patch cycle end-to-end including production go-live, and onboard ERP log sources into the MDR. Days 61-90: deliver the first segmentation milestone, complete the first quarterly restore rehearsal with documented evidence, and present the first executive report to the board.

That ninety-day shape closes more than half of the residual exposure most legacy ERP estates carry, before any modernization spend is committed. The remaining exposure is then sized into a capital-grade modernization program with a realistic 24-36 month horizon.

Closing note

The PeopleSoft incident is not an indictment of Oracle, of higher education, or of on-prem ERP as a category. It is a reminder that legacy systems concentrating identity, finance and customer data require active operational discipline, not the passive trust that the perimeter once provided. The buyers who treat ERP as critical infrastructure — and resource it accordingly — will not be the ones in next quarter's incident-response report.



Frequently Asked Questions

What is CVE-2026-35273 and why does it matter for ERP buyers?

CVE-2026-35273 is a critical remote code execution flaw in the Oracle PeopleSoft Environment Management component, scored 9.8 on the CVSS v3.1 scale. Oracle published the advisory on 10 June 2026. It matters because exploitation was observed in the wild from 27 May to 9 June 2026 before any patch existed, confirming that legacy ERPs are now actively targeted zero-day frontiers, not just patch-management problems.

How widespread was the ShinyHunters PeopleSoft campaign?

Google Threat Intelligence Group and Mandiant observed exploitation across more than 100 organizations and more than 300 PeopleSoft instances, with roughly 68% of impacted organizations in higher education. The disclosed dataset, indexed by Have I Been Pwned, contains approximately 455,000 unique email addresses. Figures are reported by The Hacker News, TechCrunch, CSO Online and Google Cloud/Mandiant.

Should we migrate off legacy ERP immediately?

Not in one step. The realistic phased plan is 6 months to land on a vendor-supported version on cloud infrastructure, 12-18 months to replace heavy customizations with extension platforms, and 24-36 months to retire the legacy core. Trying to do it in one program is the most common failure pattern. In the meantime, the six-track playbook (inventory, segmentation, managed patching, MDR, phased migration, tested backups) closes the gap.

What is a realistic patching SLA for legacy ERP in 2026?

For critical vendor advisories, 48 hours to test and 7 days to production on cloud-hosted ERP, and 14 days to production on on-prem with significant customization. Slower than that and you are betting against attackers who weaponize advisories within hours. Faster than that on heavily customized estates risks breaking the business — which is why the cadence is set per system.

Do we need ERP-specific MDR or is generic EDR enough?

Generic EDR is necessary but not sufficient. ERP attacks live in application-layer logs, identity events and database audit trails that EDR does not see. A 24/7 MDR with ERP-aware detection content is required to catch the early signals of a PeopleSoft, SAP, Oracle EBS or Dynamics intrusion.

How does Call IT Dev help with legacy ERP modernization and security?

We run the inventory, segment the network, manage the patching cadence under SLA, operate 24/7 MDR with ERP-specific detection, and execute the phased cloud migration with certified PeopleSoft, SAP, Dynamics and Oracle EBS engineers. The same partner runs the MDR shift and ships the patch, which keeps detection and remediation windows short.

Is on-prem ERP still defensible in 2026?

Yes, if it is treated as critical infrastructure: current inventory with named owners, no admin components on the public internet, dedicated network segment, contractual patching SLA, 24/7 MDR, and immutable backups with a rehearsed restore within the last 90 days. Missing two or more of those properties leaves you exposed to the same pattern that the 2026 PeopleSoft campaign exploited.
