ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) — 100+ Organizations Breached

Google Threat Intelligence confirmed mass exploitation of an Oracle PeopleSoft zero-day by ShinyHunters; universities are the primary target and the extortion has begun.


Key Takeaways

  • ShinyHunters exploited CVE-2026-35273, a critical (CVSS 9.8) zero-day in Oracle PeopleSoft Enterprise PeopleTools, to breach more than 100 organizations while the flaw was still unpatched, before Oracle's June 10, 2026 advisory.
  • Google Threat Intelligence Group, which tracks the actor as UNC6240, found that roughly two-thirds of the affected organizations are in the higher-education sector, with US universities hit hardest.
  • Oracle issued an out-of-band mitigation and CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 12, 2026, but ShinyHunters is already extorting victims and has begun publishing stolen data on its leak site.

An unauthenticated takeover bug in a system universities run for HR and student records — exploited quietly for two weeks before anyone outside the attackers knew.

AUSTIN, TEXAS — The extortion group ShinyHunters exploited a zero-day vulnerability in Oracle PeopleSoft, tracked as CVE-2026-35273, to breach more than 100 organizations, with universities and the broader higher-education sector singled out as the primary target. Google Threat Intelligence Group (GTIG) confirmed the campaign on June 11, 2026, reporting that the flaw was abused as an unpatched zero-day for roughly two weeks before Oracle published an emergency advisory and mitigation on June 10. The group is now actively extorting victims and has begun publishing stolen data.

The campaign fits a pattern ShinyHunters has run repeatedly through 2026: find a high-value data source, take it at scale, and turn the theft into an extortion business. The same crew was behind the Charter Spectrum breach of 42 million records and the Vimeo data breach. This time the entry point was not social engineering but a software flaw that needed no login at all.

At a Glance
Field               Details
CVE                 CVE-2026-35273
Severity            Critical — CVSS 9.8
Type                Missing authentication for critical function (unauthenticated RCE)
Affected            Oracle PeopleSoft Enterprise PeopleTools 8.61, 8.62
Actor               ShinyHunters (GTIG: UNC6240)
Observed activity   May 27 - June 9, 2026
Oracle advisory     June 10, 2026 (out-of-band)
CISA KEV            Added June 12, 2026
Scope               100+ organizations; ~68% higher education

The Flaw and the Exploitation

CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools, the development and runtime layer beneath PeopleSoft's HR, finance and campus-management applications. Oracle classifies it as a missing-authentication-for-critical-function flaw, and it carries a CVSS score of 9.8 out of 10. According to Rapid7, the weakness sits in the Updates Environment Management component — the piece behind the Environment Management Hub — and lets an unauthenticated remote attacker reach a critical function with nothing more than network access over HTTP, with successful exploitation leading to remote code execution and effective takeover of the server.

The combination of no required login, no user interaction, and a path to code execution is what pushes the score to the top of the scale. Oracle's advisory and subsequent reporting from SecurityWeek identify PeopleTools versions 8.61 and 8.62 as affected.

Crucially, this was a true zero-day. Google Threat Intelligence Group observed exploitation activity between May 27 and June 9, 2026 — predating Oracle's June 10 advisory — which means defenders had no patch and, in most cases, no awareness that the flaw existed while it was being abused. For roughly two weeks the only thing standing between an internet-reachable PeopleSoft instance and a full compromise was whether an attacker had found it yet.

Why Higher Education Got Hit Hardest

The most distinctive feature of this campaign is its target profile. According to GTIG, the affected organizations are concentrated in the higher-education sector, which accounts for roughly 68 percent of the confirmed victims, with US universities bearing the brunt. The Register and TechCrunch both put the total at more than 100 breached organizations, observed across hundreds of vulnerable PeopleSoft instances.

The sector skew is not coincidental. PeopleSoft is one of the most widely deployed enterprise platforms in higher education, where it underpins student information systems, payroll, financial aid and human-resources records for entire institutions. That makes a single PeopleSoft server a dense store of exactly the kind of personal and academic data an extortion group can monetize — and it makes universities, which often run large, internet-facing deployments with constrained security budgets, a uniformly attractive target.

It is also a reminder that mass exploitation no longer depends on a novel technique. As we noted when Google's threat team documented an AI-developed zero-day driving mass exploitation, a single unauthenticated flaw in a widely deployed product is enough to turn an entire sector into a target list. The number of specific universities named publicly remains limited, and the full victim roster has not been disclosed.

ShinyHunters' Extortion Playbook

GTIG, which tracks the actor as UNC6240, attributes the campaign to ShinyHunters — a financially motivated group with a long record of large-scale data theft and extortion. According to CyberScoop, the group is actively extorting the organizations it breached, and the operation follows the now-familiar steal-then-shake-down model rather than file-encrypting ransomware.

The technical tradecraft, as described by Google's researchers, was methodical: after gaining access, the attackers exfiltrated data and, in observed cases, compressed it before moving it out to infrastructure tied to the group's data-leak site. Stolen archives began appearing on that leak site, indicating that for at least some victims the extortion has moved past private demands and into public exposure.

What is not established is the full commercial picture. Specific ransom amounts have not been confirmed, the total volume of records stolen across all victims is not known, and there is no confirmed reporting that ShinyHunters is working alongside other groups in this particular campaign. The confirmed facts are narrower but serious: a financially motivated group, a working unauthenticated exploit, and stolen data already being published.

Oracle's Mitigation and What's Still at Risk

Oracle responded with urgency. According to BleepingComputer and SecurityWeek, the company published an out-of-band Security Alert for CVE-2026-35273 on June 10, 2026 — outside its regular quarterly Critical Patch Update cycle — and released a fix the same day. Any organization running PeopleTools 8.61 or 8.62 should treat applying that mitigation as an emergency change rather than a routine update.

US authorities then escalated the pressure. CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog on June 12, 2026, which obligates federal civilian agencies to remediate within the directive's mandated window and signals to every other operator that the flaw is being exploited in the wild right now.

But patching alone is not sufficient given the two-week exploitation window. Because attacks were observed from May 27, any internet-reachable PeopleSoft instance that was online during that period should be treated as a potential incident-response case, not merely a system to be updated. Where an immediate fix is not feasible, the practical mitigation is to isolate exposed PeopleSoft services from the public internet until the patch can be applied and the system reviewed for signs of prior access.
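For the incident-response review described above, a first triage pass over web access logs can list external sources that reached the exposed component during the reported window. This is an added example, not code from Oracle, GTIG or this article; the URL prefix is a placeholder (the page does not name the real path), and the UTC window bounds, internal network list and sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Exploitation window reported on this page: May 27 - June 9, 2026.
# ASSUMPTION: interpreted in UTC; the end bound is exclusive.
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))
# ASSUMPTION: placeholder path; the page does not give the real URL.
HUB_PREFIX = "/EXAMPLE_HUB_PATH/"
# ASSUMPTION: networks treated as internal; add your campus ranges here.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')

def triage(lines, prefix=HUB_PREFIX):
    """Summarise external requests to `prefix` inside the window, per source IP."""
    out = defaultdict(lambda: {"hits": 0, "ok": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-log-format line
        ip, ts, _method, path, status, size = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of IP, or malformed timestamp
        if any(addr in net for net in INTERNAL):
            continue
        if not (WINDOW[0] <= when < WINDOW[1]) or not path.startswith(prefix):
            continue
        rec = out[ip]
        rec["hits"] += 1
        rec["ok"] += status.startswith("2")  # 2xx: the server accepted the request
        rec["bytes"] += 0 if size == "-" else int(size)
    return dict(out)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /EXAMPLE_HUB_PATH/a HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/May/2026:03:14:09 +0000] "POST /EXAMPLE_HUB_PATH/a HTTP/1.1" 500 0',
    '198.51.100.9 - - [09/Jun/2026:23:59:59 +0000] "GET /EXAMPLE_HUB_PATH/b HTTP/1.1" 200 40',
    '198.51.100.9 - - [12/Jun/2026:10:00:00 +0000] "GET /EXAMPLE_HUB_PATH/b HTTP/1.1" 200 40',
    '10.1.2.3 - - [29/May/2026:09:00:00 +0000] "GET /EXAMPLE_HUB_PATH/b HTTP/1.1" 200 99',
    '203.0.113.7 - - [30/May/2026:08:00:00 +0000] "GET /other/page HTTP/1.1" 200 77',
]
```

Any source the function returns is a lead for deeper review of that host, not proof of compromise; an empty result only covers the logs that were supplied and retained.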

Open Questions

Several material questions remain unresolved. The complete list of affected organizations has not been published, and beyond the higher-education concentration the identities of most victims are not public. The total number of records stolen across the campaign is unknown, as are any ransom amounts being demanded.

It is also unclear how many of the more than 100 breached organizations will ultimately have data published versus those that detected and contained the intrusion, and whether the victim count will grow as more institutions complete their own investigations. The specific PeopleSoft modules and configurations most exposed beyond the named PeopleTools versions have not been detailed in public reporting.

What is established is enough to act on without waiting for those answers: a CVSS 9.8 unauthenticated takeover flaw, two weeks of in-the-wild exploitation before any patch existed, a confirmed extortion campaign concentrated on universities, and stolen data already on a leak site. For any organization running an exposed PeopleSoft instance, the assumption should be compromise until an investigation proves otherwise.


Sources

Type        Source
Primary     Oracle — Security Alert Advisory CVE-2026-35273
Primary     Google Threat Intelligence Group — ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
Analysis    Rapid7 — Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)
Reporting   TechCrunch
Reporting   The Hacker News
Reporting   BleepingComputer
Reporting   SecurityWeek
Reporting   CyberScoop
Reporting   Dark Reading
Related     The CyberSignal — Charter Spectrum Confirms ShinyHunters 42 Million Records
Related     The CyberSignal — Google GTIG First AI-Developed Zero-Day Mass Exploitation