ShinyHunters Exploits Oracle PeopleSoft Zero-Day, 100+ Orgs Hit
Quick summary
CVE-2026-35273 in Oracle PeopleSoft allows unauthenticated remote code execution. ShinyHunters has claimed over 100 breaches including 500,000 student records from the University of Nottingham.
ShinyHunters, the threat group that previously breached Ticketmaster, AT&T, and the Canvas/Instructure platform with 275 million records, has claimed over 100 new victims in a campaign exploiting an unpatched zero-day in Oracle PeopleSoft. The vulnerability, tracked as CVE-2026-35273, affects PeopleTools versions 8.61 and 8.62 and allows unauthenticated remote code execution. Oracle has not yet shipped a patch as of June 11, 2026.
Among the confirmed victims is the University of Nottingham, where approximately 500,000 current and former student records including personal data and academic records were stolen. Security researchers at Mandiant, Google Cloud's threat intelligence unit, confirmed the exploitation chain in the wild.
What CVE-2026-35273 Is and Why It Is Dangerous
CVE-2026-35273 is a remotely exploitable zero-day in Oracle PeopleSoft that requires no authentication. Attackers exploiting the vulnerability can achieve remote code execution on the underlying server — meaning full system compromise from a single unauthenticated HTTP request.
The exploitation path uses what researchers describe as a "gadget chain": a sequence combining an existing known vulnerability in PeopleTools with the new zero-day, chained together to achieve code execution. Mandiant CTO Charles Carmakal confirmed this framing, noting that the attack surface is wide because PeopleSoft is internet-facing at many universities, hospitals, and large enterprises for HR, payroll, and student administration functions.
PeopleTools 8.61 and 8.62 are the confirmed affected versions. Earlier versions may also be vulnerable — Mandiant's advisory notes that the gadget chain likely works across prior release lines, though exploitation in earlier versions has not been confirmed in observed campaigns.
ShinyHunters and the 100+ Breach Claim
ShinyHunters emerged as a major threat actor in 2020 with the Tokopedia breach and has since claimed some of the highest-profile data theft operations on record. The group operates as a financially motivated cybercriminal organization that typically sells stolen data on dark web forums or ransoms victims directly.
Their known 2026 campaign history before this operation includes the Vercel breach in April (which exposed OAuth tokens), and the Canvas/Instructure attack in May 2026 where they claimed 275 million education records. The PeopleSoft campaign follows a clear targeting pattern: enterprise and education sector software used by institutions that hold large volumes of personal data.
The claim of 100+ organizations is consistent with exploit-first campaigns where a single working zero-day is deployed against every identifiable internet-facing instance before patches exist. When authentication is not required, the attack scales horizontally across all exposed systems simultaneously. The University of Nottingham breach is the first publicly named victim, but the pattern of higher education and enterprise HR deployments suggests significant unreported exposure.
The Canvas/Instructure ShinyHunters breach we covered in May involved a similar education-sector targeting approach. The Vercel breach in April demonstrated ShinyHunters' ability to target developer infrastructure directly. This PeopleSoft campaign escalates both in severity (RCE versus data exfiltration) and in breadth.
What PeopleSoft Is and Who Uses It
Oracle PeopleSoft is an enterprise resource planning suite that has been in deployment at large organizations since the 1990s. The primary user base includes universities and colleges (student information systems, financial aid administration), large enterprises (HR, payroll, benefits management), government agencies (workforce administration), and hospitals (employee management).
The combination of PeopleSoft's age, its integration with core HR and payroll functions, and the fact that many deployments are partially internet-facing for self-service portals creates a large attack surface. Many organizations running PeopleSoft have also under-invested in upgrading to current versions because of the significant cost and complexity of major version migrations.
The irony of CVE-2026-35273 is that PeopleTools 8.61 and 8.62 are relatively recent release branches. This is not an attack on ancient software — it is an attack on actively maintained enterprise infrastructure that Oracle has not yet patched.
Developer and Security Team Immediate Actions
If your organization runs PeopleSoft, the following actions are the minimum response while awaiting an Oracle patch:
Inventory your deployments: Identify every internet-facing PeopleSoft instance. PeopleSoft deployments are often fragmented across departments — a central IT inventory may not capture them all. Check for self-service portals, external API endpoints, and integration middleware.
Restrict external access immediately: Any PeopleSoft instance that does not need to be publicly accessible should have external access removed or filtered to known IP ranges. The CVE requires unauthenticated access — network-level controls are the most immediate mitigation available before a patch ships.
Monitor for exploitation indicators: The Mandiant advisory notes exploitation via specific HTTP request patterns targeting PeopleTools servlet paths. Examine web application firewall logs and application server access logs for anomalous requests matching known exploitation signatures.
Patch aggressively when Oracle ships: Oracle's standard patch cadence is quarterly CPU (Critical Patch Update) releases. Given active exploitation, Oracle has been notified and is expected to ship an out-of-band emergency patch. Subscribe to Oracle security alerts and treat this patch as P0 when it arrives.
Assume compromise if exposed: Any internet-facing PeopleSoft instance that was accessible before this disclosure should be treated as potentially compromised. Forensic analysis of application and OS logs, credential rotation for service accounts, and review of outbound connections from the host are warranted.
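The exposure review behind the "Restrict external access" and "Assume compromise if exposed" steps can start from the web tier's access log. The script below is an added example, not code from Oracle, Mandiant or this article. It lists every source outside an allowlist that reached a PeopleTools servlet path; it is not an exploitation signature, since the article gives none. The URL prefixes, the allowlisted networks and the sample log lines are assumptions to replace with your own.

```python
import ipaddress
import re

# Assumption: URL prefixes commonly served by the PeopleSoft web tier
# (portal, content, Integration Gateway, reports). Adjust per site.
SERVLET_PREFIXES = ("/psp/", "/psc/", "/psigw/", "/psreports/")

# Assumption: networks that are allowed to reach PeopleSoft (campus, VPN).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Common/combined access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def external_servlet_hits(lines):
    """Summarise, per source IP outside ALLOWED_NETS, requests that reached
    a PeopleTools servlet prefix: count, methods, prefixes, first timestamp."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if any(ip in net for net in ALLOWED_NETS):
            continue  # permitted source, not part of the exposure
        path = m["path"].lower()
        prefix = next((p for p in SERVLET_PREFIXES if path.startswith(p)), None)
        if prefix is None:
            continue  # request did not touch a servlet path
        rec = hits.setdefault(str(ip), {"count": 0, "methods": set(),
                                        "prefixes": set(), "first_seen": m["ts"]})
        rec["count"] += 1
        rec["methods"].add(m["method"])
        rec["prefixes"].add(prefix)
    return hits

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE_LOG = """\
10.1.2.3 - - [10/Jun/2026:09:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2026:09:00:05 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE.GBL HTTP/1.1" 200 310
203.0.113.7 - - [10/Jun/2026:09:00:09 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 302 0
198.51.100.20 - - [10/Jun/2026:09:01:00 +0000] "GET /index.html HTTP/1.1" 200 100
""".splitlines()

if __name__ == "__main__":
    for src, rec in sorted(external_servlet_hits(SAMPLE_LOG).items()):
        print(src, rec["count"], sorted(rec["methods"]), sorted(rec["prefixes"]), rec["first_seen"])
```

Any source the script reports is a candidate for both the network filter and the forensic timeline, starting from its first_seen timestamp.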
The Education Sector Problem
The University of Nottingham exposure — 500,000 current and former students — is significant in both scale and sensitivity. Student records typically include names, dates of birth, contact information, enrollment data, financial aid records, and in many cases national insurance or equivalent identity numbers in the local jurisdiction.
This is the third major education sector breach in 2026 attributed to organized threat actors. Canvas/Instructure in May (275M records), this PeopleSoft operation, and ongoing targeting of student loan and financial aid systems establish a clear pattern: education is a priority target because institutions hold large, well-structured personal data with relatively immature security posture compared to financial services or healthcare.
For developers building on top of PeopleSoft integrations — common in university single-sign-on systems, library management, and accommodation platforms — the compromise of the PeopleSoft instance means any downstream system that trusts PeopleSoft identity assertions or session tokens may be affected beyond the core breach.
Our Analysis: Oracle's Patch Cadence Does Not Fit the Threat Landscape
Oracle's quarterly CPU release model was designed for a different era. When enterprise software ran on-premises behind firewalls, quarterly patching was reasonable. The transition to hybrid and cloud-connected PeopleSoft deployments — where self-service portals and API integrations require internet exposure — has fundamentally changed the risk profile.
CVE-2026-35273 is an unauthenticated RCE in software that is internet-facing at hundreds of universities and enterprises. The response timeline for an emergency out-of-band patch should be measured in days, not weeks. If Oracle ships this in the next quarterly CPU rather than as an emergency fix, that is a governance failure on Oracle's part, not just an individual organization's patch management failure.
For organizations depending on Oracle products, the lesson is structural: build network-level controls and monitoring that can respond to zero-days before vendor patches ship. The patch schedule of your software vendor cannot be the sole layer of defense.
The broader pattern with ShinyHunters is also worth noting. This group has now demonstrated the ability to acquire and weaponize zero-days against major enterprise platforms. Their 2026 campaign volume — Vercel, Canvas, now PeopleSoft — suggests either ongoing zero-day acquisition capability or active purchase from an exploit broker. Either way, enterprise security teams should treat ShinyHunters as an adversary with capabilities comparable to nation-state-affiliated groups, not just a financially motivated data broker.
Key Takeaways
- CVE-2026-35273 is an unauthenticated remote code execution zero-day in Oracle PeopleSoft PeopleTools 8.61 and 8.62 — no patch available as of June 11, 2026
- ShinyHunters claims 100+ organizations breached including University of Nottingham with ~500,000 student records stolen
- Exploitation is confirmed in the wild — Mandiant CTO Charles Carmakal confirmed the gadget chain attack path
- Immediate mitigation: remove external network access to PeopleSoft instances that do not require it; monitor for exploitation patterns at application server layer
- Education sector is the primary target — third major education data breach in 2026; PeopleSoft used widely for student information and HR functions at universities
- For developers: audit any downstream systems that consume PeopleSoft identity or session data; treat exposed instances as potentially compromised before forensics confirm otherwise
- What to watch: Oracle emergency out-of-band patch — treat as P0 deployment when shipped
Sources
- Help Net Security — Oracle PeopleSoft CVE-2026-35273 actively exploited
- BleepingComputer — ShinyHunters PeopleSoft campaign, University of Nottingham breach details
- Mandiant / Google Cloud — CVE-2026-35273 gadget chain analysis, Charles Carmakal advisory
- Oracle Security Alerts — Critical Patch Update advisory page
Frequently Asked Questions
What is CVE-2026-35273 in Oracle PeopleSoft?
CVE-2026-35273 is an unauthenticated remote code execution zero-day vulnerability in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. It exploits a gadget chain combining an existing known vulnerability with a new zero-day to achieve full server compromise from a single unauthenticated HTTP request. No official Oracle patch had shipped as of June 11, 2026.
Who is ShinyHunters and how serious is the PeopleSoft breach?
ShinyHunters is a financially motivated cybercriminal threat group that has claimed some of the largest data breaches on record, including Ticketmaster, AT&T, Canvas/Instructure (275M records in May 2026), and the Vercel OAuth token breach in April 2026. In the PeopleSoft campaign, they claim over 100 organizations breached using CVE-2026-35273, with the University of Nottingham confirmed as one victim with approximately 500,000 student records stolen. The group is now considered to have zero-day acquisition and weaponization capabilities.
How should organizations protect PeopleSoft before the Oracle patch ships?
Four immediate steps: remove or restrict external internet access to PeopleSoft instances that do not require public access; monitor web application firewall and application server logs for exploitation patterns targeting PeopleTools servlet paths; treat any previously internet-exposed instance as potentially compromised and begin forensic review; subscribe to Oracle security alerts for emergency out-of-band patch notification and treat it as P0 deployment. Do not wait for the next quarterly CPU cycle.
Which PeopleSoft versions are affected by CVE-2026-35273?
PeopleTools versions 8.61 and 8.62 are confirmed as affected by CVE-2026-35273. Mandiant researchers noted that the underlying gadget chain mechanism may work on earlier PeopleTools versions as well, though active exploitation of older versions had not been confirmed in observed campaigns as of June 11, 2026. Organizations running any version should apply network-level mitigations and monitor Oracle advisories.
Why do ShinyHunters keep targeting education sector organizations?
Education institutions hold large volumes of well-structured personal data — names, dates of birth, identity numbers, financial records — with relatively lower security maturity than financial services or healthcare. PeopleSoft is widely deployed in universities for student information systems and HR functions, often with internet-facing self-service portals that provide attack surface. The 2026 pattern shows Canvas/Instructure in May (275M records) and now PeopleSoft in June, both targeting education-sector deployments of enterprise platforms where a single zero-day yields mass victim counts.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 869+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
