ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach 100+ Organizations — Half a Million University Records Exposed

A critical zero-day in Oracle PeopleSoft Enterprise PeopleTools is being actively exploited, and the ShinyHunters cybercrime group has claimed responsibility for breaching more than 100 organizations using it — with universities accounting for a disproportionate share of confirmed victims. Oracle issued an out-of-band emergency security alert for CVE-2026-35273 today; organizations running PeopleSoft PeopleTools 8.61 or 8.62 should treat this as an immediate remediation priority.
The flaw carries a CVSS 3.1 base score of 9.8 — a critical rating that reflects unauthenticated remote code execution with a network-accessible attack vector. An attacker with no prior credentials can reach a vulnerable PeopleSoft server over the internet and execute arbitrary operating system commands. No user interaction is required. The combination of unauthenticated access and remote code execution at this scale of deployment makes CVE-2026-35273 among the most serious enterprise software vulnerabilities disclosed this year.
Who's Using PeopleSoft and Why This Matters
Oracle PeopleSoft is one of the largest enterprise software platforms in the world, widely deployed in higher education, healthcare, government, and large enterprises for HR, student information systems, financials, and supply chain management. The higher education sector's concentration in the victim list is not accidental: universities are among the largest PeopleSoft deployments globally, many of them running on-premises or in private cloud configurations that may lack the network segmentation that would limit lateral movement after initial compromise.
The University of Nottingham has confirmed it suffered a cyber incident and is investigating the extent of data access. ShinyHunters claims to have exfiltrated tens of gigabytes of data from the Nottingham breach, including personal and academic records for nearly half a million current and former students — names, addresses, phone numbers, ethnicities, disabilities, passport numbers, academic enrollment status, and fee payment records. The university has not confirmed the full scope of the breach, and investigation is ongoing.
What ShinyHunters Is Doing
ShinyHunters is a financially motivated cybercrime group that has been active since at least 2020 and has been linked to some of the largest data thefts in recent years, including the Ticketmaster/Snowflake breach that exposed 560 million records in 2024 and a string of attacks against academic and healthcare institutions. The group's operational pattern is consistent: identify a high-value target running exploitable software, exfiltrate sensitive data, and then attempt to monetize it through ransomware demands or data sale on dark web markets.
In the current campaign, security researchers have found exposed attack infrastructure containing MeshCentral agents — a remote access tool — and credential spraying scripts, indicating that ShinyHunters is both maintaining persistent access to compromised systems and attempting to pivot to additional targets using harvested credentials.
CVE-2026-35273 is the primary entry point, but ShinyHunters is also exploiting older known vulnerabilities in unpatched PeopleSoft deployments as secondary vectors. The implication is that patching CVE-2026-35273 alone is necessary but not sufficient — organizations should audit their PeopleSoft deployments for all outstanding patches across the version history.
What Oracle Has Done
Oracle issued an emergency security alert for CVE-2026-35273 today outside its normal quarterly Critical Patch Update schedule, indicating the severity and active exploitation status warranted an unscheduled release. The alert provides mitigations and, for customers with active support contracts, guidance on patch availability.
Oracle's standard practice of restricting detailed patch documentation to customers with support contracts has drawn criticism in some security circles, particularly in higher education where budget constraints mean many institutions run older software versions on lapsed support contracts. Mandiant CTO Charles Carmakal, who has been tracking the ShinyHunters campaign, issued a public warning about CVE-2026-35273 and encouraged all organizations running PeopleSoft to verify they have applied every available mitigation even if a full patch is not yet accessible.
The CISA Response
CISA separately issued Binding Operational Directive 26-04 today, which changes how federal civilian agencies must approach vulnerability management. The directive mandates that agencies prioritize remediation based on exploitability and impact risk, and that they assess whether a system has already been compromised before applying patches — a recognition that in some cases attackers establish persistence before patches are available, and patching without first checking for existing compromise can obscure an active intrusion.
BOD 26-04 applies directly to federal civilian executive branch (FCEB) agencies, but CISA issued it partly in the context of the accelerating speed at which AI-enabled attack tools shorten the window between vulnerability disclosure and widespread exploitation. The CVE-2026-35273 campaign — where ShinyHunters breached over 100 organizations before Oracle could issue its emergency alert — is a direct illustration of that dynamic.
What to Do Right Now
If your organization runs Oracle PeopleSoft PeopleTools 8.61 or 8.62 (or older unsupported versions), the immediate actions are:
- Apply Oracle's emergency mitigations now. Log in to Oracle's support portal (support.oracle.com) and access the security alert for CVE-2026-35273. Apply all available mitigations immediately — do not wait for a scheduled maintenance window.
- Audit for indicators of compromise before patching. Following CISA's guidance from BOD 26-04: check PeopleSoft application and web server logs for anomalous activity, unexpected user account creation, unauthorized outbound connections, and the presence of MeshCentral agent installations or unexpected scheduled tasks. If evidence of compromise exists, involve a forensics team before applying the patch — patching on a compromised system may not eject an attacker who has achieved persistence.
- Restrict network access to PeopleSoft servers. If PeopleSoft instances are internet-accessible without a web application firewall or VPN requirement, restrict access immediately. The attack vector is network-based unauthenticated access — reducing exposure while patching is in progress limits risk.
- Review PeopleSoft patch history. ShinyHunters is exploiting multiple vulnerabilities, not just CVE-2026-35273. Ensure all outstanding Critical Patch Updates have been applied.
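The "audit before patching" step above is the one most teams skip under pressure. The following triage helper is an added example written for this article; it is not code from Oracle, CISA, BleepingComputer or the researchers cited. It works the checklist from the second bullet over constructed data: a handful of PeopleSoft web-tier access log lines (a combined-style log format is assumed; adapt the regex to your own web server), a process listing, an outbound connection table, and before/after snapshots of local accounts and cron entries. The IP addresses, hostnames and paths are constructed, and the heuristic that the MeshCentral agent shows up as a process whose command line contains "meshagent" is an assumption, not a published indicator; the point is the shape of the checks, not the literal values.

```python
"""Pre-patch compromise triage for a PeopleSoft web/app host (added example).

Constructed inputs throughout; log format, process names and addresses are
assumptions, not indicators taken from the article or from Oracle/CISA.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log lines in a combined-style format (assumed format).
# PeopleSoft's login URL pattern is /psp/<site>/?cmd=login; a 401 on that
# endpoint is treated here as a failed login (assumption for the example).
ACCESS_LOG = """\
198.51.100.7 - - [12/May/2026:08:01:02 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 401 512
198.51.100.7 - - [12/May/2026:08:01:03 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 401 512
198.51.100.7 - - [12/May/2026:08:01:04 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 401 512
198.51.100.7 - - [12/May/2026:08:01:05 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 401 512
198.51.100.7 - - [12/May/2026:08:01:06 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 401 512
203.0.113.20 - - [12/May/2026:08:02:10 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 401 512
203.0.113.20 - - [12/May/2026:08:02:40 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 200 4096
203.0.113.20 - - [12/May/2026:08:03:01 +0000] "GET /psc/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+$'
)


def parse_access_log(text):
    """Parse access log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"src": m["src"], "method": m["method"], "path": m["path"],
                           "status": int(m["status"]),
                           "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return events


def detect_credential_spraying(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source: count} for sources with >= threshold failed logins inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and "cmd=login" in e["path"] and e["status"] == 401:
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over sorted timestamps
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                flagged[src] = j - i
                break
    return flagged


# Constructed (user, pid, command line) process listing.
PROCESSES = [
    ("psadm2", 4120, "/opt/oracle/psft/pt/bea/wlserver/server/bin/java -Dweblogic.Name=PIA"),
    ("root", 5531, "/usr/local/mesh_services/meshagent/meshagent --url wss://203.0.113.77:443/agent.ashx"),
    ("psadm2", 4133, "/opt/oracle/psft/pt/appserv/psappsrv -C dom"),
]
REMOTE_ACCESS_MARKERS = ("meshagent",)   # assumption: MeshCentral agent binary name


def find_remote_access_tools(processes, markers=REMOTE_ACCESS_MARKERS):
    return [p for p in processes if any(m in p[2].lower() for m in markers)]


# Constructed (local, remote_ip, remote_port, state) connection table and an
# allowlist of the DB/app tier hosts this web tier is expected to talk to.
CONNECTIONS = [
    ("10.0.5.12:44120", "10.0.5.40", 1521, "ESTABLISHED"),
    ("10.0.5.12:51002", "203.0.113.77", 443, "ESTABLISHED"),
]
ALLOWED_DESTINATIONS = {"10.0.5.40", "10.0.5.41"}


def find_unexpected_outbound(connections, allowlist=ALLOWED_DESTINATIONS):
    return [c for c in connections if c[3] == "ESTABLISHED" and c[1] not in allowlist]


# Constructed baseline vs. current snapshots of local accounts and cron entries.
BASELINE_ACCOUNTS = {"root", "psadm2", "oracle"}
CURRENT_ACCOUNTS = {"root", "psadm2", "oracle", "svc_backup2"}
BASELINE_CRON = {"0 2 * * * /opt/oracle/psft/backup.sh"}
CURRENT_CRON = {"0 2 * * * /opt/oracle/psft/backup.sh", "*/5 * * * * /tmp/.x/update.sh"}


def find_new_entries(current, baseline):
    """Entries present now that were absent from the known-good baseline."""
    return sorted(set(current) - set(baseline))


def triage():
    events = parse_access_log(ACCESS_LOG)
    return {
        "spraying_sources": detect_credential_spraying(events),
        "remote_access_tools": find_remote_access_tools(PROCESSES),
        "unexpected_outbound": find_unexpected_outbound(CONNECTIONS),
        "new_accounts": find_new_entries(CURRENT_ACCOUNTS, BASELINE_ACCOUNTS),
        "new_cron_entries": find_new_entries(CURRENT_CRON, BASELINE_CRON),
    }


def compromise_suspected(report):
    """Any non-empty finding means: involve forensics before patching."""
    return any(report.values())


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Each finding maps to one item in the checklist: the spraying detector to "anomalous activity" and the credential spraying scripts found on the attackers' infrastructure, the process scan to MeshCentral agents, the connection check to unauthorized outbound traffic, and the snapshot diffs to unexpected accounts and scheduled tasks. Baselines should come from a known-good image or configuration management, not from the host being examined, since a host that is already compromised cannot vouch for its own baseline.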
As reported by BleepingComputer and HelpNetSecurity, Oracle expects to provide additional patch availability guidance through its standard support channels within 24–48 hours.
Originally reported by BleepingComputer / HelpNetSecurity. Read the original article for additional details.