ShinyHunters Hacked 100+ Orgs by Exploiting an Oracle PeopleSoft 0-Day

PeopleSoft remains a backbone for HR, payroll, and student‑record management in large enterprises and universities. The newly disclosed CVE‑2026‑35273 vulnerability scores a 9.8 on the CVSS scale, granting unauthenticated attackers remote code execution via HTTP. Because the flaw affects the PeopleTools component, any organization running unpatched PeopleSoft instances is exposed to full platform takeover, making it a prime target for sophisticated cyber‑crime groups seeking high‑value data.

ShinyHunters, known for data‑theft and extortion, capitalized on the zero‑day to infiltrate more than 100 victims, with 68 percent located in the U.S. higher‑education sector. After exfiltrating 40 GB of student records from the University of Nottingham, the group posted the files publicly when the university declined to meet the ransom demand. Google’s threat‑intel team corroborated the activity, noting malicious traffic matching the vulnerability between late May and early June. The incident underscores how quickly a zero‑day can be weaponized for large‑scale data theft and extortion.

Oracle responded with an out‑of‑band security alert and temporary mitigations, but a comprehensive patch is still pending. This lag leaves thousands of endpoints vulnerable, prompting security teams to prioritize network segmentation, intrusion detection, and rapid deployment of any available work‑arounds. The episode serves as a cautionary tale for enterprises relying on legacy ERP solutions: continuous vulnerability monitoring and swift patch management are essential to prevent similar widescale compromises.