ShinyHunters Attacked 100+ Companies Via Unpatched Oracle PeopleSoft Zero-Day


TL;DR

ShinyHunters exploited an unpatched Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) to breach over 100 organizations. Two-thirds are universities. There is no patch yet.

Oracle warned customers on Thursday of a critical vulnerability in its PeopleSoft software that hackers have already exploited to breach more than 100 organizations. The flaw, CVE-2026-35273, has a CVSS score of 9.8 and can be exploited over the Internet without any authentication. Oracle has not released a patch.

The notice came a day after cybercrime group ShinyHunters claimed responsibility for the massive hacking campaign. Google’s Mandiant confirmed that the bug Oracle revealed is the same one ShinyHunters is exploiting. Mandiant said it notified more than 100 global organizations, most of them in the United States.

Approximately two-thirds of the victims are universities and colleges. A ShinyHunters member told TechCrunch that the group stole “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID.” The University of Nottingham was named among the breached institutions.

“While several organizations successfully blocked the activity or remediated the vulnerabilities, others suffered a compromise, resulting in stolen data being published on the data leak website ShinyHunters,” Mandiant wrote. Oracle did not respond to TechCrunch’s request for comment.

PeopleSoft is used by large companies and universities to manage payroll, human resources, and student records. The vulnerability affects versions 8.61 and 8.62 of PeopleTools. ShinyHunters exploited a chain of legacy and zero-day vulnerabilities to attack on-premises and cloud instances, compromising approximately 300 servers at more than 100 organizations.

The attack follows a pattern. ShinyHunters spent the last year targeting organizations that share the same vulnerable enterprise software. Previous campaigns affected companies that use Salesforce, Gainsight and the Instructure educational platform. The group identifies the flaw, finds all the companies running the software, steals data, and demands a ransom.

Instructure paid the hackers earlier this year after being breached twice. ShinyHunters also defaced the login pages of schools using Instructure’s Canvas portal. The PeopleSoft campaign is the group’s largest yet and is ongoing. Oracle recommended mitigations but has not said when a patch will be available.

For any organization running PeopleSoft, the immediate action is to apply Oracle’s mitigations and restrict Internet access to PeopleSoft servers. The broader lesson is one that the enterprise software industry continues to relearn: when a critical zero-day affects software used by hundreds of large organizations, the attacker only needs to find it once. AI makes vulnerability discovery cheaper. Defenders fixing those flaws aren’t getting any faster. And groups like ShinyHunters are industrializing the exploitation of each window between disclosure and fix.


