ShinyHunters Exploits Oracle Flaw to Breach Universities

CVE-2026-35273 — a zero-day in Oracle PeopleSoft PeopleTools — has been exploited in a campaign that potentially infiltrated the networks of more than 100 organizations, with higher education accounting for the largest share of exposed instances.

CVE-2026-35273 and Oracle PeopleSoft PeopleTools

Security research and incident response teams trace the campaign to a defect identified as CVE-2026-35273 in Oracle PeopleSoft PeopleTools. According to reporting, the vulnerability "allows unauthenticated attackers to execute remote code and take over affected servers." Oracle disclosed the flaw publicly on Wednesday and recommended "some steps for mitigation," but as of the report the vendor had not released a patch and did not respond to a request for comment.

ShinyHunters' campaign and timeline

Mandiant and Google Threat Intelligence Group said they became aware of the activity earlier in June while monitoring ShinyHunters operations. Mandiant places the onset of the attacks at least as far back as May 27. The threat group ShinyHunters claims it hacked more than 100 organizations, and began naming victims and publishing allegedly stolen data on Tuesday. Charles Carmakal, chief technology officer at Mandiant Consulting, told CyberScoop: "This campaign is still active. We have observed ShinyHunters sending extortions as recently as today." Carmakal also warned that more victims, beyond Google's visibility, may be impacted.

Scope of impact: universities and student data

Google told researchers it alerted more than 100 organizations of potentially vulnerable endpoints, and reported that most of the potential victim pool is based in the United States with 68% belonging to the higher education sector. One confirmed target named in the disclosures, the University of Nottingham, said on Wednesday that a significant amount of student data was stolen during a cyberattack after ShinyHunters leaked some of the school's data.

Responses from Mandiant, Google, and Oracle

Google and Mandiant notified organizations that their monitoring linked ShinyHunters activity to exposed PeopleSoft instances. Google declined to confirm how many organizations had been compromised, saying only that it had alerted more than 100 potentially vulnerable customers. Oracle issued a public disclosure and recommended mitigation steps on Wednesday, but had not issued a software patch by the time of the report and did not respond to a request for comment from the reporting outlet.

What this means for technologists, university IT leaders, and students

  • Technologists and security teams: With an identified unauthenticated remote-code-execution vulnerability in PeopleSoft PeopleTools and no vendor patch yet available, teams should review Oracle's published mitigation steps and search for exposed PeopleSoft endpoints. Mandiant and Google both flagged the campaign and timeline, underscoring that active exploitation began as early as May 27 and continued into June.
  • University IT leaders and procurement teams: Higher education is disproportionately represented in Google's count (68% of the potential pool). IT leaders will need to verify exposure of PeopleSoft instances, respond to any extortion communications, and remediate confirmed compromises; the University of Nottingham has already confirmed significant student data theft following a leak.
  • Students and affected individuals: The leak confirmed by at least one university demonstrates that student records are a live target of this extortion campaign. Affected individuals should expect notification from institutions and take standard steps prescribed by those institutions when personal data is compromised.

Less than a year after a different Oracle product — E-Business Suite — was exploited by the Clop ransomware group, this episode reinforces a pattern reported in the source: Oracle products have been targeted through unpatched flaws with subsequent data-theft extortion campaigns. In the earlier E-Business Suite incident, attacks began in August and the associated extortion campaign did not start until October.

The immediate facts are clear: a zero-day in PeopleSoft PeopleTools has been publicly disclosed only after active exploitation, multiple organizations were potentially exposed — many in U.S. higher education — and at least one university has confirmed significant student data theft following a leak. The central open question the record leaves is operational and narrow: will Oracle issue a patch, and how many institutions beyond those Google and Mandiant can see have been compromised as extortion efforts continue?

Original reporting: https://cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/