Emerging ThreatsMalware & Ransomware

ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach 100 Orgs

Analyst 207||Source: TheRegister
University building with modern architecture, slightly ajar door hinting at vulnerability.

"University of Nottingham on our leak site is one of the first publicly confirmed incidents," a ShinyHunters spokesperson told The Register.

ShinyHunters' claim and CVE-2026-35273

Data theft and extortion group ShinyHunters says it has exploited a critical Oracle PeopleSoft bug as a zero-day to compromise more than 100 organizations across roughly 300 vulnerable instances. The group told The Register it used CVE-2026-35273, a vulnerability rated 9.8 on the CVSS scale, which the advisory describes as allowing remote, unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools and fully take over the platform.

University of Nottingham: what was taken and how the leak unfolded

ShinyHunters posted the University of Nottingham on its data leak site on Tuesday and published the stolen files later the same day. The group told The Register it exploited CVE-2026-35273 to break into the university’s PeopleSoft system and steal 40 GB of personal data and billing records belonging to "hundreds of thousands of current and former students." The Register reported the files were published after the university did not meet an extortion demand; the outlet described that timing as "presumably because the school refused to pay the extortion demand."

Oracle, mitigations, and Mandiant's public warning

One day after ShinyHunters leaked the University of Nottingham material, the university confirmed the breach and Oracle issued an out‑of‑band security alert, The Register reported. It is unclear from the published record whether Oracle has issued a patch to fix CVE-2026-35273; The Register said it reached out to Oracle and did not receive a response. Google-owned Mandiant Chief Technology Officer Charles Carmakal posted on LinkedIn that PeopleSoft was one of two zero-days "actively being exploited in the wild." Carmakal wrote that "Oracle released mitigations" and that "Patches should come soon." The other zero-day he named is a Cisco Catalyst SD‑WAN Manager vulnerability.

How technologists, higher‑education administrators, and affected individuals are likely to respond

  • Technologists and security teams: teams running PeopleSoft Enterprise PeopleTools will be watching for and applying any Oracle mitigations and forthcoming patches; they will also be focused on identifying internet‑facing PeopleSoft instances reachable via HTTP, given the advisory that attackers can gain full platform takeover through that vector.
  • Higher‑education administrators and PeopleSoft customers: institutions that use PeopleSoft for student records, billing, payroll, HR and supply chains will be auditing access to student and billing databases and preparing incident notifications — the University of Nottingham confirmed a breach of student personal and billing records and the group said it has begun outreach to affected organisations and is "actively looking to reach an agreement with affected orgs."
  • Affected students and former students: those whose records were among the 40 GB that ShinyHunters says it stole from the University of Nottingham should expect their personal and billing information may be exposed and watch for official communications from the university or other PeopleSoft customers that confirm compromise.

Outstanding specifics and immediate risks

Several concrete questions remain unanswered in the record published by The Register: ShinyHunters did not say when it plans to publish the additional roughly 100 claimed victims; Oracle's alert exists but the public record does not confirm whether a full patch is available; and The Register's attempt to get comment from Oracle produced no response. In the meantime, the combination of a high‑severity (9.8 CVSS) vulnerability that permits full platform compromise over HTTP and an extortion group claiming outreach to scores of victims presents a narrow window in which unpatched, internet‑accessible PeopleSoft instances are at elevated risk.

The facts the record offers are stark: a criminal group claims large‑scale exploitation of a widely used enterprise platform; a university reported a substantial theft of student and billing records; and a major security vendor's CTO publicly warned that PeopleSoft was being actively exploited while saying mitigations exist and patches are expected. Whether those mitigations and patches arrive fast enough — and whether organisations operating PeopleSoft environments find and secure the roughly 300 instances ShinyHunters says were vulnerable — will determine how broadly this incident spreads.

Original report

Data BreachEmerging ThreatsNation-State ActorsRansomwareShinyhuntersSupply ChainZero-DayEducation SectorOracle PeoplesoftCVE-2026-35273
Related Intelligence

Continue Reading

Rows of computer servers and database systems in a brightly-lit, empty office or server room.

Oracle Discloses Zero-Day Flaw in PeopleSoft Exploited in Data Theft Attacks

A critical zero-day flaw in Oracle PeopleSoft, known as CVE-2026-35273, has been exploited by hackers to steal sensitive data from over 100 organizations, with a staggering 300 instances affected. Oracle has issued emergency mitigations and is working on a patch to address this highly vulnerable issue.

Analyst 207
Laptop screen and internal components on a cluttered desk in a dimly lit room.

Microsoft Zero-Day Exploit Bypasses BitLocker Encryption

A security researcher known as Nightmare Eclipse has made a startling discovery, unveiling exploit code called GreatXML that can bypass Microsoft's BitLocker encryption on systems that have run a Microsoft Defender Offline scan. This accidental find took just four hours to uncover, leaving many to wonder about potential vulnerabilities.

Analyst 207
Rows of computer servers and equipment in a brightly-lit, modern technology facility.

Gentlemen Ransomware Spreads Globally, Targets 478 Victims

Meet The Gentlemen, a notorious ransomware group with a sprawling affiliate program that's left 478 victims in its wake, exploiting modern vulnerabilities with alarming speed and flexibility. Led by a single Russian-language operator, LARVA-368, this cybercrime powerhouse has been wreaking havoc since March 2025.

Analyst 207
Rows of computer servers and storage equipment in a brightly-lit server room.

VRChat Breach Exposes Data of 2.4M Users

A massive data breach at VRChat has exposed the sensitive information of over 2.4 million users, leaving them vulnerable to potential cyber threats. This alarming incident highlights the importance of online security and data protection.

Analyst 207