June 12, 2026

PBX Science


Oracle Issues Urgent Warning on PeopleSoft Zero-Day CVE-2026-35273: ShinyHunters Breaches 100+ Organizations, Primarily Universities



Oracle PeopleSoft Zero-Day CVE-2026-35273 – Security Alert
Critical: active zero-day exploitation confirmed; immediate mitigation required


June 11, 2026 · Cybersecurity · Sources: Oracle, Mandiant, BleepingComputer, The Register, Have I Been Pwned

Oracle has issued an emergency out-of-band security advisory for a critical unauthenticated remote code execution flaw in PeopleSoft PeopleTools, actively exploited by the ShinyHunters cybercrime group to steal data from more than 100 organizations worldwide — with universities accounting for 68% of victims.

  • CVSS score: 9.8
  • Organizations breached: 100+
  • Records exposed (Nottingham): 455K

On June 10, 2026, Oracle published an urgent out-of-band security alert addressing CVE-2026-35273, a critical zero-day vulnerability in the Environment Management component (PSEMHUB) of Oracle PeopleSoft Enterprise PeopleTools. The flaw carries a CVSS base score of 9.8 and affects versions 8.61 and 8.62 — and possibly earlier unsupported releases. Because the vulnerable component requires no authentication to exploit, an attacker with simple HTTP network access can achieve full remote code execution and complete control over the affected system without any user credentials or interaction.

Oracle credited researchers Bobby Gould of TrendAI Zero Day Initiative, along with colleagues from TrendAI Research, with discovering and reporting the vulnerability. The company has released emergency mitigation guidance while a full patch is forthcoming, though the patch availability document is currently accessible only to customers with an Oracle support account.


The advisory arrived one day after BleepingComputer first reported that the notorious data theft and extortion group ShinyHunters had claimed to have compromised over 300 PeopleSoft instances belonging to more than 100 organizations. The attackers reportedly chained old and zero-day vulnerabilities together to gain access, targeting both on-premises and cloud-hosted deployments. According to Mandiant, threat actors exploited the vulnerability before Oracle’s June 10 advisory was published, making it a confirmed zero-day in active exploitation.

“Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Most of these organizations were based in the United States, and 68 percent operated within the higher education sector.”

— Mandiant Threat Intelligence, June 11, 2026

Mandiant CTO Charles Carmakal confirmed the zero-day exploitation publicly and noted that Oracle had released mitigations, with patches expected soon. His team’s investigation found that threat actors deployed customized MeshCentral remote management agents disguised as Microsoft Azure services, used attacker-controlled infrastructure to stage tools, and conducted systematic reconnaissance across compromised environments. Ransom notes were left in public directories of breached servers, and stolen databases and log files were subsequently leaked.


The most prominently confirmed victim is the University of Nottingham in the United Kingdom, whose Oracle Campus Solutions student records system — a PeopleSoft-adjacent platform — was breached. ShinyHunters posted the university on its data leak site on June 9, 2026, and published approximately 40 GB of stolen files after the institution reportedly declined to pay the extortion demand. The university confirmed the incident on June 10 and stated it had notified affected individuals and relevant regulatory bodies including the ICO and Action Fraud.

Breach notification service Have I Been Pwned analyzed the leaked data and confirmed it contained approximately 455,000 unique email addresses tied to current students and alumni, along with extensive personal information including names, home and postal addresses, phone numbers, ethnicities, disabilities, passport numbers, national insurance numbers, financial information, and academic enrollment and fee payment records. ShinyHunters also claimed that the university’s Malaysia and China campuses were compromised.


The concentration of attacks on higher education institutions is consistent with known patterns: universities frequently run complex, legacy-adjacent ERP systems that are slow to patch, maintain large volumes of sensitive personal data, and often expose management interfaces to the public internet. These characteristics make them disproportionately attractive targets for exploitation campaigns of this nature.

ShinyHunters has been increasingly active in 2026, having also been linked earlier in the year to breaches at Harvard University, the University of Pennsylvania, and the edtech firm Instructure (Canvas LMS). The group’s tactics in the PeopleSoft campaign — chaining old vulnerabilities with a new zero-day, deploying disguised remote management tools, and threatening public data leaks as leverage — reflect a high degree of operational sophistication.

Recommended Mitigations (Oracle & Mandiant)

  • Block all external internet access to PeopleSoft Environment Management Hub (PSEMHUB) endpoints immediately
  • Apply Oracle’s emergency mitigation guidance without delay; monitor the patch availability document for a full fix
  • Audit access logs for unauthorized activity, unusual reconnaissance patterns, or unexpected outbound connections
  • Scan public-facing web directories for ransom notes, dropped scripts, or unfamiliar files indicative of compromise
  • Review network segmentation to ensure management components are never directly internet-accessible
  • Organizations running unsupported PeopleTools versions should assume vulnerability and treat the situation as a critical emergency
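
The log-audit step above can start with a check for hub requests that arrived from outside the internal network. The following is an added example, not Oracle's or Mandiant's tooling; it assumes the web tier writes Common/Combined Log Format and that hub URLs begin with `/PSEMHUB` (inferred from the component name), and its sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumptions: Common/Combined Log Format, and a "/PSEMHUB" URL prefix
# inferred from the component name. Adjust both to the local deployment.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
HUB_PREFIX = "/psemhub"
# Explicit internal ranges (ip.is_private also covers documentation ranges).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7")]

def is_external(addr, trusted=()):
    """True when addr is outside the internal and trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # hostname or garbage in the source field: review it
    nets = INTERNAL + [ipaddress.ip_network(n) for n in trusted]
    return not any(ip in net for net in nets)

def find_external_hub_hits(lines, trusted=()):
    """Return (hits, per-source counts) for external hub requests."""
    hits, counts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().startswith(HUB_PREFIX):
            continue
        if is_external(m["src"], trusted):
            hits.append((m["ts"], m["src"], m["method"], m["path"], int(m["status"])))
            counts[m["src"]] += 1
    return hits, counts

# Constructed sample lines using documentation-range addresses.
SAMPLE = [
    '10.20.1.15 - - [09/Jun/2026:02:11:04 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.45 - - [09/Jun/2026:02:14:31 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1893',
    '203.0.113.45 - - [09/Jun/2026:02:14:37 +0000] "POST /psemhub/hub HTTP/1.1" 500 77',
    '198.51.100.7 - - [09/Jun/2026:03:00:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096',
    '198.51.100.7 - - [09/Jun/2026:03:00:09 +0000] "GET /PSEMHUB/hub HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_external_hub_hits(SAMPLE)[0]:
        print(*hit)
```

Any hit with a status below 400 means an external request reached the hub rather than being stopped at the edge; pass known proxy or VPN ranges as `trusted` to suppress expected sources.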

Mandiant CTO Charles Carmakal also flagged that CVE-2026-35273 is one of two zero-day vulnerabilities actively being exploited in the wild at this time — the other being a separate flaw in Cisco Catalyst SD-WAN Manager. Organizations running PeopleSoft should treat this as a critical priority regardless of whether they believe their deployment is internet-accessible, as network topology assumptions have proven incorrect in previous incidents of this type.
