
ShinyHunters Exploits Oracle PeopleSoft CVE-2026-35273 Zero-Day to Breach Universities
Key Takeaways
- ShinyHunters exploited CVE-2026-35273 in Oracle PeopleSoft to breach 100+ organizations, including universities.
- Vulnerability enables unauthenticated remote code execution; exploitation ongoing, prompting urgent out-of-band Oracle advisory.
- Oracle issued a security patch and warned of data theft as attackers exfiltrated records.
PeopleSoft zero-day exploited
Oracle warned customers about CVE-2026-35273, a PeopleSoft Enterprise PeopleTools flaw with a CVSS v3.1 Base Score of 9.8 that can be exploited over the internet without any authentication, such as a password.
The Hacker News said ShinyHunters exploited the unpatched flaw to break into enterprise systems, steal data, and demand payment to keep it private, with activity dated between May 27 and June 9.

Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild, and Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.
The Hacker News described the vulnerability as a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10 that needs no login and no user interaction, just network access over HTTP, to take over the server.
Oracle’s guidance centered on mitigation, including disabling the Environment Management Hub service on multi-server setups or removing the PSEMHUB application outright on single-server setups, and blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter.
Mandiant, ShinyHunters, victims
Mandiant warned that ShinyHunters was abusing the same Oracle flaw, and TechCrunch reported that Mandiant confirmed it has also notified more than "100 global organizations," most of them in the United States.
The Hacker News said Mandiant then triaged five sequential IP addresses running Python's SimpleHTTP server on port 8888, and those servers exposed staging files including a shared .bash_history and a lateral-movement script.

Help Net Security quoted a threat researcher noting, "At the /pay_or_leak endpoint, is stolen data from 20+ organizations," and added that the same bash history log contained a purpose-built shell script "uon_fanout.sh".
The Hacker News said The University of Nottingham is one of the first confirmed victims, and it described Have I Been Pwned as having counted about 455,000 unique email addresses in the leaked set.
In a separate account, Security Boulevard said ShinyHunters claimed it stole data from 300 instances across more than 100 organizations, and it said the group’s extortion demands were signed by ShinyHunters.
Mitigation and what’s at risk
Oracle’s out-of-band advisory said it was a critical issue affecting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, and SecurityWeek reported that Oracle released mitigations rather than a full patch.
“Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert. A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools is being exploited in the wild, Charles Carmakal, CTO at cybersecurity firm Mandiant, part of Google Cloud, warned today.”
SecurityWeek also said Oracle noted in its advisory, “We consider implementation of the recommended mitigations to be a high-priority risk reduction measure and strongly recommend immediate action to address the identified exposure.”
Rescana warned that public proof-of-concept code and automated detection templates are widely available, increasing the risk to unpatched systems, and it said sophisticated ransomware and data extortion groups including Cl0p and ShinyHunters are leveraging the flaw to compromise enterprise environments.
The Hacker News said the immediate move is to lock those endpoints down and that WAF body-inspection rules alone are not enough, since they can be bypassed, while restricting these endpoints does not break normal user sessions.
TechCrunch described the stakes as stolen data being published on the ShinyHunters data leak website after compromise, and it said Oracle had not released a patch for the vulnerability at the time of writing while recommending customers apply its mitigations.
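To check whether the perimeter block on /PSEMHUB/* and /PSIGW/HttpListeningConnector is actually holding, the following added example (not from Oracle, Mandiant or any of the cited reports) scans web access logs for external clients reaching those paths, normalizing encoded and padded variants first. The log format, the internal address ranges, the 403-means-blocked convention and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Paths the article says to block externally (compared lower-cased, a conservative choice).
BLOCKED = ("/psemhub", "/psigw/httplisteningconnector")
# Assumptions: these ranges count as internal; logs are in combined log format.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalize_path(target):
    """Canonicalise a request target so encoded or padded variants compare equal."""
    path, prev = target.split("?", 1)[0], None
    while prev != path:                      # undo repeated percent-encoding
        prev, path = path, unquote(path)
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        seg = seg.split(";", 1)[0]           # drop ;path-parameters
        if seg == "..":
            del segments[-1:]                # step up one level, never above the root
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments).lower()

def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True                          # unparseable client: treat as external
    return not any(ip in net for net in INTERNAL)

def find_exposed_hits(lines):
    """Return (client, method, raw_target, status, blocked) for external hits.
    Assumption: the perimeter answers 403 when its block rule fires."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        client, method, target, status = m.groups()
        path = normalize_path(target)
        if is_external(client) and any(path == p or path.startswith(p + "/") for p in BLOCKED):
            hits.append((client, method, target, int(status), status == "403"))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder sub-paths).
SAMPLE = [
    '203.0.113.10 - - [01/Jun/2026:10:00:00 +0000] "POST /PSEMHUB/example HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2026:10:00:05 +0000] "POST /psigw/%48ttpListeningConnector HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jun/2026:10:00:09 +0000] "GET /PSIGW/HttpListeningConnector;x=1 HTTP/1.1" 403 0',
    '10.1.2.3 - - [01/Jun/2026:10:01:00 +0000] "POST /PSEMHUB/example HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/Jun/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Any hit whose last field is False is an external request that was not rejected at the perimeter and should be triaged against the exploitation window reported above.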