
ShinyHunters Exploits Oracle PeopleSoft Zero-Day CVE-2026-35273 in Mass Hacking Campaign
Key Takeaways
- ShinyHunters exploited CVE-2026-35273 in Oracle PeopleSoft, breaching 100+ organizations, mostly universities.
- Oracle issued an out-of-band advisory and patch for the unauthenticated RCE flaw.
- ShinyHunters extorted victims, threatening data leaks after breaches across higher education.
Zero-day used on PeopleSoft
Oracle PeopleSoft PeopleTools servers were targeted in the wild after a zero-day vulnerability, tracked as CVE-2026-35273, was exploited in a mass-hacking campaign linked to ShinyHunters.
“One of the world’s most active ransomware groups exploited a critical vulnerability in Oracle’s PeopleSoft software suite and used it to target about 100 customers and extort at least one of them to pay up in exchange for not leaking stolen data, researchers said”
Mandiant CTO Charles Carmakal warned that the flaw is remotely exploitable without authentication and may result in remote code execution, affecting PeopleSoft PeopleTools versions 8.61 and 8.62.

Mandiant and the Google Threat Intelligence Group confirmed that ShinyHunters (UNC6240) targeted Oracle PeopleSoft application infrastructure between May 27, 2026 and June 9, 2026, and said the activity “is consistent” with exploitation of CVE-2026-35273.
Oracle’s advisory said the vulnerability is remotely exploitable without authentication and “may result in remote code execution,” while TechCrunch reported Oracle had not released a patch “at the time of writing.”
Higher education hit, data leaked
Mandiant said it notified more than “100 global organizations,” most of them in the United States, and TechCrunch reported that about two-thirds of those organizations are in higher education.
The campaign’s impact included stolen data being published on the ShinyHunters [Data Leak Website], and Mandiant wrote that “others experienced compromise, resulting in stolen data being published.”

The University of Nottingham confirmed it suffered a cybersecurity incident and that it notified affected students and alumni directly, while Cybersecurity Dive reported the university said a “significant amount of data” in its student records was compromised.
Cybersecurity Dive added that the flaw was added to CISA’s Known Exploited Vulnerabilities catalog and confirmed it has been used in ransomware attacks, and it said federal civilian agencies have until Monday to remediate the vulnerability.
Mitigations and ongoing extortion
Oracle urged customers to apply mitigations and take “immediate action” to reduce exposure, including disabling the Environment Management Hub service in Multi-Server configurations or removing the PSEM hub in Single-Server configurations.
If organizations could not disable the EMHub service, Oracle guidance described blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter or firewall level, and Mandiant warned that WAF body-inspection rules alone are not enough.
Researchers tied to Mandiant and the Google Threat Intelligence Group said the attackers used customized MeshCentral agents disguised as Microsoft Azure services, and the campaign relied on remote code execution without authentication to take over exposed systems.
CyberScoop reported that Charles Carmakal said, “This campaign is still active,” and it described extortions being sent as recently as that Thursday evening, with the implication that more victims beyond Google’s visibility may be impacted.
More on Crime

Devon Police Arrest 26-Year-Old Man Suspected Of Murdering Ann Widdecombe In Dartmoor
11 sources compared
South African Police Arrest Ndodana Mkhanyisi Tshuma Over Triple Murder In Bedfordshire
12 sources compared

Syrian Authorities Arrest Damascus Bombing Cell Linked To Islamic State During Macron Visit
11 sources compared

DHS Says ICE Officer Shot Lorenzo Salgado Araujo in Houston After Vehicle Ram, No Bodycam Footage
13 sources compared