ShinyHunters Exploits Oracle PeopleSoft Zero-Day CVE-2026-35273 in Mass Hacking Campaign
Image: Zamin.uz

ShinyHunters Exploits Oracle PeopleSoft Zero-Day CVE-2026-35273 in Mass Hacking Campaign

10 June, 2026.Crime.25 sources

Key Takeaways

  • ShinyHunters exploited CVE-2026-35273 in Oracle PeopleSoft, breaching 100+ organizations, mostly universities.
  • Oracle issued an out-of-band advisory and patch for the unauthenticated RCE flaw.
  • ShinyHunters extorted victims, threatening data leaks after breaches across higher education.

Zero-day used on PeopleSoft

Mandiant CTO Charles Carmakal warned that the flaw is remotely exploitable without authentication and may result in remote code execution, affecting PeopleSoft PeopleTools versions 8.61 and 8.62.

Image from Ars Technica
Ars TechnicaArs Technica

Mandiant and the Google Threat Intelligence Group confirmed that ShinyHunters (UNC6240) targeted Oracle PeopleSoft application infrastructure between May 27, 2026 and June 9, 2026, and said the activity “is consistent” with exploitation of CVE-2026-35273.

Oracle’s advisory said the vulnerability is remotely exploitable without authentication and “may result in remote code execution,” while TechCrunch reported Oracle had not released a patch “at the time of writing.”

Higher education hit, data leaked

Mandiant said it notified more than “100 global organizations,” most of them in the United States, and TechCrunch reported that about two-thirds of those organizations are in higher education.

The campaign’s impact included stolen data being published on the ShinyHunters [Data Leak Website], and Mandiant wrote that “others experienced compromise, resulting in stolen data being published.”

Image from BleepingComputer
BleepingComputerBleepingComputer

The University of Nottingham confirmed it suffered a cybersecurity incident and that it notified affected students and alumni directly, while Cybersecurity Dive reported the university said a “significant amount of data” in its student records was compromised.

Cybersecurity Dive added that the flaw was added to CISA’s Known Exploited Vulnerabilities catalog and confirmed it has been used in ransomware attacks, and it said federal civilian agencies have until Monday to remediate the vulnerability.

Mitigations and ongoing extortion

Oracle urged customers to apply mitigations and take “immediate action” to reduce exposure, including disabling the Environment Management Hub service in Multi-Server configurations or removing the PSEM hub in Single-Server configurations.

If organizations could not disable the EMHub service, Oracle guidance described blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter or firewall level, and Mandiant warned that WAF body-inspection rules alone are not enough.

Researchers tied to Mandiant and the Google Threat Intelligence Group said the attackers used customized MeshCentral agents disguised as Microsoft Azure services, and the campaign relied on remote code execution without authentication to take over exposed systems.

CyberScoop reported that Charles Carmakal said, “This campaign is still active,” and it described extortions being sent as recently as that Thursday evening, with the implication that more victims beyond Google’s visibility may be impacted.

More on Crime