ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Breaching Over 100 Organizations
In early June 2026, the ShinyHunters cybercrime group mounted one of the year's most impactful zero-day campaigns, exploiting a critical flaw in Oracle PeopleSoft to breach more than 100 organizations worldwide. The attack, which hit universities and enterprises before any official fix was available, underscores the persistent risk facing large-scale ERP deployments and the speed at which extortion-focused threat actors can weaponize undisclosed vulnerabilities.
The vulnerability at the center of the campaign, CVE-2026-35273, carries a CVSS v3.1 base score of 9.8 and allows unauthenticated remote code execution with no user interaction. This article breaks down the technical details of the flaw, the timeline of the attack, the data stolen, the responses from Oracle and CISA, and the practical steps defenders should take now.
The Vulnerability: What Is CVE-2026-35273?
CVE-2026-35273 resides in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools, affecting versions 8.61 and 8.62. The flaw is a server-side request forgery (CWE-918) that can be triggered over HTTP without authentication. Successful exploitation can lead to a full takeover of the PeopleSoft server, granting attackers complete control over the system's confidentiality, integrity, and availability.
Oracle credited researchers from the TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability. The critical combination of network-based attack vector, low complexity, lack of authentication, and no user interaction made the vulnerability a prime target for mass exploitation the moment it became known to attackers.
How the Attack Unfolded: A Pre-Patch Timeline
The campaign was attributed by Google's Mandiant to the group it tracks as UNC6240, publicly known as ShinyHunters. Mandiant dated the active exploitation window from May 27, 2026, through June 9, 2026.
Because Oracle did not publish its security advisory or release a patch until June 10, 2026, the vulnerability remained a zero-day throughout the entire period of active exploitation. During that window, the attackers scanned the internet for exposed PeopleSoft instances and used CVE-2026-35273 to gain an initial foothold on unpatched servers.
Once inside, the group moved laterally through the compromised environments. Security researchers at Field Effect noted that the attackers combined CVE-2026-35273 with credential-based techniques and possibly additional vulnerabilities to maximize the scale of compromise and locate valuable data stores. This multi-stage approach allowed ShinyHunters to extract far more data than a simple smash-and-grab exploit would yield.
After exfiltrating data, the group followed its established playbook: they demanded payment from victims, threatening to publish the stolen information if demands were not met. This extortion-first tactic, rather than ransomware deployment, is a hallmark of ShinyHunters operations.
What Data Was Stolen
The stolen data varied by victim organization, but several high-value categories recurred across the breached instances:
Personally identifiable information (PII) of students, faculty, and staff.
Academic records, enrollment data, and financial aid information, reflecting the heavy concentration of victims in the education sector.
HR and payroll data from enterprise PeopleSoft deployments, including benefits and salary information.
Internal system configuration files and credentials that the attackers used to move laterally within compromised environments.
The breadth of stolen data reflects PeopleSoft's role as a centralized ERP system that aggregates sensitive records across HR, finance, and campus operations. A single compromise can expose years of personal and institutional data.
Oracle's Out-of-Band Response
On June 10, 2026, Oracle broke from its regular quarterly patch cycle and published an out-of-band security alert for CVE-2026-35273. The company released patches for PeopleTools 8.61 and 8.62 on the same day, an unusually urgent move that highlighted the active and widespread exploitation.
Oracle's advisory was blunt: "This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution." The company urged all customers to apply the patch as a "high-priority risk reduction measure."
CISA Raises the Alarm
Two days after Oracle's advisory, on June 12, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35273 to its Known Exploited Vulnerabilities (KEV) catalog. This addition triggered mandatory patching deadlines for U.S. federal agencies and served as a strong signal to all organizations, public and private, that the flaw was under active, widespread attack.
The Canadian Centre for Cyber Security also issued advisory AV26-587 on June 11, warning of active exploitation and directing administrators to Oracle's guidance immediately. The coordinated government response reflected the severity and scale of the incident.
Urgent Mitigation Steps
Based on guidance from Oracle, CISA, Rapid7, and other security vendors, organizations running PeopleSoft should take these actions without delay:
Apply Oracle's out-of-band patch to PeopleTools 8.61 and 8.62 immediately.
Check for unsupported versions. If running a version outside the patched scope, plan an emergency upgrade to a supported release before patching.
Conduct a forensic review of PeopleSoft application and database servers for signs of web shells, unauthorized scripts, or credential dumping tools.
Rotate all credentials stored in or accessible from PeopleSoft environments, including service accounts and database connection strings.
Restrict network access to PeopleSoft HTTP/HTTPS interfaces (ports 80 and 443) from the internet where possible, or place them behind a VPN.
Monitor for anomalous outbound data transfers originating from PeopleSoft servers: large transfers to unfamiliar external IP addresses are a strong indicator of exfiltration.
Indicators of Compromise (IoCs)
Published IoCs are still evolving as investigations continue. However, several categories of indicators have emerged from early reporting:
Unauthorized HTTP requests targeting the Updates Environment Management endpoint within PeopleTools.
Web shells or unexpected script files appearing on PeopleSoft application servers.
Unusual authentication events from unfamiliar IP addresses or service accounts that rarely log in.
Large outbound data transfers from PeopleSoft database servers to external destinations.
Newly created service accounts or scheduled tasks on compromised servers.
Specific attacker-controlled IP addresses have also been published. Pathlock, for example, reported connections from 142.11.200.186–190, 108.174.202.99, and 176.120.22.24, as well as a ransom file named README-IF-... that organizations should search for in their PeopleSoft logs.
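A small log-hunting script, added here as an illustration and not part of the original reporting or of any vendor tooling, that applies the published IoCs above (the Pathlock IP addresses and Mandiant's exploitation window) to constructed web-server access-log lines. The Updates Environment Management URL path is not given in the article, so the `UEM_PATH` pattern is a placeholder that must be replaced with the real path for your deployment.

```python
import re
from datetime import datetime, date

# Attacker IPs reported by Pathlock (as quoted above); 142.11.200.186-190 is expanded here.
ATTACKER_IPS = {"108.174.202.99", "176.120.22.24"} | {f"142.11.200.{n}" for n in range(186, 191)}

# Mandiant's pre-patch exploitation window (inclusive), from the timeline above.
WINDOW_START, WINDOW_END = date(2026, 5, 27), date(2026, 6, 9)

# ASSUMPTION: the article names the Updates Environment Management component but not
# its URL path, so this placeholder pattern must be swapped for the real endpoint.
UEM_PATH = re.compile(r"/PLACEHOLDER_UEM_ENDPOINT", re.IGNORECASE)

# NCSA combined-log style line, as emitted by the web tier in front of PeopleSoft.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for demonstration; not real captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2026:08:01:12 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/HR.GBL HTTP/1.1" 200 5120
142.11.200.188 - - [02/Jun/2026:08:02:44 +0000] "POST /PLACEHOLDER_UEM_ENDPOINT HTTP/1.1" 200 312
203.0.113.7 - - [15/Jun/2026:10:15:00 +0000] "POST /PLACEHOLDER_UEM_ENDPOINT HTTP/1.1" 403 0
198.51.100.9 - - [01/Jun/2026:23:59:59 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/HR.GBL HTTP/1.1" 200 4096
"""


def classify(line):
    """Return the IoC reasons a single log line matches, or [] if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparsable lines are skipped, not silently treated as clean matches
    reasons = []
    if m["ip"] in ATTACKER_IPS:
        reasons.append("known attacker IP")
    if UEM_PATH.search(m["path"]):
        reasons.append("request to UEM endpoint")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
    # The window alone is not an indicator (all traffic of that fortnight falls in it),
    # so it is only recorded as context when another IoC already fired.
    if reasons and WINDOW_START <= ts <= WINDOW_END:
        reasons.append("inside pre-patch exploitation window")
    return reasons


def hunt(log_text):
    """Return (source_ip, path, reasons) for every suspicious line; even a failed
    probe (e.g. HTTP 403) is kept, because it still shows who was looking."""
    findings = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.append((m["ip"], m["path"], reasons))
    return findings
```

Running `hunt(SAMPLE_LOG)` flags the second and third sample lines; the first and fourth are ordinary portal traffic and are left alone.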
ShinyHunters and the Education Sector: A Recurring Pattern
The Oracle PeopleSoft campaign is not an outlier for ShinyHunters. The group has a well-documented preference for educational targets, driven by several strategic factors:
Rich, aggregated data sets. Universities and colleges run massive PeopleSoft deployments that consolidate decades of personal, academic, and financial records across hundreds of thousands of individuals.
Slow patching cycles. Higher education institutions frequently run heavily customized PeopleSoft environments with inconsistent and delayed update cadences, making them easy targets for any vulnerability that becomes weaponized.
Extortion, not ransomware. ShinyHunters focuses on data theft and extortion rather than ransomware deployment, a model that yields high returns when the stolen data is sensitive enough to command a payout.
Mass opportunistic scanning. The group scans broadly across entire sectors rather than singling out individual high-value targets, a technique that maximizes their footprint whenever a critical vulnerability like CVE-2026-35273 surfaces.
The June 2026 campaign follows earlier ShinyHunters attacks on universities and education-technology platforms, where the group stole millions of records and sold them on dark-web forums. The combination of a zero-day RCE flaw in PeopleTools and a victim sector with persistent security gaps proved devastatingly effective.
For organizations still assessing their exposure, the immediate priority is patching. Beyond that, the incident serves as a reminder that large-scale ERP platforms require the same layered defenses, monitoring, and rapid-response capability as any internet-facing critical service.