TL;DR
ShinyHunters exploited an unpatched Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) to breach 100+ organisations. Two-thirds are universities. No patch yet.
Oracle warned customers on Thursday of a critical vulnerability in its PeopleSoft software that hackers have already exploited to breach more than 100 organisations. The flaw, CVE-2026-35273, carries a CVSS score of 9.8 and can be exploited over the internet without any authentication. Oracle has not released a patch.
The advisory came a day after the cybercrime group ShinyHunters claimed responsibility for the mass-hacking campaign. Google’s Mandiant confirmed that the bug Oracle disclosed is the same one ShinyHunters is exploiting. Mandiant said it notified more than 100 global organisations, most of them in the United States.
About two-thirds of the victims are universities and colleges. A ShinyHunters member told TechCrunch the group stole “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID.” The University of Nottingham was named among the breached institutions.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!
“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters Data Leak Website,” Mandiant wrote. Oracle did not respond to TechCrunch’s request for comment.
PeopleSoft is used by large companies and universities to manage payroll, human resources, and student records. The vulnerability affects PeopleTools versions 8.61 and 8.62. ShinyHunters exploited a chain of old and zero-day vulnerabilities to target both cloud and on-premises instances, compromising approximately 300 servers across the 100+ organisations.
The attack follows a pattern. ShinyHunters has spent the past year targeting organisations that share the same vulnerable enterprise software. Previous campaigns hit companies using Salesforce, Gainsight, and education platform Instructure. The group identifies the flaw, finds every company running the software, steals data, and demands a ransom.
Instructure paid the hackers earlier this year after being breached twice. ShinyHunters also defaced the login pages of schools using Instructure’s Canvas portal. The PeopleSoft campaign is the largest yet, and it is ongoing. Oracle recommended mitigations but has not said when a patch will be available.
For any organisation running PeopleSoft, the immediate action is to apply Oracle’s mitigations and restrict internet-facing access to PeopleSoft servers. The broader lesson is one the enterprise software industry keeps relearning: when a critical zero-day hits software used by hundreds of large organisations, the attacker only needs to find it once. AI is making vulnerability discovery cheaper. The defenders patching those flaws are not getting faster. And groups like ShinyHunters are industrialising the exploitation of every window between disclosure and fix.
