Zero-day | Ongoing

Oracle PeopleSoft PeopleTools zero-day exploited by ShinyHunters (CVE-2026-35273)

Oracle issued an emergency out-of-band alert after the ShinyHunters crew exploited a critical unauthenticated remote-code-execution zero-day in PeopleSoft PeopleTools to steal data from more than 100 organisations, most of them universities.

Victim: Oracle PeopleSoft
CVE: CVE-2026-35273

On 10 June 2026, Oracle published an emergency, out-of-band security alert for CVE-2026-35273, a critical zero-day in the Environment Management component (PSEMHUB) of Oracle PeopleSoft Enterprise PeopleTools. The flaw had already been exploited in the wild for roughly two weeks by the data-extortion crew ShinyHunters, which Google's Mandiant tracks as UNC6240, to break into more than 100 organisations and steal their data.

What happened

CVE-2026-35273 carries a CVSS v3.1 base score of 9.8 and a vector (AV:N/AC:L/PR:N/UI:N) describing a flaw that an unauthenticated attacker can exploit remotely over the network with no user interaction, resulting in remote code execution. It affects PeopleSoft Enterprise PeopleTools 8.61 and 8.62. Because the bug lives in an internet-facing management component, a single unauthenticated request was enough to give attackers code execution on exposed servers.

Mandiant reported that exploitation ran from 27 May 2026 through 9 June 2026, before Oracle's advisory existed, making this a true zero-day. After gaining a foothold, the attackers mapped PeopleSoft configurations and internal network topology, moved laterally using a custom propagation script and SSH credential spraying, dropped extortion marker files (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT), and exfiltrated compressed data using zstd. Stolen datasets began appearing on the ShinyHunters leak site on 9 June.

Impact

  • A critical (CVSS 9.8) unauthenticated remote-code-execution zero-day in PeopleTools 8.61 and 8.62.
  • More than 100 organisations notified by Mandiant, the majority based in the United States.
  • 68% of the affected organisations operated in higher education: universities and colleges that run PeopleSoft for student, HR, and finance systems.
  • Confirmed data theft and extortion-site publication rather than file-encrypting ransomware.
  • Oracle released a fix and urged customers to patch immediately and review exposed PeopleSoft instances for compromise.
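For the compromise review urged above, a host triage in Python that looks for the post-exploitation artifacts this page reports: the marker file name, zstd archives, and SSH failures spread across many accounts from one source. This is an added example, not Oracle's or Mandiant's tooling; the `.zst`/`.zstd` extension check, the `min_users` threshold, the OpenSSH log line format and the sample log lines are assumptions constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Marker file name as reported on this page.
MARKER = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
# OpenSSH auth log lines; the failure pattern covers valid and "invalid user" forms.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")

def scan_tree(root):
    """Return (marker_paths, zstd_paths) found anywhere under root."""
    markers, archives = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == MARKER:
                markers.append(path)
            elif name.lower().endswith((".zst", ".zstd")):  # assumed extensions
                archives.append(path)
    return sorted(markers), sorted(archives)

def find_spraying(log_lines, min_users=5):
    """Flag sources that failed against >= min_users distinct accounts.

    min_users is an assumed threshold; tune it to the environment.
    Returns {source: {"users": [...], "then_accepted": [...]}}.
    """
    failed, accepted = defaultdict(set), defaultdict(set)
    for line in log_lines:
        if (m := FAILED.search(line)):
            failed[m.group(2)].add(m.group(1))
        elif (m := ACCEPTED.search(line)):
            accepted[m.group(2)].add(m.group(1))
    return {
        src: {"users": sorted(users), "then_accepted": sorted(accepted[src])}
        for src, users in failed.items() if len(users) >= min_users
    }

# Constructed sample sshd lines using documentation address ranges, not real logs.
SAMPLE_LOG = [
    f"Jun  1 02:14:0{i} app01 sshd[41{i}]: Failed password for {u} from 192.0.2.10 port 5000{i} ssh2"
    for i, u in enumerate(["root", "oracle", "psadm1", "psadm2", "backup"])
] + [
    "Jun  1 02:14:09 app01 sshd[419]: Accepted password for psadm2 from 192.0.2.10 port 50009 ssh2",
    "Jun  1 03:00:00 app01 sshd[500]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2",
]

if __name__ == "__main__":
    print(scan_tree("."))
    print(find_spraying(SAMPLE_LOG))
```

A source that appears with a non-empty `then_accepted` list failed against many accounts and then logged in, which is the case to escalate first.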

Why it matters

PeopleSoft is the back-office backbone for a large share of the world's universities and large enterprises, holding student records, payroll, and financial data, exactly the bulk personal information that an extortion group can monetise. The campaign is another example of ShinyHunters pivoting to mass exploitation of a single enterprise-software zero-day, echoing earlier cohorts built around Salesforce and SharePoint data theft. The lesson is a familiar one: an internet-exposed management component running an unauthenticated code path is a standing invitation, and the window between first exploitation and vendor advisory, here about two weeks, is more than enough time to empty a database.

Timeline

  1. Earliest observed exploitation of CVE-2026-35273 against internet-facing PeopleSoft deployments, per Mandiant.

  2. ShinyHunters publishes data from victim organisations on its data-leak site; observed exploitation activity runs through this date.

  3. Oracle publishes an out-of-band security alert and fix for CVE-2026-35273, confirming the flaw is remotely exploitable without authentication.

Sources

  1. cloud.google.com: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
  2. oracle.com: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
  3. blogs.oracle.com: https://blogs.oracle.com/security/security-alert-cve-2026-35273-released
  4. thehackernews.com: https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
  5. theregister.com: https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443
  6. github.com: https://github.com/advisories/GHSA-25mw-359m-f6rj

Related incidents

Data breach | Ransom paid

Instructure Canvas LMS ShinyHunters breach (2026)

ShinyHunters exploited Canvas's Free-For-Teacher account programme to exfiltrate 3.65 TB of data spanning approximately 275 million users across nearly 9,000 schools: names, email addresses, student IDs, and some private messages between students and teachers. Instructure reportedly paid the ransom and the data was destroyed.

Victim: Instructure (Canvas LMS)
Loss: $10.0M
Records: 275.0M