THE DIGITAL ALCHEMIST
Security · IMPACT 88

ShinyHunters' PeopleSoft Zero-Day Is a Mass-Exploitation Event, Not a Targeted Attack

CVE-2026-35273 is confirmed real, CVSS 9.8, no patch yet. The attack chain hit 300 PeopleSoft instances across 100-plus organizations before Oracle published a single word. If you run PeopleSoft, your first move is not to wait.

2026-06-13 · 5 MIN READ
#Oracle · #PeopleSoft · #ShinyHunters · #zero-day · #higher education · #CVE-2026-35273 · #RCE · #data breach · #ERP security
West end of Lake on University of Nottingham Campus - geograph.org.uk - 126009 by Dr Dan Marsh (BY-SA) via Openverse

The Core Fact

Oracle has no patch. It has mitigations. That gap is the entire story.

CVE-2026-35273 is a critical PeopleSoft PeopleTools zero-day that allows unauthenticated remote code execution and carries a CVSS base score of 9.8. It requires no login and no user interaction — just network access over HTTP — to take over the server. Mandiant and Google Threat Intelligence Group confirmed that ShinyHunters, tracked as UNC6240, targeted Oracle PeopleSoft infrastructure between May 27 and June 9, 2026. Since that activity predates Oracle's June 10 advisory, the vulnerability was exploited as a zero-day throughout, and Mandiant notified over 100 global organizations with potentially vulnerable endpoints.

CVE-2026-35273 At a Glance
CVSS Score: 9.8
PeopleSoft Instances Compromised: 300
Organizations Affected: 100
Unique Emails in Leaked Set (Nottingham): 455,000
Sources: Oracle advisory, Mandiant / Google Threat Intelligence Group, BleepingComputer, Have I Been Pwned
Mandiant-Notified Organizations by Sector
Higher Education: 68%
Other Sectors: 32%
Source: Google Threat Intelligence Group / Mandiant, via Computer Weekly and The Hacker News

What Was Exploited and How

The vulnerability sits in the Updates Environment Management component, the piece behind the Environment Management Hub (PSEMHUB). This is the internal PeopleSoft management plane — many administrators have exposed it without realizing the attack surface it presents.

The exploitation technique uses a "gadget chain" linking CVE-2026-35273 with older known flaws, enabling attacks that neither component permits independently. This let ShinyHunters scale compromises across PeopleSoft deployments without authentication.

Rather than targeting individual organizations, ShinyHunters deployed automated attack scripts capable of scanning and compromising PeopleSoft environments at scale. Once inside, attackers sprayed hardcoded credentials against internal hosts pulled from /etc/hosts over SSH, then dropped ransom notes into PeopleSoft directories. Researchers found exposed directories containing attack tooling including MeshCentral agents and credential spray scripts, with some attacker IPs bearing TLS certificates tied to ShinyHunters.

Scope and Confirmed Victims

ShinyHunters compromised approximately 300 Oracle PeopleSoft installations across more than 100 organizations — universities, hospitals, and government agencies — by chaining the zero-day with older vulnerabilities.

Sixty-eight percent of notified organizations were in higher education, mostly in the United States. The pattern reflects PeopleSoft's dominance in U.S. student information and HR systems. The data—Social Security numbers, dates of birth, financial aid records, addresses—translates directly into criminal resale value.

A ShinyHunters spokesperson told The Register that the group exploited CVE-2026-35273 to breach the University of Nottingham's PeopleSoft system and steal 40 GB of personal data and billing records from hundreds of thousands of current and former students. A day after the data leak, the University of Nottingham confirmed the breach; Oracle issued its out-of-band alert the same day. Have I Been Pwned counted about 455,000 unique email addresses in the leaked set, including names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities.

Some organizations blocked the activity; others were compromised and had data posted to the leak site. The difference hinges on whether PSEMHUB endpoints were externally accessible.

The Patch Problem

Oracle released an out-of-band advisory addressing the vulnerability. The security alert links to a patch availability document accessible only to customers with support accounts. Multiple sources confirm that mitigations exist, but a full patch rollout remains unconfirmed as of publication. Mandiant CTO Charles Carmakal warned that the PeopleSoft flaw was one of two actively exploited zero-days, noting Oracle had released mitigations with patches expected soon.

The vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Earlier, unsupported versions may also be at risk. Running an unsupported version means Oracle won't help.

Higher education faces a structural lag. Semester calendars, change advisory boards, and lean IT staffing mean 60 to 90 days between patch release and majority deployment—a window that compounds risk.

Immediate Actions for Operators

  1. Lock PSEMHUB off the network perimeter now. If PeopleSoft's Environment Management Hub is reachable from outside your network, that's your exposure. Lock it down immediately. This compensating control requires no patch.

  2. Hunt for indicators of compromise. Public proof-of-concept code and automated detection templates are widely available, dramatically increasing risk to unpatched systems. Assume scanning has already touched your instance.

  3. Apply Oracle's mitigations. Log into Oracle Support, retrieve the patch availability document for CVE-2026-35273, and implement every listed mitigation before the patch arrives.

  4. Enable and review database and application layer logging. Evidence suggests attackers create ransom notes on breached servers and attempt to connect to other PeopleSoft systems using common administrative credentials. Lateral movement to connected systems is documented behavior.

One caveat: Multiple threat intelligence sources indicate that groups beyond ShinyHunters, including Cl0p, may be moving to exploit this flaw. If a second major ransomware group weaponizes it, victim counts will expand significantly within weeks. The gadget chain is now public; copycat exploitation has low barriers to entry.
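
For steps 1 and 2, one way to check web-tier access logs for outside traffic to the hub, as an added example that is not part of the original article or any vendor tooling. It assumes common/combined log format, a hub context path of /PSEMHUB, and a perimeter deny rule that returns 403 or 404; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Common/combined access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
HUB_PREFIX = "/psemhub"   # assumption: hub context path, compared case-insensitively
BLOCKED = {403, 404}      # assumption: statuses your perimeter deny rule returns
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def is_external(ip_text, trusted_nets=()):
    """True unless the client sits in an internal or explicitly trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable client field: treat as untrusted
    nets = INTERNAL + [ipaddress.ip_network(n) for n in trusted_nets]
    return not any(ip in net for net in nets)

def hunt_psemhub(lines, trusted_nets=()):
    """Summarise external requests to the hub path, keyed by client IP."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "methods": set(), "statuses": set(),
                                "reached_app": False})
    for line in lines:
        m = LOG_RE.match(line)
        if (not m or not m["path"].lower().startswith(HUB_PREFIX)
                or not is_external(m["ip"], trusted_nets)):
            continue
        h, status = hits[m["ip"]], int(m["status"])
        h["count"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        h["methods"].add(m["method"])
        h["statuses"].add(status)
        # Any answer other than a deny means the hub was reachable from outside.
        h["reached_app"] = h["reached_app"] or status not in BLOCKED
    return dict(hits)

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [02/Jun/2026:03:14:07 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jun/2026:03:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 87',
    '198.51.100.23 - - [03/Jun/2026:11:02:44 +0000] "GET /psemhub/hub HTTP/1.1" 403 0',
    '10.20.0.5 - - [03/Jun/2026:11:05:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jun/2026:03:15:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096',
]
```

A client with reached_app set received something other than a deny from the hub and is the first candidate for deeper review; pass VPN or partner ranges as trusted_nets to keep them out of the results.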

What to Watch

  1. Oracle patch release date. Mitigations are not patches. Monitor Oracle's CVE-2026-35273 page for a full fix and whether it covers unsupported PeopleTools versions.

  2. Affected institution count at 30 days. Mandiant's 100-plus tally will rise as investigations conclude. Real compromise numbers may exceed current claims.

  3. ShinyHunters data release timeline. Watch their leak site for new university postings as extortion leverage in active negotiations.

  4. Downstream fraud signals. Student SSNs and financial aid data monetize in criminal markets within 30 to 60 days. Expect identity theft surge reports from affected institutions by late July.

  5. Copycat exploitation. Public PoC code invites secondary actors to probe exposed PSEMHUB endpoints. Any institution without external access restrictions should assume active targeting.

  6. Regulatory response. FERPA obligations apply to exposed student records. Watch for Department of Education guidance and state AG investigations targeting institutions that failed to implement available controls before compromise.
