Cybercriminals have actively exploited a critical zero-day vulnerability in Oracle PeopleSoft software, potentially compromising the networks of over 100 organizations, with a significant focus on higher education institutions. The attacks are attributed to the ShinyHunters group, which has begun naming alleged victims and publishing stolen data.
Mandiant and Google Threat Intelligence Group identified the exploitation of the Oracle PeopleSoft flaw, tracked as CVE-2026-35273, which allows remote code execution. The university sector appears to be disproportionately affected, raising concerns about the security of sensitive student and operational data held within these systems.
ShinyHunters Exploits Oracle PeopleSoft Vulnerability
The ongoing campaign, detected by Mandiant as early as May 27, targets a flaw in Oracle PeopleTools, a component used in PeopleSoft for human resources and customer relationship management. This defect, CVE-2026-35273, enables unauthenticated attackers to remotely execute code on vulnerable servers, granting them significant access.
Google alerted more than 100 organizations about potentially exposed endpoints, though the exact number of breaches remains unconfirmed. The threat actor, ShinyHunters, is actively engaged in extortion efforts against victims, according to Mandiant.
Implications for Higher Education
The attacks present a significant risk to higher education institutions, which often manage vast amounts of sensitive personal and financial data. The University of Nottingham confirmed a substantial data theft incident after leaked data attributed to ShinyHunters emerged online.
Charles Carmakal, chief technology officer at Mandiant Consulting, noted that while ShinyHunters has previously targeted the education sector, this specific campaign’s scale suggests a broad exposure of PeopleSoft instances within universities. The majority of identified potential victims are located in the United States, with 68% belonging to the higher education sector.
Vendor Response and Security Measures
Oracle disclosed the vulnerability and provided mitigation recommendations on Wednesday, weeks after the exploitation of the zero-day vulnerability had begun. A patch to fully address the defect has not yet been released by Oracle, and the company did not provide immediate comment on the situation.
The exploitation of this Oracle PeopleSoft vulnerability follows a similar incident last year. The Clop ransomware group exploited a zero-day flaw in Oracle E-Business Suite, leading to a data theft and extortion campaign that commenced months after the initial compromise.
Future Outlook and Uncertainties
The active nature of the campaign means that additional victims may be affected beyond those currently identified. Organizations utilizing Oracle PeopleSoft are advised to consult Oracle’s guidance for immediate mitigation steps. The full extent of data compromised and the specific impact on each affected institution remain subjects of ongoing investigation.

