Oracle PeopleSoft CVE-2026-35273: ShinyHunters Breaches 100+ Orgs

Oracle issued emergency mitigations for CVE-2026-35273, an RCE flaw in PeopleSoft, after ShinyHunters breached 300 instances across more than 100 organizations.

    ShinyHunters has compromised approximately 300 Oracle PeopleSoft installations spanning more than 100 organizations — including universities, hospitals, and government agencies — by chaining a newly discovered zero-day with older known vulnerabilities, while Oracle’s emergency advisory stopped short of delivering a full patch for an actively exploited flaw.

    CVE-2026-35273: Unauthenticated RCE in PeopleSoft Enterprise PeopleTools 8.61 and 8.62

    Oracle’s out-of-band advisory identified CVE-2026-35273 as a critical-severity unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The vulnerability allows attackers to execute code and access data within PeopleSoft environments without supplying any credentials — meaning every PeopleSoft instance running an affected version was potentially exposed from the moment ShinyHunters began weaponizing the flaw. PeopleSoft functions as an enterprise resource planning backbone across universities, hospitals, and government agencies worldwide, consolidating HR records, payroll data, financial information, and student administration records into a single integrated system that administrators and employees depend on for daily operations.

    How ShinyHunters’ Gadget Chain Drove Unauthorized Access Across 300 PeopleSoft Instances

    The technical mechanism behind the campaign is a “gadget chain” — a technique that links multiple vulnerabilities, combining the newly discovered CVE-2026-35273 zero-day with older known flaws, to produce exploitation that neither component enables independently. This approach allowed ShinyHunters to achieve unauthenticated access at scale across PeopleSoft deployments. Active attacks were confirmed as far back as June 9, before Oracle had issued any public advisory or notification. Mandiant’s CTO went public with a warning specifically confirming zero-day exploitation involvement — an unusual step that underscored the severity and novelty of the attack chain being deployed across the campaign.

    Researcher Michael R’s Discovery of ShinyHunters’ Exposed Tooling and Staging Materials

    Independent security research played a significant role in surfacing the campaign’s full scope. Cybersecurity researcher Michael R identified exposed online directories on attacker-controlled infrastructure hosting ShinyHunters’ attack tools, staging materials, and credential spray scripts. That operational security failure on the attackers’ side allowed the security research community to analyze the group’s methods and build a clearer picture of the campaign’s mechanics before Oracle’s formal advisory had confirmed the underlying vulnerability.

    Oracle Issues Emergency Advisory With Mitigations Rather Than a Full Software Patch

    Oracle responded by publishing an out-of-band advisory — a disclosure outside its standard quarterly Critical Patch Update cycle — but the remediation offered consisted of mitigations rather than a corrected software release. That distinction carries operational consequences: mitigations require administrators to apply configuration changes or compensating controls, which introduces complexity and margin for misconfiguration that a direct software patch eliminates. Oracle’s formal documentation declined to confirm active in-the-wild exploitation, even as Mandiant’s CTO and independent researchers were publicly characterizing the campaign as involving an active zero-day exploitation chain.

    The University of Nottingham was confirmed as one of the campaign’s victims after ShinyHunters published stolen data attributed to the institution on their dark web leak site.

    Education Sector as Primary Victim Pool and ShinyHunters’ Dual Extortion Demands

    The education sector absorbed the heaviest concentration of victims in the campaign. PeopleSoft is a dominant ERP platform in higher education, used by universities globally to manage payroll, financial aid, student enrollment, academic records, and administrative operations for tens of thousands of students and staff simultaneously. A single successful intrusion into a university’s PeopleSoft environment translates into a large-volume data theft event covering the entire institution’s most sensitive personnel and student data.

    Every organization confirmed as affected in the campaign received an extortion demand from ShinyHunters. The group operates a data extortion model in which stolen data is held as leverage: organizations are issued a ransom demand, and files are published to the dark web leak site if payment is refused. Affected organizations simultaneously face breach notification obligations under data protection regulations in their respective jurisdictions and active extortion from a threat group with a documented history of following through on publication.

    With more than 100 organizations compromised and no complete software patch yet available, PeopleSoft administrators running versions 8.61 and 8.62 remain limited to Oracle’s published mitigations while a corrective release is developed.
