Google confirms ShinyHunters exploited Oracle PeopleSoft zero-day to steal data

Google’s Mandiant confirmed ShinyHunters exploited CVE-2026-35273, a critical PeopleSoft flaw rated 9.8, as a zero-day between May 27 and June 9.securityweek
The University of Nottingham confirmed a breach exposing roughly 454,600 email addresses plus passport numbers, financial data, and other personal records.theregister
Oracle ↗0.41% released mitigations but not a full patch, urging organizations to disable or block exposed PeopleSoft endpoints immediately.securityweek

ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Breaching Over 100 Organizations

The ShinyHunters hacking group exploited a critical zero-day vulnerability in Oracle PeopleSoft to breach more than 100 organizations between late May and early June, with universities bearing the brunt of a campaign that exposed hundreds of thousands of student records before Oracle issued an emergency advisory.

The Vulnerability and Campaign

Oracle released an out-of-band security alert on June 10 for CVE-2026-35273, a remote code execution flaw in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 carrying a CVSS score of 9.8. The vulnerability, which sits in the Updates Environment Management component, requires no authentication and no user interaction — only network access over HTTP — to achieve full system takeover.fieldeffect

Mandiant and Google’s Threat Intelligence Group confirmed that ShinyHunters, tracked internally as UNC6240, exploited the flaw between May 27 and June 9. Google notified more than 100 organizations whose systems matched vulnerable endpoints, with 68% in the higher education sector, most of them in the United States. ShinyHunters claims to have targeted roughly 300 PeopleSoft instances across cloud and on-premises environments.thehackernews

Mandiant CTO Charles Carmakal confirmed exploitation in the wild, while Trend Micro’s Zero Day Initiative — credited by Oracle for reporting the flaw — told SecurityWeek it is “currently seeing limited exploitation” with an ongoing investigation.securityweek

University of Nottingham Among Victims

The University of Nottingham confirmed it was among those compromised. “The University of Nottingham has been the victim of a cyber incident and a significant amount of data in our student record system has been accessed by a well-known cybercriminal group,” a spokesperson told The Register.theregister

ShinyHunters claimed to have stolen approximately 40 GB of data including billing records, credit card details, and student finance information. Breach notification service Have I Been Pwned added the leaked dataset to its database, reporting roughly 454,600 unique email addresses exposed alongside names, addresses, phone numbers, ethnicities, disabilities, and passport numbers.haveibeenpwned

Mitigations Without a Full Patch

Oracle has not released a full patch. Its guidance centers on disabling the Environment Management Hub service on multi-server setups or removing the PSEMHUB application on single-server deployments. Organizations unable to do so should block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector endpoints at the perimeter. Mandiant warned that web application firewall rules alone are insufficient, as they can be bypassed.thehackernews

Security researchers advise immediate log review for external POST requests to the affected endpoints, unexpected .jsp files in web application directories, and outbound SMB traffic on port 445 from PeopleSoft hosts.pathlock