A serious vulnerability in the Oracle PeopleSoft tool has been exploited by the well-known cyber extortion group ShinyHunters to compromise more than a hundred organizations before an official solution existed.
The campaign, detected by researchers from Google and Mandiant, primarily targeted universities and higher education centers, which represent about 70% of the victims identified so far.
The flaw, registered as CVE-2026-35273, affects the PeopleSoft environment management component and has received a severity score of 9.8 out of 10. Most concerning is that it does not require credentials or any action from users to be exploited. An attacker can remotely take control of a vulnerable server if it is exposed to the network.
According to the analysis published by the threat intelligence group from the Mountain View firm and Mandiant, the attacks took place between May 27 and June 9. Oracle issued its security advisory on June 10.
This means that during that entire period, cybercriminals were exploiting a vulnerability for which there was no patch or public warning, a situation known as a ‘zero-day attack.’
ShinyHunters exploited the PeopleSoft flaw to access affected systems, move through internal networks, and locate information of interest.
As part of the operation, the attackers left files with extortion messages on compromised servers to confirm access and warn the victims.
More than a hundred victims
So far, Mandiant has notified more than 100 organizations affected by the campaign. 68% belong to the university and educational sector, mainly in the U.S. Among the confirmed victims is the University of Nottingham, whose leaked data includes information from students and alumni.
The service Have I Been Pwned has already indexed around 455,000 email addresses from the breach, along with other personal data such as names, addresses, phone numbers, passports, and sensitive information related to disability or ethnic origin.
Given the severity of the situation, Oracle recommends temporarily disabling the affected components or completely restricting their access from the Internet.
Researchers warn that organizations using PeopleSoft and have not applied mitigation measures must act urgently, as the campaign demonstrates how quickly criminal groups like ShinyHunters can turn an unknown vulnerability into a massive data theft operation.
