ShinyHunters Exploits Oracle PeopleSoft Zero-Day Vulnerability


A critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft has been exploited by the ShinyHunters group, leading to breaches of over 100 organizations, primarily in the education sector. The vulnerability allows unauthenticated remote code execution, enabling attackers to compromise systems without prior authentication. The exploitation occurred between May 27 and June 9, 2026, before Oracle's advisory was published on June 10, 2026. Mandiant confirmed that approximately 500,000 student records from the University of Nottingham were among the stolen data. Attackers utilized a 'gadget chain' of vulnerabilities to facilitate the breaches, and the stolen data has been published on the ShinyHunters Data Leak Site. Oracle has issued an urgent advisory recommending immediate patching and mitigation measures, but as of now, no official patch is available. Organizations are advised to restrict internet-facing access to vulnerable systems.

Key Points:
• CVE-2026-35273 allows unauthenticated remote code execution in Oracle PeopleSoft.
• ShinyHunters has claimed over 100 breaches, including significant data theft from universities.
• Oracle has issued an advisory but has not yet released a patch for the vulnerability.

ThreatCluster AI

Timeline

2026-03-20: CVE-2026-33017 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
Source: MITRE

2026-06-04: CVE-2026-20245 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
Source: MITRE

2026-06-09: Data leaks published by ShinyHunters
ShinyHunters published stolen data on their Data Leak Site, including records from the University of Nottingham.
Source: Mandiant

2026-06-10: Oracle issues security advisory
Oracle warned of a critical vulnerability in PeopleSoft, advising immediate mitigation while a patch is developed.
Source: TechCrunch

2026-06-11: Mandiant confirms active exploitation
Mandiant reported that ShinyHunters exploited CVE-2026-35273, affecting over 100 organizations.
Source: BleepingComputer

2026-06-11: CVE-2026-35273 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
Source: MITRE

2026-06-12: Public awareness escalates
The attack's impact and the need for immediate action are highlighted in multiple cybersecurity reports.
Source: CSO Online
