Thought Leadership
The cybercriminal group ShinyHunters has exploited a critical zero-day vulnerability in Oracle PeopleSoft, compromising more than 100 organizations worldwide.
According to claims made by the attackers and corroborating analyses from security researchers, over 300 vulnerable system instances were breached. The vulnerability, tracked as CVE-2026-35273, affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, as well as potentially older unsupported releases. Oracle PeopleSoft is widely used by enterprises and institutions to manage human resources, payroll, supply chains, and student information systems.
The flaw carries a CVSS severity score of 9.8 and allows unauthenticated remote attackers to execute malicious code over HTTP, ultimately gaining full control of affected servers. According to a report from Google’s threat intelligence team, the attacks occurred between May 27 and June 9, 2026, before Oracle publicly disclosed the vulnerability. Google notified affected organizations after detecting the malicious activity. Approximately 68 percent of the targeted institutions were in the higher education sector, with the majority located in the United States.
University of Nottingham Data Leak Linked to ShinyHunters
One of the first publicly confirmed victims was the University of Nottingham in the United Kingdom. After the institution refused to meet the group’s ransom demands, ShinyHunters published the stolen data on its leak site.
The exposed dataset reportedly contains around 40 GB of personal and financial information. An analysis by the breach notification service Have I Been Pwned found that the leak includes approximately 455,000 unique email addresses belonging to current students and alumni. The data also contains full names, phone numbers, postal addresses, passport numbers, and sensitive information related to nationality and disabilities.
A spokesperson for the threat group commented on the status of the campaign:
“The University of Nottingham on our leak site is one of the first publicly confirmed incidents. We have only just begun contacting affected organizations and are actively seeking agreements with the impacted organizations.”
Cybercriminal group ShinyHunters
Oracle Issues Emergency Guidance
The University of Nottingham confirmed unauthorized access to its student records system and is working with national law enforcement agencies and data protection authorities.
In response to the ongoing attacks, Oracle issued an out-of-band security advisory on June 10, 2026. Charles Carmakal, CTO of Google’s Mandiant security division, confirmed that the PeopleSoft flaw is one of two vulnerabilities currently facing widespread exploitation. He stated that Oracle has released temporary mitigation measures and that comprehensive security updates are expected soon.
Oracle is urging administrators to immediately disable the Environment Management Hub service or block external access to affected interfaces through firewall rules until permanent patches become available.
(ll)
