A hacking group exploited CVE-2026-35273, a critical zero-day in Oracle PeopleSoft PeopleTools, to compromise more than 100 organizations, all before Oracle’s emergency security advisory was published on June 10.

The flaw is remotely exploitable without authentication and, if triggered, enables full remote code execution. Because the campaign ran before Oracle’s advisory, it qualifies as true zero-day exploitation. Mandiant and Google’s Threat Intelligence Group (GTIG) confirmed the active compromise and extortion campaign in a June 11 blog post, reporting they’d notified more than 100 global organizations whose infrastructure appeared vulnerable. Most were in the United States. Sixty-eight percent were in higher education.

The stolen data the group published to its data leak site on June 9 includes billing and payment records, credit card and payment details, and student finance data. TechCrunch reported the group claimed to have breached more than 100 organizations using PeopleSoft servers.

Campus ERPs like PeopleSoft concentrate financial aid records, tuition billing credentials, and student payment data in a single application layer. When student finance records are exfiltrated, state breach notification laws kick in automatically, and credit card data in the same dump adds a PCI-DSS incident response obligation on top. Affected schools that weren’t among the 100-plus Mandiant notified may still be figuring out whether they’re on the list.

Oracle’s advisory instructs customers to apply all Critical Patch Updates “without delay.”

James Okafor