ShinyHunters exploited CVE-2026-35273, an unpatched critical flaw in Oracle PeopleSoft PeopleTools, and claims to have breached more than 100 organizations worldwide beginning May 27. The defect scores 9.8 on the CVSS scale, requires no authentication, and gives an attacker full remote code execution.
Mandiant and Google Threat Intelligence flagged the campaign earlier this month through ongoing monitoring of ShinyHunters operations. Sixty-eight percent of the compromised organizations are in higher education, and most are US-based. On Tuesday, the group started naming victims and publishing stolen data publicly.
University of Nottingham confirmed a breach Wednesday after ShinyHunters leaked student data. The exposed records cover 454,600 current and former students across the university’s England, Malaysia, and China campuses: names, addresses, passport numbers, phone numbers, ethnicity, disability status, and payment details.
This is Oracle’s second critical-rated zero-day exploited in a mass data-theft campaign in under 12 months. Clop ransomware hit Oracle E-Business Suite on a zero-day last August, but that extortion campaign didn’t begin until October, giving victims two months of notice between breach and demand. ShinyHunters skipped the wait. Mandiant CTO Charles Carmakal confirmed the group was actively sending extortion demands as recently as Thursday, with more victims beyond Google’s visibility possibly at risk.
Oracle disclosed CVE-2026-35273 June 10, two weeks after attacks began, and hasn’t released a patch. Until it does, the only available mitigation is disabling the Environment Management Hub or blocking external access to the PSEMHUB endpoint entirely.
— James Okafor