Nation-state | Jun 12, 2026

ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw

ShinyHunters extorts universities exploiting unpatched Oracle PeopleSoft vulnerability.

Summary

The cybercrime group ShinyHunters is actively extorting over 100 organizations, primarily universities, by exploiting an unpatched zero-day vulnerability in Oracle PeopleSoft PeopleTools. The vulnerability, CVE-2026-35273, allows for remote code execution and server takeover. Attacks have been ongoing since late May, with Oracle only recently disclosing the flaw and recommending mitigation steps without releasing a patch.

Full text

Researchers are warning that cybercriminals exploited an Oracle PeopleSoft zero-day vulnerability and potentially infiltrated the networks of more than 100 organizations in an attack spree that largely impacted higher education.

Mandiant and Google Threat Intelligence Group said they became aware of the attacks earlier this month as part of their ongoing monitoring of ShinyHunters operations. The notorious cybercrime group claims it hacked more than 100 organizations and started naming victims and publishing allegedly stolen data Tuesday.

University of Nottingham, one of ShinyHunters’ alleged victims, on Wednesday confirmed a significant amount of student data was stolen during a cyberattack after the threat group leaked some of the school’s data.

The attacks date back to at least May 27, according to Mandiant, and involve the exploitation of CVE-2026-35273, a defect in Oracle PeopleSoft PeopleTools that allows unauthenticated attackers to execute code remotely and take over affected servers. Oracle disclosed the vulnerability and recommended some steps for mitigation Wednesday, weeks after the attacks were already underway. The vendor hasn’t released a patch to address the defect and did not respond to a request for comment.

Google said it alerted more than 100 organizations of potentially vulnerable endpoints in their environments, but it declined to confirm how many victims are compromised.

“This campaign is still active. We have observed ShinyHunters sending extortions as recently as today,” Charles Carmakal, chief technology officer at Mandiant Consulting, told CyberScoop Thursday evening. He added that more victims, beyond Google’s visibility, may be impacted.

Most of the potential victim pool is based in the United States and 68% are in the higher education sector, according to Google.

“We have previously observed ShinyHunters target the education sector this year, however it’s possible this targeting is representative of the majority of exposed PeopleSoft instances belonging to the sector,” Carmakal said.

Oracle PeopleSoft PeopleTools includes more than 40 tools for human resources and customer relationship management.

The attacks come less than a year after the Clop ransomware group exploited a zero-day in Oracle E-Business Suite that affected dozens of victims. The data theft extortion campaign that followed those attacks, which began in August, didn’t get underway until October.

Indicators of Compromise

  • cve — CVE-2026-35273

Entities

  • ShinyHunters (threat_actor)
  • Oracle (vendor)
  • PeopleSoft PeopleTools (product)
  • ShinyHunters operations (campaign)