Skip to content

Oracle PeopleSoft Zero-Day: ShinyHunters Hit 100+ Organizations

The Hacker News · Story 6 of 6

Mandiant and Google Threat Intelligence Group (GTIG) have confirmed a widespread compromise campaign attributed to the ShinyHunters threat actor group (tracked as UNC6240) exploiting a zero-day vulnerability in Oracle PeopleSoft. The vulnerability, CVE-2026-35273, is a critical 9.8 CVSS unauthenticated SSRF-to-RCE flaw in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.

ShinyHunters actively exploited the vulnerability between May 27 and June 9, 2026 — two weeks before Oracle published its security advisory on June 10. The campaign targeted primarily the higher education sector, with Mandiant identifying over 100 organizations compromised through this single vulnerability. The attack required only network access over HTTP — no credentials, no user interaction.

Check Point Research reports that ShinyHunters used the access for data theft and extortion operations, a pattern consistent with their previous campaigns. The group has historically combined zero-day exploitation with social engineering and voice phishing to maximize access.

Oracle has released an out-of-band security alert and affected organizations should patch immediately. However, the two-week window of active exploitation means compromised organizations need to do more than patch — they need full incident response investigations to identify persistent access, data exfiltration, and secondary payloads.

This incident highlights the enduring risk of legacy ERP systems in education and government sectors. PeopleSoft deployments, many running configurations years out of support, represent an attractive target for threat actors who can chain a single unauthenticated vulnerability into mass compromise.

Analysis
Live

100+ organizations breached through a single unauthenticated endpoint — this is the textbook case for why legacy ERP modernization can't wait. For MENA universities and government ministries running PeopleSoft, the message is stark: if you haven't patched and audited your PeopleTools deployment in the last two weeks, assume compromise.

Frequently Asked Questions
How was ShinyHunters able to exploit CVE-2026-35273 before the patch?

ShinyHunters discovered or acquired the zero-day vulnerability and exploited it for two weeks before Oracle became aware and issued a patch on June 10, 2026.