ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
Analysis of the recent Oracle PeopleSoft zero-day exploit by ShinyHunters (UNC6240) targeting higher education institutions and enterprise systems.

This article is original editorial commentary written with AI assistance, based on publicly available reporting by The Hacker News. It is reviewed for accuracy and clarity before publication. See the original source linked below.
The cybersecurity landscape has been jolted by a highly targeted extortion campaign orchestrated by the notorious hacking collective known as ShinyHunters. Exploiting a previously unknown vulnerability in Oracle PeopleSoft—now designated as CVE-2026-35273—the group successfully infiltrated the internal systems of several high-profile organizations, with a disproportionate focus on large universities. According to forensics from Google’s Mandiant, the exploitation window occurred between late May and early June, catching institutions off-guard before a formal patch was available. This incident underscores the persistent vulnerability of legacy enterprise resource planning (ERP) systems and the evolving tactics of financially motivated threat actors.
ShinyHunters, a group Mandiant tracks as UNC6240, has a long history of high-stakes data theft and extortion. Emerging in 2020, the collective gained infamy for compromising major entities like Microsoft and AT&T. Unlike state-sponsored actors who prioritize long-term espionage, ShinyHunters operates with a distinct commercial ruthlessness, prioritizing the exfiltration of sensitive databases to demand "protection" payments. Their return to the spotlight using a zero-day exploit in Oracle software signals a sophisticated pivot toward high-value software supply chains, where a single flaw can unlock the gates to thousands of downstream clients.
Technically, the exploit targeted PeopleSoft, an ERP suite used by thousands of organizations to manage everything from human resources and payroll to student records. While the specific mechanics of CVE-2026-35273 involve a failure in input validation or session management, the business impact is profound. By gaining initial access through this zero-day, UNC6240 was able to bypass traditional perimeter defenses that rely on signature-based detection. Once inside, the group moved laterally through the network, identified sensitive data repositories, and exfiltrated vast quantities of personal and financial information before Oracle could issue its June 10 advisory.
The implications for the broader tech industry are sobering. The lag between the initial exploitation (May 27) and the public disclosure (June 10) gave the attackers a two-week "free pass" to harvest data. For the education sector, which often operates on tighter IT budgets and manages sprawling networks with thousands of temporary users, this breach is a catastrophic reminder of their status as "soft targets." Furthermore, this incident highlights a growing trend where extortionists eschew traditional ransomware—which encrypts files—in favor of "pure exfiltration," betting that the threat of public shame and regulatory fines is enough to compel payment.
Regulators and market analysts are likely to scrutinize Oracle’s disclosure timeline and the inherent risks of monolithic ERP architectures. In an era where "Zero Trust" is the prevailing security mantra, the fact that an unpatched flaw in a central management system can facilitate such widespread access suggests that many institutions are still over-reliant on "castle-and-moat" security strategies. The breach also raises questions about the liability of software vendors when zero-day vulnerabilities are weaponized before a patch cycle can be completed, potentially leading to more stringent federal reporting requirements for critical infrastructure providers.
Moving forward, the industry must watch for two primary developments. First, the frequency with which ShinyHunters or its affiliates target other legacy enterprise platforms will indicate if this was an isolated strike or a broad new campaign. Second, the response from the university sector will be telling; we may see an accelerated migration away from on-premise PeopleSoft installations toward cloud-native solutions that offer more rapid, automated patching capabilities. As UNC6240 continues to monitor for unpatched environments, the race between black-hat exploitation and white-hat remediation has never been more urgent.
Why it matters
1. The exploitation of a zero-day in Oracle PeopleSoft highlights a dangerous two-week vulnerability gap that existed before official patches were released.
2. Higher education institutions remain high-value targets due to the vast amounts of sensitive personal data they store within centralized ERP systems.
3. The shift from file encryption to pure data exfiltration and extortion by groups like ShinyHunters represents an evolving threat model for enterprise security.