What is the name of the threat actor that exploited a vulnerability in Oracle's PeopleSoft software suite?

The notorious threat actor is ShinyHunters.

What is the severity rating of the vulnerability exploited by ShinyHunters in Oracle's PeopleSoft software suite?

The vulnerability carries a severity rating of 9.8 out of 10.

What kind of data was stolen from the University of Nottingham as a result of this exploit?

Approximately 40 gigabytes of stolen data included student records, financial aid data, health records, and immigration details.

By MommaKedra · Published June 12, 2026

Oracle's PeopleSoft Vulnerability Exploited by ShinyHunters: 100 Organizations Affected

Q: Which vulnerability did ShinyHunters exploit in Oracle's PeopleSoft software suite?

ShinyHunters exploited CVE-2026-35273.

Q: Which versions of PeopleSoft Enterprise PeopleTools are affected by the vulnerability exploited by ShinyHunters?

The vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 (and possibly earlier, unsupported ones as well).

Notorious threat actor ShinyHunters exploits zero-day vulnerability CVE-2026-35273 in Oracle's PeopleSoft software, stealing data from hundreds of organizations, including the University of Nottingham.

Oracle's PeopleSoft Vulnerability Exploited by ShinyHunters: 100 Organizations Affected

A critical vulnerability in Oracle's PeopleSoft software suite has been exploited by the notorious threat actor ShinyHunters, allowing them to steal gigabytes of data from hundreds of organizations. The zero-day exploit, tracked as CVE-2026-35273, was used to target PeopleSoft instances belonging to 100 organizations, with 68% of victims concentrated in the higher education sector.

What Happened

According to Mandiant and Google's Threat Intelligence Group (GTIG), ShinyHunters exploited CVE-2026-35273 between May 27 and June 9. The vulnerability, which carries a severity rating of 9.8 out of 10, allows remote, unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools and fully take over the platform.

The attackers used the meshctrl.js CLI to execute targeted reconnaissance commands on compromised hosts, mapping Oracle PeopleSoft configurations by inspecting psappsrv.cfg, auditing active NFS mounts, and reading WebLogic config.xml files. Lateral movement was automated via a custom propagation script [victim_abbreviation]_fanout.sh deployed to /tmp, which performed SSH credential spraying against internal hosts parsed from /etc/hosts.

ShinyHunters' claims were corroborated by Google's threat intelligence report, which spotted malicious activity consistent with the exploitation of CVE-2026-35273 between May 27 and June 9. The University of Nottingham confirmed unauthorized activity on its systems, with reports indicating approximately 40 gigabytes of stolen data, including student records, financial aid data, health records, and immigration details.

Background and Context

ShinyHunters has been active since at least 2019 and has executed scores of hacks against some of the world's largest companies. The group uses various techniques to gain initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other forms of social engineering.

PeopleSoft is a widely used enterprise software suite that large corporations and institutions use to manage their human resources, payroll and billing applications, supply chains, and student records. The vulnerability exploited by ShinyHunters, CVE-2026-35273, affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 (and possibly earlier, unsupported ones as well).

Oracle has released an out-of-band security alert for the flaw but has yet to fully patch it. The company credited researchers with TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability.

Why It Matters

The exploitation of CVE-2026-35273 by ShinyHunters highlights the importance of timely patching and mitigation in preventing zero-day attacks. As a widely used enterprise software suite, PeopleSoft is a prime target for threat actors seeking to exploit vulnerabilities in critical infrastructure.

For adult-industry platforms and operators, this incident serves as a reminder of the need for robust security measures, including regular vulnerability scanning, patching, and penetration testing. The exploitation of CVE-2026-35273 also underscores the importance of secure configuration and access controls to prevent lateral movement and data exfiltration.

What Comes Next

Mandiant and Google's GTIG have issued a critical warning advising PeopleSoft customers on the steps they should take immediately. The researchers are providing detailed indicators of compromise (IoCs) and remediation recommendations to affected organizations.

Oracle has not responded to inquiries regarding exploitation, but TrendAI (Trend Micro's enterprise business), whose researchers were credited by Oracle for reporting CVE-2026-35273, told SecurityWeek that it is currently seeing limited exploitation of the vulnerability, but its investigation is ongoing.

Key Facts

CVE-2026-35273: a critical unauthenticated remote code execution vulnerability impacting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.
ShinyHunters exploited the vulnerability between May 27 and June 9, targeting over 100 organizations with 68% in the higher education sector.
The University of Nottingham confirmed unauthorized activity on its systems, with reports indicating approximately 40 gigabytes of stolen data.
Oracle has released an out-of-band security alert for the flaw but has yet to fully patch it.
Mandiant and Google's GTIG have issued a critical warning advising PeopleSoft customers on the steps they should take immediately.

8,822 page views

Originally surfaced from this brief. Approximately 608 words.

Mentioned: University of Nottingham ShinyHunters Mandiant Oracle

▲ 24▼ 5

Discussion 9

CH
ChargebackJenchargeback & fraud analyst14h ago
This is a classic case of inadequate security measures leading to massive data breaches. I'd love to see the dispute ratios for these affected organizations, especially considering the sensitive nature of their customer data.
BR
BrandBexleymarketing & brand manager13h ago
In light of this vulnerability, it's essential that companies in the adult industry reassess their cybersecurity posture and prioritize investing in robust defense systems to safeguard against future threats.
SA
SatoshiSleazecrypto payments advocate12h ago
This is a prime example of why we need decentralized, secure payment solutions like cryptocurrencies – they can't be exploited with zero-day vulnerabilities! It's time for the industry to rethink its dependence on traditional payment processors.
LU
LurkerLowkeyskeptical lurker11h ago
Another day, another breach. What's the real risk here? Is this just another noise event or is there something more to it?
ST
StreamOpsKastreaming infra engineer11h ago
I'm concerned about the potential impact on streaming services that rely on PeopleSoft for billing and subscription management. Has anyone assessed the likelihood of a CDN or transcoding infrastructure compromise?
SU
SupportSeongcustomer support lead10h ago
This ShinyHunters breach is a harsh reminder of the importance of robust data security in our industry. We need to prioritize patching and updates to prevent similar incidents from happening to our customers.
AF
AffiliateAceaffiliate marketer10h ago
This breach could be an opportunity in disguise – if your affiliate program is affected, now's the time to re-evaluate your traffic acquisition strategies and optimize for conversions. Don't let security threats hinder your ROI growth!
ME
MetaverseMoVR/immersive builder10h ago
Wow, just... wow! Another zero-day exploit and it's Oracle this time? What does this say about the state of security in the tech world? I mean, what if this was a VR platform vulnerability? Mind. Blown.
CO
ComplianceCarolage-verification & compliance7h ago
This vulnerability highlights the need for regular security audits and risk assessments in high-risk industries like ours. I'll be reviewing our own systems to ensure we're protected.