blindthoughts

ShinyHunters Exploits Oracle PeopleSoft Zero-Day CVE-2026-35273 — 100+ Organizations Breached

What Happened

ShinyHunters, the extortion crew that Google's Mandiant tracks as UNC6240, has been mass-exploiting a zero-day vulnerability in Oracle PeopleSoft, now designated CVE-2026-35273. Oracle has issued a warning to customers after the campaign compromised more than 100 organizations, and Google directly notified organizations whose potentially vulnerable servers were exposed to the internet. Universities took the heaviest hits, but enterprise targets are broadly in scope. The playbook is simple: exploit the PeopleSoft flaw, exfiltrate sensitive data, then demand payment to keep it private.

Why It Matters

PeopleSoft is deeply embedded in higher education and large enterprises — it manages HR records, payroll, student data, and finance. That data profile makes it an ideal extortion target: high sensitivity, high regulatory exposure, high pressure to pay quietly. With 100+ organizations already confirmed breached and UNC6240 still active, the gap between "vulnerable" and "compromised" is closing fast.

This is not a proof-of-concept. Mandiant's attribution and Oracle's own advisory confirm an ongoing, active campaign. Any organization running an internet-accessible PeopleSoft instance should assume it has already been scanned — and potentially hit.

What to Do

  1. Patch as soon as a fix is available. Check Oracle's support portal for a patch or security advisory covering CVE-2026-35273. If your vendor support contact hasn't already flagged it, reach out directly now.
  2. Take PeopleSoft off the open internet. If your PeopleSoft portal is publicly accessible without VPN or IP allowlisting, restrict it now. This is the single most effective mitigation while a patch is awaited, staged, or tested.
  3. Hunt for signs of compromise. Audit authentication logs for unusual logins, privilege escalations, or access from unexpected IPs. Look for anomalous database queries or bulk data exports consistent with exfiltration, and for accounts that suddenly appear from new source networks. ShinyHunters moves fast once inside.
  4. Act on any Google or Mandiant notification. If your organization received one, treat your environment as breached and activate your incident response plan immediately; do not wait to confirm before containing.
  5. Loop in legal now. If employee or student PII was accessible through PeopleSoft, you may face mandatory notification timelines under GDPR and state breach laws, plus sector obligations such as FERPA for student records. The disclosure clock starts at discovery, not at confirmation.
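
As an added illustration of step 3 (this is example code written for this page, not code from the article, Oracle, or Mandiant), here is a small Python hunt over a handful of constructed access-log lines. The log format, the trusted network ranges, the business-hours window, and the bulk-export threshold are all assumptions for the demo; real PeopleSoft web-server and database audit logs have their own formats, so the parser is the part you would swap out. The hunt flags four things the article calls out: successful logins from outside trusted networks, bulk exports, query or export activity off-hours from untrusted sources, and accounts that are seen from both trusted and untrusted networks.

```python
"""Compromise-hunt triage over access-log lines (added example; the log
format and thresholds below are assumptions, not PeopleSoft's own)."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample lines for the demo: timestamp, user, source IP,
# action, and an optional login result or row count.
SAMPLE_LOG = """\
2026-04-01T02:13:07Z user=hr_admin ip=203.0.113.45 action=LOGIN result=OK
2026-04-01T02:13:40Z user=hr_admin ip=203.0.113.45 action=QUERY rows=184320
2026-04-01T02:14:02Z user=hr_admin ip=203.0.113.45 action=EXPORT rows=184320
2026-04-01T09:01:11Z user=jdoe ip=10.20.30.41 action=LOGIN result=OK
2026-04-01T09:05:19Z user=jdoe ip=10.20.30.41 action=QUERY rows=12
2026-04-01T09:07:55Z user=jdoe ip=10.20.30.41 action=LOGIN result=FAIL
2026-04-01T22:40:00Z user=svc_batch ip=10.20.30.9 action=EXPORT rows=9000
2026-04-01T23:15:31Z user=svc_batch ip=198.51.100.7 action=LOGIN result=OK
"""

# Assumed policy knobs: trusted ranges (corporate LAN + VPN pool), the
# business-hours window in UTC, and what counts as a bulk export.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 20)
BULK_ROWS = 50_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)"
    r"(?: result=(?P<result>\S+))?(?: rows=(?P<rows>\d+))?$"
)


def parse(log_text):
    """Turn the assumed key=value log format into event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["rows"] = int(e["rows"]) if e["rows"] else 0
        events.append(e)
    return events


def is_trusted(ip):
    """True when the source address falls inside an allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hunt(events):
    """Return (finding_type, user, detail) tuples worth an analyst's look."""
    findings = []
    for e in events:
        untrusted = not is_trusted(e["ip"])
        if e["action"] == "LOGIN" and e["result"] == "OK" and untrusted:
            findings.append(("untrusted_login", e["user"], e["ip"]))
        if e["action"] in ("QUERY", "EXPORT") and untrusted \
                and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_untrusted", e["user"], e["ts"].isoformat()))
        if e["action"] == "EXPORT" and e["rows"] >= BULK_ROWS:
            findings.append(("bulk_export", e["user"], e["rows"]))

    # An account seen from both inside and outside the trusted ranges is a
    # classic sign of a stolen credential or session being reused remotely.
    ips_by_user = defaultdict(set)
    for e in events:
        ips_by_user[e["user"]].add(e["ip"])
    for user, ips in sorted(ips_by_user.items()):
        if any(is_trusted(i) for i in ips) and any(not is_trusted(i) for i in ips):
            findings.append(("mixed_source_user", user, ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for kind, user, detail in hunt(parse(SAMPLE_LOG)):
        print(f"{kind:22} {user:12} {detail}")
```

Run against the sample, the hunt surfaces hr_admin's 2 a.m. login and 184,320-row export from an untrusted address and svc_batch's reappearance from outside the network, while jdoe's ordinary daytime activity (including one failed login) produces nothing. Tune the thresholds to your baseline, and treat this as a starting triage pass rather than a substitute for pulling the real PeopleSoft and database audit trails.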

ShinyHunters has a documented history of large-scale theft followed by public extortion when ransoms aren't paid. Every hour of delay is leverage you hand to them.
