
ShinyHunters Exploited Oracle PeopleSoft Zero-Day for Weeks Before a Fix Existed

SecurityWeek

Google's Threat Intelligence Group and Mandiant have confirmed that ShinyHunters, the prolific data-extortion group tracked internally as UNC6240, exploited a critical Oracle PeopleSoft vulnerability as a zero-day for nearly two weeks before Oracle released any mitigation. The flaw, CVE-2026-35273, carries a CVSS score of 9.8 and allows unauthenticated remote code execution through the PeopleSoft Environment Management component.

Oracle published an emergency out-of-band advisory on June 10, but at the time of writing no patches are available, only workarounds. The gap matters: exploitation began as early as May 27, so attackers had roughly two weeks of uncontested access to vulnerable systems before any vendor guidance existed.

Who Got Hit

Google notified more than 100 organizations whose IP addresses matched potentially exposed PeopleSoft endpoints. Of those, 68 percent operate in the higher education sector, and most are US-based. The University of Nottingham in the UK is the first publicly confirmed victim; stolen data from the breach was published on ShinyHunters' data leak site on June 9. The group claims to have targeted roughly 300 PeopleSoft instances across 100 organizations in total, though Google's investigation is ongoing.

How the Attack Worked

According to the Mandiant and GTIG report, the attackers set up staging servers hosting MeshCentral agents disguised as legitimate cloud infrastructure endpoints. Once inside, they ran administrative command queries and deployed a custom lateral movement script, named per victim as [victim_abbreviation]_fanout.sh, to spread through networks and exfiltrate data. The stolen data was then staged and published on ShinyHunters' extortion site.

Trend Micro's enterprise unit, whose researchers first reported CVE-2026-35273 to Oracle, told SecurityWeek that exploitation remains limited but its investigation is continuing.

What Administrators Should Do Now

PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, as well as PeopleSoft Enterprise Applications, are affected. Oracle's advisory includes hardening recommendations and network-level mitigations; apply them immediately, since no patch exists yet and the workarounds are the only vendor-provided control. Google has also published indicators of compromise from the ShinyHunters campaign that security teams can use for threat hunting. Because exploitation predates the advisory by about two weeks, applying the mitigations now does not rule out an earlier intrusion: organizations should hunt back to at least May 27 for the tradecraft described above (MeshCentral agents, per-victim fanout scripts, and connections to the published infrastructure). Organizations that have not yet audited their PeopleSoft exposure should treat this as urgent given the active exploitation and absence of a patch.
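The host-side hunt below ties the attack description and the recommended IOC sweep together. It is an added example, not code from the Mandiant/GTIG report, Google's IOC release, or Oracle's advisory. It assumes three inputs collected from a PeopleSoft host: a file listing, `ps -eo pid,user,comm,args --no-headers` output, and `ss -tn` output, plus a plain-text IOC list (one IP or hostname per line). The `<abbreviation>_fanout.sh` naming pattern comes from the report; the assumption that the MeshCentral Linux agent binary is called `meshagent` (often with an architecture suffix) is the example's, not the page's. All sample data and indicator addresses are constructed for illustration and are not real indicators.

```python
"""Host-side hunt for the ShinyHunters PeopleSoft tradecraft described above.

Added example, not code from the Mandiant/GTIG report. Assumptions are marked.
"""
import re

# From the report: the lateral-movement script is named "<victim_abbreviation>_fanout.sh".
FANOUT_RE = re.compile(r"(?:^|/)[A-Za-z0-9-]+_fanout\.sh$")

# ASSUMPTION: MeshCentral's Linux agent binary is conventionally named "meshagent"
# (often with an arch suffix such as meshagent_x86-64). The report only says
# "MeshCentral agents"; adjust this if your IOC list names a different file.
MESHAGENT_RE = re.compile(r"(?:^|/)meshagent(?:[_-][A-Za-z0-9_-]+)?$")


def load_iocs(text):
    """Parse a plain IOC list: one IP or hostname per line, '#' starts a comment."""
    iocs = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if entry:
            iocs.add(entry)
    return iocs


def hunt_files(paths):
    """Return paths whose basename matches the <abbr>_fanout.sh naming scheme."""
    return [p for p in paths if FANOUT_RE.search(p)]


def hunt_processes(ps_lines):
    """Flag running MeshCentral agents in `ps -eo pid,user,comm,args --no-headers` output."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, _user, comm, args = parts
        exe = args.split()[0]
        if MESHAGENT_RE.search(exe) or MESHAGENT_RE.search(comm):
            hits.append((int(pid), exe))
    return hits


def hunt_connections(ss_lines, iocs):
    """Flag `ss -tn` connections whose remote peer is an IP entry in the IOC set.

    Hostname IOCs need DNS or proxy logs; this only sees the numeric peer address.
    """
    hits = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("ESTAB", "SYN-SENT"):
            continue  # header line or non-connection state
        host, _, port = fields[-1].rpartition(":")
        host = host.strip("[]")  # tolerate bracketed IPv6 peers
        if host.lower() in iocs:
            hits.append((host, int(port)))
    return hits


def run_hunt(paths, ps_lines, ss_lines, ioc_text):
    """Run all three checks and return a dict of findings per category."""
    iocs = load_iocs(ioc_text)
    return {
        "fanout_scripts": hunt_files(paths),
        "mesh_agents": hunt_processes(ps_lines),
        "ioc_connections": hunt_connections(ss_lines, iocs),
    }


# --- Constructed sample input: not real telemetry, not real indicators ---
SAMPLE_FILES = [
    "/home/psadm2/psft/scripts/backup_nightly.sh",
    "/tmp/.x/acme_fanout.sh",          # hypothetical victim abbreviation "acme"
    "/opt/oracle/psft/pt/ps_home/bin/psae",
    "/var/tmp/fanout.sh",              # no victim prefix, should not match
]
SAMPLE_PS = [
    "2101 psadm2 java /opt/oracle/jdk/bin/java -Xmx2g weblogic.Server",
    "3342 root meshagent /var/tmp/.cache/meshagent_x86-64 -daemon",
    "3358 psadm2 sshd sshd: psadm2@pts/0",
]
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "ESTAB 0 0 10.20.30.5:22 10.20.30.77:51234",
    "ESTAB 0 0 10.20.30.5:49822 203.0.113.10:443",
    "ESTAB 0 0 10.20.30.5:8000 10.20.30.80:55102",
]
SAMPLE_IOCS = """# constructed sample IOC list (documentation ranges), not Google's indicators
203.0.113.10
198.51.100.23
staging.example.net   # hostname entries are only useful against DNS/proxy logs
"""

if __name__ == "__main__":
    for category, findings in run_hunt(SAMPLE_FILES, SAMPLE_PS, SAMPLE_SS, SAMPLE_IOCS).items():
        print(f"{category}: {findings or 'none'}")
```

On a real host, feed `find / -xdev -name '*_fanout.sh'`, the `ps` and `ss` commands named above, and Google's published IOC list into the three functions; the file and process checks are the ones worth running back to late May, because the network check only catches connections that are still open.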

Originally reported by SecurityWeek. Read the original article for additional details.
