PROBABLYPWNED
Vulnerabilities · June 11, 2026 · 3 min read

ShinyHunters Breaches 100+ Orgs via Oracle PeopleSoft RCE

Oracle issues emergency patch for CVE-2026-35273 (CVSS 9.8) as ShinyHunters claims to have stolen data from 300 PeopleSoft instances. Nottingham University among confirmed victims.

Marcus Chen

Oracle released an out-of-band security alert this week for CVE-2026-35273, a critical remote code execution flaw in PeopleSoft Enterprise PeopleTools. The urgency became clear when ShinyHunters—one of the most prolific data extortion crews operating today—claimed responsibility for breaching over 100 organizations using the vulnerability.

The CVSS 9.8 flaw allows unauthenticated attackers to execute arbitrary code remotely via HTTP, with no user interaction required. Oracle considers patching "a high-priority risk reduction measure."

ShinyHunters' Campaign

ShinyHunters confirmed to BleepingComputer that they compromised 300 PeopleSoft instances across more than 100 organizations. The group described using a "gadget chain" combining older vulnerabilities with the zero-day to maximize their access.

Their attack script automates post-exploitation by parsing /etc/hosts to identify PeopleSoft-related systems, then attempts SSH connections using common administrative accounts like 'psoft', 'oracle', and 'linuxadm'. When password authentication fails, the script falls back to key-based authentication before deploying ransom notes.

Nottingham University is among the confirmed victims, with their data already published on ShinyHunters' leak site. The university acknowledged suffering a "cybersecurity incident."

The threat actor's stated original target? An FBI portal running PeopleSoft, where they intended to "publish a statement and set the record straight on some misinformation that has been spreading." That attack failed—but the tools they built for it worked elsewhere.

Technical Details

CVE-2026-35273 resides in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. Affected versions are 8.61 and 8.62.

The attack vector is straightforward:

  • Network-accessible over HTTP
  • No authentication required
  • No user interaction needed
  • Low attack complexity

These characteristics make the flaw trivially exploitable at scale. ShinyHunters appears to have done exactly that.

Who's at Risk

PeopleSoft deployments span human resources, payroll, finance, supply chain management, procurement, and student administration. The education sector appears particularly hard-hit—PeopleSoft is ubiquitous in universities for student information systems.

Organizations should assume that any unpatched, internet-exposed PeopleSoft instance has been targeted. ShinyHunters' automation means they likely scanned widely before Oracle's patch dropped. The group's tactics mirror other recent social engineering and data extortion campaigns we've tracked.

What to Do Now

  1. Apply Oracle's emergency patch immediately. The Oracle Security Alert provides detailed guidance.

  2. Check for indicators of compromise. Look for SSH access from unusual sources, ransom notes in PeopleSoft directories, and unexpected administrative account usage.

  3. Review PeopleSoft network exposure. Wherever possible, these systems should not be directly reachable from the internet.

  4. Assume breach if exposed. If your PeopleSoft instance was internet-facing before patching, treat it as compromised and initiate incident response.
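As an added example that is not part of the original article or of any Oracle tooling, the following Python script illustrates the log review in step 2: it parses OpenSSH auth-log lines, flags accepted logins to the administrative accounts named above ('psoft', 'oracle', 'linuxadm') from sources outside an allowlist, and separately flags sources that failed password authentication on one of those accounts and then succeeded with a key, the fallback sequence attributed to the attack script. The account names come from the article; the allowlist, hostnames, IP addresses and log lines are constructed for the example.

```python
"""
Hunt for the SSH indicators described in the article over OpenSSH auth-log lines.
All sample data below is constructed; the allowlist is a placeholder to adapt.
"""
import re
from collections import defaultdict

# Administrative accounts named in the article as targets of the attack script.
ADMIN_ACCOUNTS = {"psoft", "oracle", "linuxadm"}

# Hypothetical allowlist of jump hosts / admin subnets; replace with your own.
EXPECTED_SOURCES = {"10.0.5.10", "10.0.5.11"}

# OpenSSH auth.log format: syslog timestamp, host, sshd[pid]: message.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample: one legitimate key login, then a password spray from an
# external address that falls back to a key, then unrelated normal activity.
SAMPLE_LOG = """\
Jun 10 02:14:01 psapp01 sshd[4123]: Accepted publickey for psoft from 10.0.5.10 port 51234 ssh2: RSA SHA256:abc
Jun 10 03:02:17 psapp01 sshd[4201]: Failed password for psoft from 203.0.113.44 port 40022 ssh2
Jun 10 03:02:19 psapp01 sshd[4201]: Failed password for oracle from 203.0.113.44 port 40023 ssh2
Jun 10 03:02:25 psapp01 sshd[4210]: Accepted publickey for psoft from 203.0.113.44 port 40031 ssh2: RSA SHA256:def
Jun 10 03:05:40 psapp01 sshd[4250]: Accepted password for linuxadm from 10.0.5.11 port 50011 ssh2
Jun 10 04:00:00 psapp01 sshd[4300]: Accepted password for deploy from 198.51.100.7 port 33000 ssh2
"""


def parse_events(text):
    """Turn raw sshd log lines into a list of login-attempt dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "outcome": "accepted",
                           "method": m["method"], "user": m["user"], "src": m["src"]})
            continue
        m = FAILED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "outcome": "failed",
                           "method": "password", "user": m["user"], "src": m["src"]})
    return events


def find_suspicious_logins(events):
    """Accepted logins to a PeopleSoft admin account from a non-allowlisted source."""
    return [e for e in events
            if e["outcome"] == "accepted"
            and e["user"] in ADMIN_ACCOUNTS
            and e["src"] not in EXPECTED_SOURCES]


def find_password_then_key(events):
    """Sources that failed password auth on an admin account and later succeeded
    with a key from the same address: the fallback pattern the article describes."""
    failed_sources = defaultdict(set)
    hits = []
    for e in events:
        if e["user"] not in ADMIN_ACCOUNTS:
            continue
        if e["outcome"] == "failed":
            failed_sources[e["src"]].add(e["user"])
        elif e["method"] == "publickey" and e["src"] in failed_sources:
            hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in find_suspicious_logins(evs):
        print(f"[admin login from unexpected source] {e['ts']} {e['user']} from {e['src']} via {e['method']}")
    for e in find_password_then_key(evs):
        print(f"[password spray then key login] {e['ts']} {e['user']} from {e['src']}")
```

On a real host, replace `SAMPLE_LOG` with the contents of `/var/log/auth.log` (or `/var/log/secure` on RHEL-family systems); `journalctl` output carries a different timestamp prefix and needs the regexes adjusted. Run it across every PeopleSoft application and database host rather than one, since the article's campaign enumerated related systems from `/etc/hosts`.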

Why This Matters

ShinyHunters has been responsible for some of the highest-profile breaches in recent years, including attacks on Instructure's Canvas LMS affecting 30 million students and the World Food Programme breach exposing data from Gaza.

The group operates with speed and scale. When they identify a vulnerability that works, they weaponize it across hundreds of targets simultaneously. The combination of a CVSS 9.8 flaw with no authentication requirement and ShinyHunters' automated tooling made this outcome predictable.

For organizations running legacy enterprise software like PeopleSoft, this incident underscores the importance of minimizing attack surface. Internet-facing deployments of HR and financial systems carrying sensitive employee and student data should be behind VPNs or zero-trust architectures—not exposed to anyone with an HTTP client and a scanner.
