Critical PeopleSoft zero-day lets attackers steal gigabytes of data from hundreds of organizations

A critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft is being actively exploited by the ShinyHunters cybercriminal group, with more than 100 organizations compromised and roughly 300 PeopleSoft instances affected across multiple sectors.

CVE-2026-35273 carries a CVSS score of 9.8 out of 10 — critical severity. It affects the Environment Management Hub (PSEMHUB) component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. An attacker with network access over HTTP or HTTPS can send a crafted POST request to the exposed endpoint and take over the server completely. No authentication or user interaction is required (Ars Technica; NIST NVD).

Scale and sectors

The campaign, active between May 27 and June 9, 2026, has hit a diverse set of targets, but one sector stands out. Higher education accounts for 68% of confirmed victims — universities and colleges running PeopleSoft for student information systems, HR, and financial management. Hospitals, government agencies, and enterprises make up the remainder.

The University of Nottingham in the UK is the most publicly visible victim. ShinyHunters exfiltrated over 40 GB of data from the institution, affecting approximately 454,600 to 500,000 student and staff records. The stolen data includes personal information, billing records, credit card details, and campus portal exports spanning the university’s UK, Malaysia, and China campuses (The Hacker News; The Register).

Attribution

Mandiant’s Google Cloud threat intelligence group (which tracks the actor as UNC6240) confirmed the attacks are consistent with exploitation of CVE-2026-35273 and attributed the campaign to ShinyHunters, a financially motivated group active since at least 2019. Charles Carmakal, CTO of Mandiant, publicly warned about the active exploitation targeting PSEMHUB endpoints (HelpNetSecurity).

ShinyHunters has been posting victims on its dark web data leak site. The group’s method involves using a “gadget chain” that combines the zero-day with older known vulnerabilities, then moving laterally through compromised networks, establishing persistence, and attempting SSH connections to adjacent systems.

Oracle and CISA responses

Oracle issued an emergency out-of-band security alert on June 10, a rare move outside its quarterly Critical Patch Update cycle. However, multiple cybersecurity outlets reported that the advisory stopped short of delivering a full patch for all affected configurations, instead providing mitigations and recommending organizations restrict network access to the PSEMHUB endpoint or block it entirely from the internet (Oracle; BleepingComputer).

CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog on June 12, giving federal agencies until June 15 to patch under Binding Operational Directive 26-04 (CISA).

What makes this different

PeopleSoft is deeply embedded in enterprise and institutional infrastructure worldwide, particularly in higher education, where it often stores decades of student data with complex access controls that are difficult to retrofit. A critical unauthenticated RCE in the hub component that manages PeopleSoft environments means attackers can pivot from a single HTTP request to full database exfiltration.

The 68% concentration in higher education is also notable. Universities have historically struggled with cybersecurity staffing and legacy system remediation, leaving them disproportionately exposed to flaws in the enterprise software they rely on for core operations.

ShinyHunters has not stopped posting victims. Security teams running exposed PeopleSoft instances should assume compromise until they have confirmed patching.
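
One way to triage web access logs for the activity described above, as an added example that is not from the article, Oracle or Mandiant: it flags POST requests to the hub from addresses outside an allowlist during the reported campaign window. The `/PSEMHUB` path match, the allowlisted ranges, the log format and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone
# Assumption: the hub is served under a URL path containing the component
# name "PSEMHUB" given in the article; adjust the pattern to your deployment.
HUB_PATH = re.compile(r"/PSEMHUB(/|\?|$)", re.IGNORECASE)
# Assumption: networks that are allowed to reach the hub (management ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Campaign window reported in the article (May 27 to June 9, 2026), in UTC.
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))
# Common/combined access-log layout: ip - user [time] "METHOD path proto" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def suspicious_hub_posts(lines):
    """Return (ip, time, path, status) for in-window hub POSTs from non-allowed sources."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or unexpected line: skip rather than crash
        ip_s, ts, method, path, status = m.groups()
        if method != "POST" or not HUB_PATH.search(path):
            continue
        try:
            ip = ipaddress.ip_address(ip_s)
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if any(ip in net for net in ALLOWED_NETS):
            continue  # expected management traffic
        if WINDOW[0] <= when < WINDOW[1]:
            hits.append((ip_s, when, path, int(status)))
    return hits

def summarize(hits):
    return Counter(ip for ip, *_ in hits)  # requests per source address

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:03:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.1.2.3 - - [28/May/2026:03:15:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 431',
    '198.51.100.9 - - [29/May/2026:11:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 100',
    '203.0.113.7 - - [02/Jun/2026:22:40:10 +0000] "POST /psemhub/hub HTTP/1.1" 500 0',
    '198.51.100.9 - - [20/Apr/2026:09:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 404 0',
]
if __name__ == "__main__":
    print(summarize(suspicious_hub_posts(SAMPLE_LOG)))
```

Any hit is a lead for host-level review rather than proof of compromise, and an empty result only means the hub was not reached through the logged front end.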


Sources: Ars Technica (June 12, 2026); NIST NVD (June 12, 2026); Oracle Security Alert (June 10, 2026); CISA KEV Catalog (June 12, 2026); The Hacker News (June 12, 2026); BleepingComputer (June 11, 2026)
