Oracle Warns of Zero-Day Bug That Hackers Used to Breach Over 100 Organizations

Oracle has warned its corporate customers about a critical-rated vulnerability in its PeopleSoft software after the cybercrime group ShinyHunters used the flaw to compromise more than 100 organizations worldwide. The company published a security advisory on Thursday, but has not yet released a patch.

The vulnerability, tracked as CVE-2026-35273, is an unauthenticated remote code execution bug in PeopleSoft PeopleTools versions 8.61 and 8.62. It carries a CVSS score of 9.8 out of 10, placing it in the critical severity tier. Oracle said the flaw can be exploited over the internet without requiring a password.

Mandiant, the Google-owned incident response firm, confirmed in its own analysis that the same vulnerability is being actively exploited by ShinyHunters. Mandiant said it has notified “more than 100 global organizations” about exposure, with roughly two-thirds operating in higher education. Most victims are based in the United States.

### Zero-Day Exploitation Before a Patch Existed

The hackers began exploiting the PeopleSoft flaw as early as May 27, nearly two weeks before Oracle published its advisory. Because Oracle had no opportunity to fix the bug before attackers found and weaponized it, the exploitation qualifies as a zero-day attack.

Security researchers Bobby Gould, Lucas Miller, and Minh Giang of TrendAI discovered the vulnerability and reported it through Trend Micro’s Zero Day Initiative. Public awareness of the active exploitation campaign grew after security researcher @nahamike01 posted about it on X.

ShinyHunters told TechCrunch that the gang gained access by abusing the unpatched flaw in PeopleSoft servers. The group claimed to have compromised roughly 300 PeopleSoft instances across more than 100 organizations.

### University of Nottingham Confirmed as First Victim

The University of Nottingham has emerged as the first publicly confirmed victim. The hackers stole approximately 40 gigabytes of data, including roughly 455,000 unique email addresses, student records with passport numbers, and disability information. The data was published on ShinyHunters’ data leak website on June 9.

In a message shared with the university, the hackers claimed to have stolen “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses.”

Mandiant said that while some organizations successfully blocked the intrusion or remediated the vulnerability, others experienced full compromise resulting in published data theft.

### Attack Pattern: Data Theft and Extortion

The attack follows a pattern ShinyHunters has refined over the past year. Rather than deploying ransomware, the group focuses on data theft followed by extortion. The hackers steal sensitive corporate or customer data and threaten to publish it unless victims pay a ransom.

According to technical analysis by Mandiant and Google’s Threat Intelligence Group, the attackers deployed MeshCentral agents disguised as Azure services on compromised systems, then moved laterally across networks using SSH credential spraying.

In the past year, ShinyHunters has run similar campaigns targeting organizations using Salesforce, Gainsight, and education software from Instructure, as TechCrunch has previously reported. In each case, the group identifies a widely used enterprise software platform, finds a vulnerability, and exploits it across multiple victims at once.

### Oracle’s Response: Mitigations, No Patch Yet

Oracle has not released a full patch for CVE-2026-35273 as of Friday. The company’s security advisory recommends that PeopleSoft customers immediately apply the mitigations it published to prevent exploitation. Oracle did not respond to requests for comment from TechCrunch.

CISA, the U.S. cybersecurity agency, has not yet added the vulnerability to its Known Exploited Vulnerabilities catalog, a step that would trigger a binding operational directive requiring federal agencies to apply fixes.

The incident adds to a growing list of supply-chain-style attacks where a single unpatched vulnerability in widely used enterprise software becomes a vector for mass breaches. As ShinyHunters continues victim outreach and Mandiant tracks additional compromised organizations, more disclosures are expected in the days ahead.


Sources: TechCrunch (June 11, 2026); Mandiant / Google Cloud (June 12, 2026); Oracle Security Alert (June 11, 2026); The Hacker News (June 11, 2026)
