Signal
ShinyHunters exploit Oracle PeopleSoft zero-day to breach over 100 organizations, mainly universities
Evidence first: scan the strongest sources, then decide whether to go deeper.
Published 2026-06-11 20:29 UTCUpdated 2026-06-12 16:12 UTC
rss
cveexploitsbreachesmalwarethreat_actorsadvisories
Trend in the last 24h
Current brief openSource links open
This current signal is open on the public brief with summary, metadata, source links, and full evidence. Pro adds compare-over-time, alerts, exports, and workflow.
No card needed for the free brief.
Evidence trail (top sources)
top sources (4 domains)domains are deduped. counts indicate coverage, not truth.4 top sources shown
Overview
A critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools has been actively exploited by the ShinyHunters threat group since late May 2026. The flaw allows unauthenticated remote code execution, enabling attackers to compromise systems and steal data.
Entities
OracleGoogleMandiantShinyHuntersPeopleSoft PeopleTools
Score total
1.89
Momentum 24h
9
Posts
9
Origins
8
Source types
1
Duplicate ratio
0%
Why now
- Active exploitation detected since late May 2026, with public disclosure and patch only in June.
- ShinyHunters publicly leaked stolen data, increasing pressure on victims and urgency for response.
- Oracle's out-of-band patch underscores the critical severity and immediate threat posed by this flaw.
Why it matters
- Zero-day vulnerability exploited before patch release risks widespread data breaches.
- Higher education institutions are heavily targeted, impacting sensitive student and staff data.
- Highlights the need for rapid vulnerability management and network segmentation for critical enterprise software.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
- ShinyHunters exploited Oracle PeopleSoft zero-day CVE-2026-35273 to breach over 100 organizations, mainly universities.
- Oracle released an out-of-band patch for CVE-2026-35273 on June 10, 2026, after active exploitation was detected.
- The vulnerability allows unauthenticated remote code execution leading to full system compromise if PeopleSoft Environment Management Hub is internet-exposed.
How sources frame it
- Google Threat Intelligence Group: neutral
This incident highlights the critical risk posed by zero-day vulnerabilities in widely used enterprise software and the speed at which threat actors exploit them before patches are available.
All evidence
All evidence
CSO Online report on ShinyHunters extortion spree using Oracle zero-day
csoonline.com · csoonline.com · 2026-06-12 09:05 UTC
Rapid7 blog on active exploitation of Oracle PeopleSoft zero-day
rapid7.com · rapid7.com · 2026-06-12 13:43 UTC
ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw
CyberScoop · cyberscoop.com · 2026-06-12 16:12 UTC
Oracle fixes PeopleSoft flaw exploited by ShinyHunters
ComputerWeekly IT Security · computerweekly.com · 2026-06-12 12:22 UTC
NCSC-2026-0195 [1.00] [M/H] Kwetsbaarheid verholpen in Oracle PeopleSoft Enterprise PeopleTools
NCSC NL Security Advisories · advisories.ncsc.nl · 2026-06-12 07:25 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 5Origin domains: 5Duplicates: -
Showing 5 / 0
Top publishers (this list)
- csoonline.com (1)
- rapid7.com (1)
- CyberScoop (1)
- ComputerWeekly IT Security (1)
- NCSC NL Security Advisories (1)
Top origin domains (this list)
- csoonline.com (1)
- rapid7.com (1)
- cyberscoop.com (1)
- computerweekly.com (1)
- advisories.ncsc.nl (1)