Oracle PeopleSoft Zero-Day Exposes 100+ Companies

ShinyHunters exploited CVSS 9.8 vulnerability in PeopleTools 8.61 and 8.62 to steal student records from universities

By Nikshep Myle

Key Takeaways

  • ShinyHunters exploited CVE-2026-35273 to breach 100+ organizations through PeopleSoft servers
  • Universities suffered the majority of attacks, with hundreds of thousands of student records stolen
  • Oracle rated the vulnerability CVSS 9.8 (critical); exploitation requires no authentication

The ShinyHunters cybercrime group weaponized CVE-2026-35273 to breach PeopleSoft servers across mostly U.S. organizations, with roughly two-thirds of the attacks targeting universities, according to Google-owned incident response firm Mandiant. Your institution’s HR systems and student records (grades, demographics, contact details, even GPAs) became prime extortion material while Oracle scrambled to issue emergency guidance. The vulnerability affects PeopleSoft PeopleTools versions 8.61 and 8.62 and can be exploited remotely without authentication.

Critical Flaw Requires Zero Authentication

Attackers need nothing more than internet access to compromise vulnerable PeopleSoft servers.

The vulnerability earned Oracle’s highest threat rating: CVSS 9.8 critical. Remote code execution without authentication means attackers can compromise PeopleSoft PeopleTools from anywhere on the internet. Oracle’s security alert uses language reserved for the most severe exposures, calling mitigation implementation “a high-priority risk reduction measure” and strongly recommending “immediate action.” Your PeopleSoft deployment remains exposed until you apply their workarounds, which Oracle has detailed behind their customer support portal.

Universities Bear Brunt of Student Data Theft

Mandiant confirms higher education represents the majority of breach victims in this campaign.

Mandiant has notified affected organizations while coordinating damage assessment across the compromised systems. ShinyHunters claimed to steal “hundreds of thousands of student records” from at least one university, including full names, addresses, enrollment status, majors, and academic performance data. The group follows a consistent playbook: publish stolen data on leak sites when ransom demands go unpaid. According to Mandiant, “while several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published.”

Pattern Emerges in Enterprise Software Targeting

ShinyHunters systematically exploits shared platforms for maximum victim impact across sectors.

This marks ShinyHunters’ latest campaign targeting organizations through common software vulnerabilities. Over the past year, the group exploited flaws in:

  • Salesforce
  • Gainsight
  • Instructure’s Canvas platform

The strategy mirrors other major breaches: find zero-days in widely deployed enterprise software, then harvest data from dozens of organizations simultaneously.

Oracle’s mitigation guidance emphasizes immediate action while patches remain unavailable. The company’s history suggests network segmentation, access restrictions, and disabling non-essential PeopleTools features provide temporary protection. Back-office systems you never think about hold your most sensitive institutional data, and hackers have figured out exactly where to strike.
