Oracle on 10 June 2026 issued an out-of-band Security Alert for CVE-2026-35273, a critical vulnerability in PeopleSoft Enterprise PeopleTools that was already being exploited in the wild before the fix existed. The flaw carries a CVSS 3.1 base score of 9.8: it is remotely exploitable over the network, requires no authentication and no user interaction, and can lead to remote code execution. According to Oracle's advisory, it sits in the Updates Environment Management component and affects PeopleTools versions 8.61 and 8.62, with PeopleSoft Enterprise Applications customers also potentially exposed. Oracle released emergency mitigations and directed customers to its patch-availability documentation; organisations running affected versions should treat remediation as urgent rather than waiting for a routine cycle.

The severity is compounded by the timing. Oracle's own alert does not discuss exploitation, but Mandiant — now part of Google Cloud — and the Google Threat Intelligence Group reported observing in-the-wild exploitation of the flaw as a zero-day between 27 May and 9 June, predating the advisory by roughly two weeks. Mandiant CTO Charles Carmakal publicly warned that the vulnerability was being used in data-theft attacks. In other words, by the time the alert landed, attackers had been able to target internet-facing PeopleSoft systems for nearly a fortnight.

What the flaw is, and why PeopleSoft is a high-value target

CVE-2026-35273 was reported to Oracle through the Zero Day Initiative of TrendAI (Trend Micro's enterprise business), with Oracle's advisory crediting researchers including Bobby Gould; TrendAI has characterised the underlying weakness as a server-side request forgery. The practical risk is straightforward: an unauthenticated attacker reaching an exposed PeopleSoft endpoint over HTTP can attempt to run code on the server, with high impact to confidentiality, integrity and availability.

PeopleSoft matters here because of what it holds. It is an enterprise resource-planning suite that large organisations — universities prominent among them — use to run human resources, payroll, finance, procurement and campus administration. A single exploitable flaw in that layer does not expose one application; it exposes the system of record for an institution's people and money. That is the kind of data an extortion-focused group wants.

The campaign: attributed to ShinyHunters, with a claim of 100-plus victims

Google and Mandiant attributed the exploitation activity to ShinyHunters, a financially motivated extortion group that Google tracks as UNC6240, and said the campaign concentrated on the education sector. In its own report, Google said it notified more than 100 global organisations whose IP addresses correlated with potentially vulnerable endpoints; most were based in the United States, and 68 percent were in the higher-education sector. Several organisations blocked or remediated the activity, while others were compromised and had data published on the group's leak site. Separately, people claiming affiliation with ShinyHunters told security media they had compromised roughly 300 PeopleSoft instances across more than 100 organisations, combining the zero-day with older known flaws. That 300-instance figure remains the group's own claim; it has not been independently confirmed, and the full victim count is not established.

What the attackers reportedly do after gaining access follows a familiar extortion pattern: enumerate internal systems, move laterally, prioritise stealing data, and then leave ransom notes demanding payment under threat of publication. Defenders do not need the attackers' tooling details to act on this — the relevant point is that exploitation is for data theft and extortion, so the response has to assume exfiltration may already have occurred, not merely patch and move on.

The confirmed impact: University of Nottingham

The University of Nottingham is the first named victim in public reporting linked to the campaign. The university confirmed that its student-records system had been accessed without authorisation, said it had reported the incident to the UK Information Commissioner's Office and to Action Fraud, and stood up a dedicated support line for those affected. The university has not publicly attributed the breach to any particular group.

ShinyHunters claimed responsibility and posted sample files on its dark-web leak site as proof, asserting it had taken more than 40GB of data spanning Nottingham's UK, Malaysia and China campuses. Breach-notification reporting citing Have I Been Pwned's analysis put the affected population at roughly 454,600 current and former students, with exposed fields including names, home addresses, phone numbers, email addresses, dates of birth, ethnicity and disability information, passport numbers, and academic-enrolment and fee-payment records. The combination of identity documents, contact details and financial data in one place creates a sustained risk of identity fraud and targeted phishing for those affected, well beyond a simple password leak. Additional fields claimed by the attackers — such as credit-card and student-finance specifics — should be treated as alleged unless confirmed by Nottingham or an independent dataset analysis.

For context, UK higher education has been under unusual pressure: the University of Oxford disclosed a breach in the same period. That incident is a separate matter — it affected the third-party careers platform CareerConnect, run by provider Group GTI, exposed names, email addresses and (for non-single-sign-on users) encrypted passwords, and Oxford said there was nothing to suggest ransomware. It is not the PeopleSoft flaw and not part of the same campaign, and is mentioned only to show the breadth of activity against the sector.

What to do now

The action set is unambiguous. Apply Oracle's mitigations for CVE-2026-35273 immediately on PeopleTools 8.61 and 8.62, and consult Oracle's patch-availability document for the latest fix status; organisations on older, unsupported versions should assume potential exposure and prioritise upgrading. Because exploitation ran from at least 27 May, patching alone is insufficient — affected operators should hunt for signs of prior compromise rather than assume a clean system, reviewing logs for unexpected connections to internet-facing PeopleSoft endpoints over the exploitation window, checking for unauthorised accounts or files, and treating any confirmed access as a potential data-theft incident with the corresponding breach-response and notification obligations. Where exposure is uncertain, temporarily restricting internet access to PeopleSoft until investigation and hardening are complete is a reasonable precaution.
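The log review described above can start with a pass like the following. This is an added example, not code from Oracle, Google or Mandiant; it assumes a web-tier access log in common/combined format, and the expected-network list, sample lines and request paths are constructed placeholders.

```python
import ipaddress
import re
from datetime import datetime, timezone
# Window reported on this page: 27 May to 9 June 2026 (end bound is exclusive).
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))
# Assumption: networks that legitimately reach the web tier (constructed values).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Common/combined log format; adjust to the web server actually in use.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})\b')

# Constructed sample lines; the paths are placeholders, not real PeopleSoft URLs.
SAMPLE_LOG = [
    '10.1.2.3 - - [28/May/2026:09:14:02 +0000] "GET /example/a HTTP/1.1" 200 512',
    '198.51.100.23 - - [28/May/2026:23:41:10 +0000] "POST /example/b HTTP/1.1" 200 90',
    '198.51.100.23 - - [02/Jun/2026:01:05:44 +0000] "POST /example/b HTTP/1.1" 200 90',
    '203.0.113.7 - - [20/May/2026:12:00:00 +0000] "GET /example/a HTTP/1.1" 200 512',
    'garbage line',
]

def parse(line):
    """Return (ip, timestamp, path), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return (ipaddress.ip_address(m.group(1)),
                datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"),
                m.group(4))
    except ValueError:
        return None

def unexpected_sources(lines):
    """Summarise in-window requests from sources outside EXPECTED_NETS."""
    hits = {}
    for ip, ts, path in filter(None, map(parse, lines)):
        if not (WINDOW[0] <= ts < WINDOW[1]):
            continue
        if any(ip in net for net in EXPECTED_NETS):
            continue
        h = hits.setdefault(str(ip), {"count": 0, "first": ts, "last": ts, "paths": set()})
        h["count"] += 1
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
        h["paths"].add(path)
    return hits

if __name__ == "__main__":
    for ip, h in sorted(unexpected_sources(SAMPLE_LOG).items()):
        print(ip, h["count"], h["first"].isoformat(), h["last"].isoformat(), sorted(h["paths"]))
```

Each source it returns is a lead to correlate with account, file and outbound-transfer evidence, not a confirmed compromise.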

Key Takeaways

  • CVE-2026-35273 is a CVSS 9.8, unauthenticated, network-exploitable remote-code-execution flaw in Oracle PeopleSoft PeopleTools 8.61 and 8.62; Oracle issued an out-of-band alert with mitigations on 10 June 2026.

  • Mandiant (Google Cloud) and the Google Threat Intelligence Group confirmed in-the-wild zero-day exploitation between 27 May and 9 June 2026 — about two weeks before the advisory — so patching alone is not enough; hunt for prior compromise.

  • Google and Mandiant attributed the data-theft campaign to the extortion group ShinyHunters (tracked as UNC6240); Google notified 100-plus organisations with exposed endpoints, 68 percent of them in higher education. ShinyHunters' own claim of ~300 instances is unverified.

  • The University of Nottingham is the first named victim in public reporting linked to the campaign; it notified the ICO and Action Fraud and has not itself named a group. Breach-notification reporting citing Have I Been Pwned's analysis put the number of people affected at about 454,600, with passports, demographics and enrolment/fee records among the exposed data.

  • A separate Oxford breach in the same period (the GTI-run CareerConnect platform) is unrelated to the PeopleSoft flaw — included only to show the pressure on the UK education sector, not as part of this campaign.