Oracle PeopleSoft Zero-Day Compromises Over 100 Organizations
Hacker group ShinyHunters exploited Oracle PeopleSoft zero-day CVE-2026-35273, breaching over 100 organizations, including the University of Nottingham, where 40 GB of data was stolen. Google threat intel confirms.
The hacker group ShinyHunters has announced that it exploited an unpatched zero-day vulnerability in Oracle PeopleSoft to infiltrate over 100 organizations. The University of Nottingham has been named as the first victim, with 40 GB of data, including student information and billing records, reportedly leaked. Google’s threat intelligence report also corroborates the attack, with higher education institutions being the primary targets.
According to The Register, ShinyHunters posted the University of Nottingham on its data leak site and released the stolen files on the same day. The university did not engage in negotiations, reportedly due to a rejected ransom demand. A ShinyHunters spokesperson stated, “The University of Nottingham is one of the first publicly confirmed cases. We have just begun contacting affected organizations and are actively seeking agreements.” The group has not specified when data from over 100 other victim organizations will be released.
Google Threat Intel Corroborates
Google’s threat intelligence report supports ShinyHunters’ claims. According to the report, malicious activity consistent with the exploitation of CVE-2026-35273 was observed between May 27 and June 9. Google has notified over 100 global organizations with IP addresses linked to potentially vulnerable endpoints. The majority are based in the United States, with 68% belonging to the higher education sector.
The number of organizations affected suggests a broad scanning operation rather than a targeted campaign. PeopleSoft is an ERP system widely used by large organizations such as universities, and its prevalence likely contributed to the scale of the breach.
Oracle’s Response Remains Unclear
Oracle has published a “patch availability document,” but it is unclear whether an effective patch is currently available. This document indicates the status of patch preparation, but there has been no clear announcement regarding the release timeline for an actual fix. Organizations are forced to rely on workarounds and temporary defenses until a permanent solution becomes available.
Detailed technical information about CVE-2026-35273 has not yet been disclosed, but it has been confirmed that ShinyHunters used the vulnerability to infiltrate organizational networks and access databases. It is likely either a remote code execution or authentication bypass vulnerability.
Industry Impact and Remediation Challenges
This incident presents new challenges for managing the security of enterprise ERP systems. PeopleSoft operates as a core system in many universities and government agencies, and a single compromise can have widespread repercussions. Higher education institutions, in particular, face difficulties due to limited security budgets and complex IT environments.
As data protection becomes increasingly critical, encrypted collaboration tools are progressing, such as Encrypted Spaces, the encrypted collaboration platform being built by a Signal co-founder. However, this incident highlights that vulnerability remediation for core systems continues to lag.
For organizations, urgent measures include thorough network segmentation for unpatched systems, enhanced intrusion detection systems, and the development of incident response plans that account for zero-day breaches. Google has already issued notifications, but some affected organizations may not yet be aware.
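One way to begin scoping that review, as an added example that does not come from the article, Google, or Oracle: list the external clients that reached the PeopleSoft web tier during the May 27 to June 9 window. It assumes combined-format access logs, the year 2026 (taken from the CVE ID), UTC window boundaries, and site-specific values for `INTERNAL_NETS` and `PS_PREFIXES`. The output is a list of sources to review, not evidence of exploitation.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Activity window from the article; year and UTC boundaries are assumptions.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive: covers all of June 9
# Assumptions: your own address space and the URL prefixes your web tier serves.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
PS_PREFIXES = ("/psp/", "/psc/")  # not CVE indicators; extend for your site
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines in combined log format (documentation addresses).
SAMPLE_LOG = [
    '198.51.100.23 - - [26/May/2026:23:58:10 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/May/2026:00:04:41 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/May/2026:00:04:43 +0000] "POST /psc/ps/EMPLOYEE/ HTTP/1.1" 500 310',
    '10.20.30.40 - - [02/Jun/2026:09:15:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '203.0.113.77 - - [09/Jun/2026:23:59:59 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '203.0.113.77 - - [10/Jun/2026:00:00:01 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '203.0.113.77 - - [05/Jun/2026:12:00:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

def external_hits_in_window(lines):
    """Summarise external clients that requested PeopleSoft paths inside the window."""
    hits = defaultdict(lambda: {"requests": 0, "paths": set(), "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m[4].startswith(PS_PREFIXES):
            continue  # unparseable line or a non-PeopleSoft URL
        try:
            ip = ipaddress.ip_address(m[1])
            when = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname in the client field or a malformed timestamp
        if any(ip in net for net in INTERNAL_NETS) or not (WINDOW_START <= when < WINDOW_END):
            continue
        rec = hits[m[1]]
        rec["requests"] += 1
        rec["paths"].add(m[4].split("?", 1)[0])  # drop the query string
        rec["statuses"].add(int(m[5]))
    return sorted(hits.items(), key=lambda kv: -kv[1]["requests"])  # busiest first

if __name__ == "__main__":
    for src, rec in external_hits_in_window(SAMPLE_LOG):
        print(src, rec["requests"], sorted(rec["paths"]), sorted(rec["statuses"]))
```

Legitimate remote users will appear in the output as well, so compare the listed sources against known VPN egress and partner addresses before escalating.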
Editorial Opinion
Short-Term Impact: Over the next three to six months, groups mimicking ShinyHunters’ attack methods are likely to increase. Once technical details of CVE-2026-35273 become public, more attackers will search for targets. Higher education institutions should be especially vigilant, with enhanced network monitoring and system audits recommended for a period. If Oracle’s patch delivery is delayed, the damage could expand further.
Long-Term Perspective: This incident serves as a catalyst to re-evaluate the security governance of large-scale ERP systems. It underscores the severe business impact of the time lag between zero-day discovery and patch deployment. In the long term, migration to cloud-native architectures and standardization of vulnerability management across the supply chain are expected. Organizations with complex systems, such as universities, may need to mandate regular security assessments and incident response drills.
Editorial Question: How long will Oracle take to provide a patch? And why does the corporate culture of leaving “known unpatched vulnerabilities” persist, as exposed by this attack? Should user organizations intensify pressure on ERP vendors for transparency in vulnerability disclosure and patch deployment? This incident renews the question of accountability in enterprise software.
Frequently Asked Questions
- Are the details of the CVE-2026-35273 vulnerability publicly available?
  Currently, specific technical information has not been released. We must await further analysis by security researchers or the publication of an official advisory from Oracle.
- How did ShinyHunters select targets?
  They are believed to have scanned internet-exposed PeopleSoft endpoints and automatically identified vulnerable systems. Given that Google's notifications spanned over 100 organizations, the attack was likely a broad scan-based operation.