
Oracle fixes PeopleSoft flaw exploited by ShinyHunters | Computer Weekly

By Computer Weekly
June 12, 2026


Oracle has issued an out-of-band patch for a remote code execution (RCE) zero-day vulnerability affecting its PeopleSoft Enterprise PeopleTools product that is being exploited in a rapidly-spreading ShinyHunters campaign.

Tracked as CVE-2026-35273, the vulnerability is known to be remotely exploitable without authentication, posing a serious risk to unpatched environments.

“We consider implementation of the recommended mitigations to be a high-priority risk reduction measure and strongly recommend immediate action to address the identified exposure,” noted Oracle.

“Oracle always recommends that customers remain on actively-supported versions and apply all Critical Patch Updates, Critical Security Patch Updates and Security Alerts without delay.”

UK university confirms breach via Oracle

The vulnerability is already known to have been used in a developing cyber attack on the University of Nottingham.

According to the ongoing forensic investigation, the University was breached via a vulnerability in Oracle WebLogic – which is a server platform used to develop, deploy and run Java applications that forms a key part of the PeopleSoft Internet Architecture.

In contact with Bleeping Computer, ShinyHunters claimed to have stolen 40GB of data relating to 450,000 students past and present. The data is believed to comprise full names, birthdates and contact details, financial data related to their studies, information on characteristics such as ethnicity or disability, and passport data.

In a statement earlier today (12 June), a University spokesperson said: “Our investigation into this incident is continuing, and this matter has now become a criminal investigation, with police involved alongside ongoing forensic work.

“We are continuing to work closely with cyber security specialists and regulatory authorities to understand the scope of the data accessed and to ensure our system remains secure. We know how concerning this situation is and as soon as we have more definitive information to share, we will provide a further update,” they added.

The University has established a dedicated web page and contact phone lines for affected individuals.

According to the Google Threat Intelligence Group and Mandiant, ShinyHunters began exploiting CVE-2026-35273 a few weeks ago, on 27 May.

GTIG said that upon becoming aware of active scanning and exploitation, it notified over 100 organisations with IP addresses correlating with potentially at-risk endpoints, 68% of them in the higher education sector.

Public reports obtained via social media platform X have subsequently enabled its team to piece together a detailed breakdown of ShinyHunters’ campaign, which can be found here.

Education in the crosshairs

Since the summer of 2025, various ShinyHunters campaigns have targeted multiple different verticals, with the group favouring mass compromise of software products used by similar organisations.

Over the past couple of months, the collective has been targeting education institutions specifically, and the PeopleSoft attacks follow swiftly on the heels of its April compromise of Instructure’s Canvas learning management system.

In that instance, ShinyHunters claimed to have exfiltrated 3.65 TB of data comprising 275 million records from almost 9,000 different institutions.

The danger in the exposure of highly sensitive data relating to children and students lies not just in the situation in which ShinyHunters’ victims find themselves, but in the potential for other threat actors to conduct personalised downstream attacks against individuals.

Keven Knight, CEO of Talion, said: “Now that this data has been compromised, students and alumni must be vigilant for phishing scams as this is likely the route the attackers will take to monetise from the incident, if their ransom demand is not met.”


