NE Times

ShinyHunters exploit Oracle zero-day to breach more than 100 organisations, hitting universities hardest

An extortion group abused an unpatched flaw in Oracle's PeopleSoft software to steal data from scores of institutions, including the University of Nottingham, before Oracle issued a fix.

Daniel Hartley

Cybersecurity Reporter


The cyber-extortion group known as ShinyHunters has compromised more than 100 organisations by exploiting a previously unknown flaw in Oracle's widely used PeopleSoft enterprise software, with universities bearing the brunt of the campaign. The breach is among the most significant supply-chain-style incidents of the year, exposing how heavily large institutions depend on one piece of back-office software and how quickly a single vulnerability can be turned into sprawling data theft.

The vulnerability, catalogued as CVE-2026-35273, is a remote code execution bug in PeopleSoft Enterprise PeopleTools that carries a severity score of 9.8 out of 10. Security researchers warn that it can be exploited over the network without any login or user interaction, allowing attackers to take control of an affected server. Flaws of this nature are the most prized of all, because they require no credentials, no phishing and no insider access; an exposed system facing the internet is enough.

PeopleSoft is a mainstay of administration at large organisations, used to manage human resources, finance, student records and payroll. Its ubiquity in higher education helps explain why universities were hit hardest, and why the consequences of the campaign reach into the personal data of staff and students who may have had no idea their institution relied on the software.

A zero-day for weeks

Investigators at Google's Mandiant, who track the group as UNC6240, dated the malicious activity to between 27 May and 9 June. Oracle did not publish its advisory until 10 June, meaning the flaw was an unpatched zero-day throughout the attack window. The company subsequently issued an out-of-band security alert urging customers to apply the fix without delay.

The term zero-day refers to a vulnerability that is exploited before the vendor has released a patch, leaving defenders with no official remedy. In this case the gap between the start of the attacks and the publication of a fix gave the group close to two weeks of largely unobstructed access, ample time to identify vulnerable installations, establish a foothold and extract large volumes of data.

Reporting indicates that the campaign reached roughly 300 vulnerable installations, with the higher-education sector accounting for the majority of victims. The scale suggests an automated or semi-automated approach in which the attackers scanned the internet for exposed PeopleSoft systems and exploited them in bulk, rather than targeting a single high-value organisation.

Data published after refusal to pay

ShinyHunters has built a reputation as a financially motivated group that combines data theft with public pressure, naming victims on a leak site and threatening to release stolen files unless a ransom is paid. The strategy is designed to maximise leverage: organisations face not only the operational disruption of a breach but the reputational damage of seeing sensitive records exposed.

  • The attackers stole data and demanded payment to keep it private
  • The University of Nottingham was named on the group's leak site
  • Around 40GB of personal and billing records were reportedly taken
  • Stolen files were published after the demand was apparently refused
  • Roughly 300 vulnerable installations were reached, mostly in higher education

When a critical, unauthenticated flaw sits in software this widely deployed, the window between discovery and patching is everything. Attackers will always move faster than defenders expect.

A cybersecurity researcher familiar with the campaign

The University of Nottingham was among the institutions named publicly, with the attackers claiming to have taken around 40GB of personal and billing records. After the demand was apparently refused, stolen files were published, a tactic intended both to punish the victim and to warn others against resisting future demands.

Background

ShinyHunters has been linked to a string of high-profile breaches in recent years, frequently exploiting weaknesses in enterprise software and cloud services. The group has shown a consistent pattern of mass exploitation followed by extortion, a model that has proved lucrative across multiple sectors. Its activity sits within a broader rise in attacks against the software that organisations rely on for core operations, where a single flaw can cascade across hundreds of customers.

Universities are a recurring target for such campaigns. They hold rich stores of personal data, operate sprawling and sometimes ageing IT estates, and must balance security against the openness expected of academic institutions. Constrained budgets and decentralised systems can leave gaps that well-resourced attackers are quick to find.

What happens next

Administrators running PeopleSoft are being advised to apply Oracle's patch as a matter of urgency and to review their systems for signs of compromise dating back to late May. Because the attackers had access for an extended period, simply patching the flaw is not enough; affected organisations must hunt for any persistence the group may have left behind and assess exactly what data was taken. Regulators and affected individuals are likely to scrutinise how breached institutions respond, and the episode is certain to renew pressure on organisations to reduce their exposure of critical systems to the open internet.

Source: This summary is based on reporting by The Hacker News. The NE Times aggregates and rewrites news for readability; please refer to the original for the full report.
