The Bottom Line: Improper authentication in Oracle PeopleSoft Enterprise PeopleTools (CVE-2026-35273, CVSS 9.8) enabled unauthenticated remote access and affected versions 8.61 and 8.62.
The hacker group ShinyHunters is exploiting a critical zero-day vulnerability in Oracle PeopleSoft and has reportedly compromised over 100 organizations across approximately 300 vulnerable instances. The attacks began as early as May 2026, before Oracle publicly disclosed the security flaw.
The vulnerability CVE-2026-35273 affects Oracle PeopleSoft Enterprise PeopleTools in versions 8.61 and 8.62, and potentially older, unsupported versions. It carries a CVSS score of 9.8 and enables unauthenticated remote access via HTTP, allowing attackers to execute malicious code and gain full control of servers.
According to Google Mandiant, attacks began on May 27, 2026 and continued at least until June 9, 2026—before Oracle’s emergency advisory on June 10. Approximately 68 percent of the over 100 targeted organizations come from the higher education sector, predominantly in the United States. PeopleSoft is used by large enterprises and institutions to manage human resources, payroll, supply chains, and student data.
The University of Nottingham confirmed unauthorized access to its student registration system. After the university refused ransom demands, ShinyHunters published approximately 40 gigabytes of stolen data online. According to Have I Been Pwned, the data contains roughly 455,000 unique email addresses of students and alumni, as well as full names, phone numbers, postal addresses, passport numbers, and sensitive information regarding ethnicity and disabilities.
Oracle has provided interim safeguards. The vendor strongly recommends administrators disable the Environment Management Hub service or block external access to affected interfaces via firewall until full updates become available.
Source: www.it-daily.net · Published June 12, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.