ShinyHunters breached 100+ companies through an unpatched Oracle PeopleSoft zero-day

At a glance:

  • Cybercrime group ShinyHunters exploited a critical unpatched Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) to breach 100+ organizations globally
  • Two-thirds of victims are educational institutions, including the University of Nottingham
  • Oracle has not released a patch despite knowing of the exploit since Thursday

What happened

The breach unfolded through a combination of zero-day and legacy vulnerabilities in Oracle PeopleTools versions 8.61 and 8.62. ShinyHunters targeted both cloud-hosted and on-premises instances, compromising approximately 300 servers across 100+ organizations. Google’s Mandiant confirmed the exploited flaw matches Oracle’s disclosed vulnerability and identified over 100 affected entities, primarily in the United States. The attack methodology involved identifying vulnerable systems, exploiting the flaw, and exfiltrating sensitive data containing student records with personally identifiable information (PII) including full names, addresses, dates of birth, GPAs, and student IDs. ShinyHunters published stolen data from compromised institutions on its Data Leak Website after some organizations failed to remediate the vulnerability. The breach follows a pattern of targeting organizations using shared enterprise software, having previously exploited vulnerabilities in Salesforce, Gainsight, and Instructure’s Canvas platform. Earlier this year, Instructure paid ShinyHunters after two breaches, and the group defaced login pages of schools using Canvas. Oracle recommended temporary mitigations but has not provided a timeline for a permanent fix.

Who is affected

The attack disproportionately impacts educational institutions, with 66% of victims being universities and colleges. Notable among them is the University of Nottingham, which confirmed its systems were compromised. Enterprise organizations using Oracle PeopleSoft for payroll, human resources, and student record management also face significant risk. Because the flaw can be exploited over the internet without authentication, any exposed PeopleSoft system worldwide is a potential target. Organizations that blocked the activity or applied mitigations before data exfiltration avoided compromise, but many institutions remain vulnerable. The breach underscores the systemic risk posed by unpatched zero-days in widely deployed enterprise software. ShinyHunters’ focus on educational institutions suggests a strategic shift toward sectors with high data sensitivity and often slower patch cycles. The group’s ongoing campaign indicates no immediate resolution, with Oracle’s lack of a patch timeline exacerbating the risk.

How the exploit works

ShinyHunters leveraged a chain of vulnerabilities, combining a zero-day flaw with older weaknesses in Oracle PeopleTools. The primary exploit, CVE-2026-35273, allows remote code execution without authentication, enabling attackers to gain initial access to vulnerable systems. Once inside, the group escalates privileges using additional vulnerabilities to access sensitive databases. The attack chain targets both cloud and on-premises deployments, highlighting the vulnerability’s broad attack surface. Compromised servers are then used to exfiltrate data, with ShinyHunters publishing stolen records on its leak site to pressure victims into paying ransoms. The group’s tactics mirror previous campaigns, such as the 2023 Instructure breaches, where they defaced login pages to publicly shame institutions. Oracle’s advisory provides mitigation steps, including restricting internet access to PeopleSoft servers and applying interim security configurations. However, without a patch, organizations remain exposed to repeat attacks. The vulnerability’s persistence in unpatched systems creates a window for sustained exploitation, particularly in environments with delayed patch management processes.

The broader implications

This breach highlights the growing threat of industrialized cybercrime targeting enterprise software ecosystems. ShinyHunters’ ability to exploit unpatched zero-days at scale demonstrates how attackers leverage software supply chains to maximize impact. The incident follows a trend where hacking groups identify critical vulnerabilities, map vulnerable organizations, and execute mass breaches before patches are available. Oracle’s delayed patch response amplifies the risk, as the company disclosed the flaw publicly without immediately resolving it. The education sector’s heightened vulnerability reflects broader challenges in securing legacy systems with limited IT resources. ShinyHunters’ focus on universities suggests a strategic shift toward institutions with valuable data and complex IT infrastructures. The breach also underscores the limitations of vulnerability disclosure programs, as organizations may lack the capacity to remediate critical flaws promptly. With AI-driven vulnerability discovery accelerating, defenders face increasing pressure to modernize patch management and adopt proactive security measures.

ShinyHunters’ evolving tactics

The PeopleSoft campaign exemplifies ShinyHunters’ industrialized approach to cybercrime. Over the past year, the group has targeted organizations using shared enterprise software, including Salesforce, Gainsight, and Instructure. Their tactics involve identifying vulnerable systems, exploiting weaknesses, and exfiltrating data for ransom. In previous campaigns, ShinyHunters defaced login pages of schools using Instructure’s Canvas portal, publicly exposing compromised institutions. The group’s ransom demands have led to at least one payment, from Instructure earlier this year. The PeopleSoft breach represents their largest campaign to date, with over 300 servers compromised across 100+ organizations. ShinyHunters’ ability to chain vulnerabilities and target both cloud and on-premises instances highlights their adaptability, and their continued focus on educational institutions points to sectors with high data sensitivity and often slower patch cycles.

What to watch next

Organizations using Oracle PeopleSoft must prioritize implementing mitigations, including restricting internet access to PeopleSoft servers and applying interim security configurations. Oracle’s delayed patch response raises concerns about its vulnerability management process, particularly for critical software used by universities and enterprises. The cybersecurity community should monitor for potential follow-on exploits targeting unpatched systems. Regulatory scrutiny may increase if affected institutions fail to protect sensitive student data, potentially triggering GDPR or FERPA violations. ShinyHunters’ pattern of targeting shared software ecosystems suggests future campaigns may focus on other widely used platforms, including cloud services and education technology. The group’s industrialized approach to cybercrime underscores the need for improved coordination between software vendors, security researchers, and affected organizations. As AI accelerates vulnerability discovery, defenders must enhance patch management and adopt proactive threat-hunting strategies to close exploitation windows.

The role of AI in cybercrime

The ShinyHunters breach highlights how AI is lowering the barrier to discovering and exploiting vulnerabilities. AI-powered tools can rapidly identify software flaws, map vulnerable systems, and automate attack chains, enabling groups like ShinyHunters to industrialize cybercrime. The group’s ability to exploit a zero-day vulnerability in widely deployed enterprise software demonstrates the growing threat of AI-augmented hacking. While defenders rely on manual patching and reactive security measures, attackers leverage AI to accelerate vulnerability discovery and exploitation. This disparity creates a widening gap between threat actors and defenders, particularly in sectors with limited security resources. The breach also underscores the need for AI-driven security solutions, such as automated patch management and real-time vulnerability scanning. As AI continues to evolve, cybersecurity strategies must adapt to counter increasingly sophisticated and scalable attacks.

Editorial

SiliconFeed is an automated feed: facts are checked against sources; copy is normalized and lightly edited for readers.

Prepared by the editorial stack from public data and external sources.