ShinyHunters exploits critical PeopleSoft zero-day to extort higher education sector
With Oracle yet to release a full patch, security firms warn of significant data theft and active extortion campaigns against universities and other institutions.

The ransomware collective ShinyHunters has exploited a critical zero-day vulnerability in Oracle’s PeopleSoft software suite to compromise approximately 100 organisations and around 300 endpoints. The attack, centred on the server-side request forgery (SSRF) flaw CVE-2026-35273, has resulted in the theft of gigabytes of data and active extortion attempts against victims. Google’s Mandiant security team confirmed that the group has been leveraging the vulnerability since 27 May 2026, with exploitation continuing for more than two weeks before Oracle publicly flagged the issue.
CVE-2026-35273 carries a severity rating of 9.8 out of 10, making it one of the most critical vulnerabilities exploited this year. The flaw allows attackers to make a vulnerable server issue requests to internal systems used by the targeted organisation. While Oracle has issued a stopgap mitigation, a full patch has not yet been released. Mandiant and Rapid7 are currently advising PeopleSoft customers on immediate remediation steps, noting that the group’s success rate warrants urgent attention from all users of the software.
The higher education sector has been disproportionately affected, with approximately 68 percent of the targeted organisations operating within this space. The University of Nottingham confirmed on Wednesday that it was among the victims, disclosing that a significant amount of student data had been compromised. The university’s confirmation followed ShinyHunters’ claim of responsibility and the publication of stolen data on its data leak site (DLS).
Investigative analysis by Mandiant revealed that the attackers left behind a staging server containing attack tools and a bash script used for reconnaissance. The script mapped PeopleSoft configurations, viewed process scheduler details, and examined WebLogic server XML configurations. The threat actors then compressed the stolen data with the zstd tool and established an outbound SSH connection to IP address 176.120.22.24, which hosts their DLS. The DLS claimed to hold 48GB of data taken from a single victim.
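As an added illustration (not code from the article or from Mandiant), the following shows how a defender could hunt for the two host-observable indicators reported above, the outbound SSH session to the leak-site IP and the use of zstd to package data, by running simple detection logic over constructed netflow and process-audit log lines; the host name psft-web01, the internal addresses and both log formats are assumptions.

```python
import re

# Indicators taken from the article: the leak-site (DLS) host contacted over SSH
# and the compression tool used to package stolen data before exfiltration.
DLS_IP = "176.120.22.24"
EXFIL_TOOLS = {"zstd"}

# Constructed sample logs (not real telemetry). Formats, host name and
# internal addresses are assumptions; 51539607552 bytes is 48GB.
NETFLOW_LOG = """\
2026-06-01T02:11:09Z src=10.20.0.15 dst=176.120.22.24 dport=22 proto=tcp bytes=51539607552
2026-06-01T02:11:10Z src=10.20.0.15 dst=10.20.0.40 dport=1521 proto=tcp bytes=8820
2026-06-01T02:12:44Z src=10.20.0.22 dst=93.184.216.34 dport=443 proto=tcp bytes=1200
"""
PROCESS_LOG = """\
2026-06-01T02:05:02Z host=psft-web01 user=psadm cmd="/bin/bash /tmp/.st/recon.sh"
2026-06-01T02:05:31Z host=psft-web01 user=psadm cmd="/usr/bin/zstd -19 -T0 /tmp/.st/dump.tar"
2026-06-01T02:30:00Z host=psft-web01 user=psadm cmd="/opt/psft/bin/psadmin -status"
"""

NETFLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+ bytes=(?P<bytes>\d+)")
PROCESS_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"')


def flag_egress(log: str, dls_ip: str = DLS_IP) -> list[dict]:
    """Return netflow records showing outbound SSH (tcp/22) to the leak-site IP."""
    hits = []
    for line in log.splitlines():
        m = NETFLOW_RE.match(line)
        if m and m["dst"] == dls_ip and m["dport"] == "22":
            hits.append({"ts": m["ts"], "src": m["src"], "bytes": int(m["bytes"])})
    return hits


def flag_staging(log: str) -> list[dict]:
    """Return process records where zstd runs on a host: a sign of data being staged."""
    hits = []
    for line in log.splitlines():
        m = PROCESS_RE.match(line)
        if not m:
            continue
        argv = m["cmd"].split()
        tool = argv[0].rsplit("/", 1)[-1] if argv else ""  # basename of the executable
        if tool in EXFIL_TOOLS:
            hits.append({"ts": m["ts"], "host": m["host"], "user": m["user"], "cmd": m["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in flag_egress(NETFLOW_LOG) + flag_staging(PROCESS_LOG):
        print("ALERT", hit)
```

In practice the egress check belongs on perimeter or netflow telemetry and the staging check on an EDR or auditd feed from the PeopleSoft hosts, with the zstd rule scoped to hosts where that tool has no legitimate use.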
ShinyHunters has been active since at least 2019 and has executed scores of hacks against major global companies, including Ticketmaster, Santander, and Salesforce. The group utilises a variety of initial access techniques, such as exploiting cloud misconfigurations, stealing OAuth tokens, and employing social engineering. As of Wednesday, the group had extorted at least one organisation, threatening to leak stolen data unless payment was made.