A cybercriminal campaign linked to the ShinyHunters threat group has exposed a serious security weakness in Oracle PeopleSoft, one of the most widely used enterprise platforms across universities and large organizations. Security researchers revealed that attackers were exploiting a previously unknown vulnerability before Oracle released a fix, making this a dangerous zero-day attack.
The vulnerability, identified as CVE-2026-35273, affects Oracle PeopleSoft PeopleTools and received a critical CVSS score of 9.8. The flaw allows remote code execution without authentication, enabling attackers to compromise vulnerable servers directly from the internet without requiring valid credentials or user interaction.
Researchers observed exploitation activity between late May and early June, several days before Oracle publicly disclosed the vulnerability and released security updates. This gave threat actors a valuable opportunity to target exposed systems while organizations remained unaware of the risk.
The attacks primarily targeted higher education institutions. Universities rely heavily on PeopleSoft for managing student records, financial aid, payroll, human resources, admissions, and administrative operations. Security analysts identified more than one hundred potentially exposed organizations, with the majority belonging to the education sector.
During the intrusions, attackers deployed remote management tools disguised as legitimate cloud services. These tools enabled persistent access, remote command execution, and lateral movement across compromised environments while reducing the likelihood of detection. Such tactics are commonly associated with modern data theft and extortion operations.
ShinyHunters has built a reputation for targeting organizations that store large volumes of sensitive information. The group is frequently linked to high-profile data breaches and extortion campaigns in which stolen information is used as leverage to pressure victims into paying ransoms.
The incident serves as another reminder that universities remain attractive targets for cybercriminals. Educational institutions often manage extensive databases containing personal, academic, financial, and employment information, making them valuable sources of data for attackers.
Organizations running Oracle PeopleSoft are being urged to apply security updates immediately, review logs for indicators of compromise, restrict unnecessary external access, and investigate any unusual administrative activity. Security teams should also assess whether unauthorized access may have occurred before patches were deployed.
As cybercriminal groups continue to exploit zero-day vulnerabilities at an increasing pace, reducing patch deployment times and improving threat detection capabilities have become critical defenses. The PeopleSoft attacks demonstrate how even a short window between vulnerability discovery and remediation can provide attackers with enough time to compromise large numbers of organizations and gain access to highly sensitive data.