Google has confirmed that a PeopleSoft vulnerability mitigated by Oracle this week has been exploited by ShinyHunters as a zero-day to steal data from organizations.
Oracle has released an out-of-band advisory and security alert for CVE-2026-35273, a critical unauthenticated remote code execution vulnerability impacting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, as well as PeopleSoft Enterprise Applications.
The software giant has released mitigations, but patches do not appear to be available.
PeopleSoft is an ERP software suite used by many large organizations to manage a wide range of business functions, including HR, payroll, finance, supply chain, and campus operations.
While the solution is used across many industries, the ShinyHunters campaign exploiting CVE-2026-35273 appears to have focused on the education sector. The University of Nottingham in the UK is the first confirmed victim.
Mandiant and Google Threat Intelligence Group (GTIG) reported observing activity associated with the exploitation of the PeopleSoft zero-day between May 27 and June 9. The attacks have been attributed to ShinyHunters, which Google tracks as UNC6240.
Google’s researchers notified more than 100 global organizations of potential exposure, the majority of which are based in the US, with 68% in the higher education sector.
The tech giant said some of the targets blocked the attack, but others had their systems compromised and data stolen.
ShinyHunters claims to have targeted roughly 300 PeopleSoft instances belonging to 100 organizations.
“The attacker staging environments hosted customized MeshCentral agents masquerading as legitimate cloud endpoints, which they used to run administrative command queries and deploy a custom lateral movement and defacement script, [victim_abbreviation]_fanout.sh,” Mandiant and GTIG explained. “This campaign directly correlates with subsequent data leaks of stolen organization data published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026.”
Google has shared remediation and hardening recommendations, as well as technical details on the attacks and indicators of compromise (IoCs).
Oracle has not responded to SecurityWeek’s inquiry regarding exploitation.
TrendAI (Trend Micro’s enterprise business), whose researchers have been credited by Oracle for reporting CVE-2026-35273, told SecurityWeek that it’s currently seeing limited exploitation of the vulnerability, but its investigation is ongoing.
Related: CISA Directs Federal Agencies to Prioritize Security Patches Based on Risk
Related: Hackers Exploit Langflow Vulnerability for Remote Code Execution
