Jun 12, 2026 · 7 min read
Oracle PeopleSoft Zero Day Exploited by ShinyHunters
Oracle shipped emergency mitigations on June 11 for CVE-2026-35273 after ShinyHunters claimed 300 compromised PeopleSoft instances across more than 100 organizations — HR and payroll data is the prize.
Oracle pushed emergency mitigations on June 11 for a critical PeopleSoft zero day that attackers were already using to loot HR and payroll systems. The flaw, tracked as CVE-2026-35273, lets an unauthenticated attacker run code on PeopleSoft servers remotely — no password, no phishing email, no insider required. The ShinyHunters extortion gang claims it has already compromised 300 instances across more than 100 organizations, according to BleepingComputer. For a group that spent the first half of 2026 talking its way into Salesforce environments over the phone, jumping to zero day exploitation is a serious escalation.
Key Takeaways
- CVE-2026-35273 is a CVSS 9.8 unauthenticated remote code execution flaw in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62, per Oracle's June 11, 2026 security alert.
- ShinyHunters claims to have breached 300 PeopleSoft instances across more than 100 organizations, with 68% of victims in the education sector.
- Nottingham University has been confirmed as a victim, with staff salary data and personal information on over 450,000 individuals published to the gang's leak site.
- Oracle released mitigations on June 11 but a full patch was still pending at the time of disclosure, leaving exposed servers reliant on access restrictions and log monitoring.
- Stolen PeopleSoft data — salaries, bank details, employee emails — is the raw material for payroll diversion fraud, a scam the FBI's IC3 reported grew 815% over the 18 months through mid-2019.
What Is CVE-2026-35273?
CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft PeopleTools 8.61 and 8.62 that allows unauthenticated remote code execution, scoring 9.8 out of 10 on the CVSS scale. An attacker who can reach a vulnerable PeopleSoft endpoint over the network can execute arbitrary code on the server without supplying any credentials, as detailed in BleepingComputer's report on Oracle's mitigations.
Two details make this worse than the average critical CVE. First, it was exploited in the wild before Oracle had anything to offer defenders — the textbook definition of a zero day. Second, Oracle's June 11 advisory shipped mitigations, not a patch. Administrators were told a fix was coming "soon," which means every internet exposed PeopleSoft instance sat in a window where the only defenses were access restrictions and vigilance.
Mandiant, which identified the active scanning and exploitation, notified more than 100 organizations that their systems showed signs of compromise. That outreach happened before most victims knew anything was wrong.
How Did the Attackers Get In?
The intrusions didn't rely on CVE-2026-35273 alone. ShinyHunters chained the zero day together with older, known PeopleSoft flaws — what researchers describe as a "gadget chain" — to achieve reliable code execution across differently configured environments. The attackers themselves noted that success varied by system configuration, which explains the chained approach: if one link failed, another picked up the slack.
Once inside, the playbook was standard post exploitation tradecraft. Researchers found compromised servers hosting custom MeshCentral remote management agents for persistence, plus defacement scripts and credential spraying tools staged in exposed directories. Stolen credentials fueled lateral movement deeper into victim networks. Security researcher Michael R, who discovered the exposed attacker infrastructure, noted that the directories revealed "ongoing targeting of PeopleSoft environments."
Seven malicious IP addresses have been tied to the campaign: the range 142.11.200[.]186 through 190, plus 108.174.202[.]99 and 176.120.22[.]24. Any PeopleSoft administrator should be grepping connection logs for those addresses today.

Why Is PeopleSoft Such a Valuable Target?
PeopleSoft is the system of record for human capital at thousands of enterprises, government agencies, and universities. A single instance typically holds Social Security numbers, salary histories, bank account details for direct deposit, home addresses, and employee email directories. Universities layer student records on top of that.
The victim data backs this up: 68% of affected organizations are in education, a sector that runs PeopleSoft heavily and patches slowly. Nottingham University, the first confirmed victim, had staff salary data and personal information covering more than 450,000 individuals dumped on the ShinyHunters leak site — a population roughly the size of Miami, exposed through one HR system.
Here's the implication most coverage skips: an HR system breach is upstream of every other attack. Stolen retail data gets you names and emails. Stolen HR data gets you names, emails, exact salaries, bank routing details, manager relationships, and hire dates — everything needed to impersonate a payroll department convincingly. The FBI's Internet Crime Complaint Center has long tracked how this data class converts directly into fraud, and PeopleSoft is one of the densest concentrations of it anywhere.
How Does This Fit ShinyHunters' 2026 Campaign?
This is ShinyHunters' third distinct playbook this year, and each one has required less human interaction than the last. The group opened 2026 with voice phishing — calling employees, impersonating IT, and harvesting SSO credentials. That campaign hit Charter Communications for 4.9 million customer accounts and ran through victims including Pitney Bowes (8.2 million email addresses), Hallmark (8 million records), Canada Life (5.6 million records), and Panera Bread, where roughly 5 million people were affected.
The second playbook exploited misconfigured Salesforce Experience Cloud guest profiles, which Salesforce warned about in March. Across all 2026 campaigns, trackers attribute breaches of 40+ organizations and data on over 400 million people to the group.
Vishing requires a persuasive caller and a careless employee. Misconfiguration hunting requires a target's mistake. A zero day requires neither. Whether ShinyHunters developed CVE-2026-35273 in house or bought it, the group now operates with capabilities that were, until recently, associated with state backed actors — aimed squarely at extortion.
What Should Defenders Do Right Now?
Oracle's mitigation guidance is the immediate priority while the full patch lands. The concrete steps from the advisory and incident reporting:
- Restrict network access to vulnerable PeopleSoft endpoints. If an instance doesn't need internet exposure, remove it now.
- Audit logs for suspicious requests to /PSEMHUB/ and /PSIGW/HttpListeningConnector, the endpoints abused in the attack chain.
- Hunt for persistence: unexpected .jsp webshells, unauthorized binaries, suspicious directories, and any MeshCentral agents the organization didn't deploy.
- Check for the seven known IOC addresses in firewall and proxy logs going back several weeks — Mandiant's notifications suggest exploitation predates the advisory.
- Rotate credentials that PeopleSoft service accounts or admins used, since stolen credentials enabled lateral movement in confirmed intrusions.
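The log checks in this list, together with the connection-log grep for the seven addresses mentioned earlier, can be run as one hunt over the web tier's access logs. The script below is an added example written for this article; it is not Oracle's mitigation tooling or Mandiant's detection logic. It assumes combined-format access log lines (IP, timestamp, request line, status, size), treats the /psp/, /psc/ and /cs/ prefixes as an assumed allowlist of legitimate PIA paths that you should replace with a baseline from your own deployment, and the sample log lines are constructed, including the hypothetical /ps/cmd.jsp webshell path.

```python
"""Hunt PeopleSoft web-tier access logs for CVE-2026-35273 campaign indicators.

Added example for this article, not vendor tooling. Rules:
  ioc-ip          source address is one of the seven reported IOC addresses
  abused-endpoint request to /PSEMHUB/ or /PSIGW/HttpListeningConnector
  unexpected-jsp  a .jsp outside the known-good tree that answered 200
"""
import re
from datetime import datetime

# The seven IOC addresses tied to the campaign in the reporting:
# 142.11.200.186 through .190, 108.174.202.99 and 176.120.22.24.
IOC_IPS = {f"142.11.200.{last}" for last in range(186, 191)} | {
    "108.174.202.99",
    "176.120.22.24",
}

# Endpoints abused in the attack chain, as named in the mitigation guidance.
ABUSED_ENDPOINTS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# ASSUMPTION: prefixes under which a stock PIA deployment legitimately serves
# content. Build this from a known-good baseline of your own web tier.
KNOWN_GOOD_PREFIXES = ("/psp/", "/psc/", "/cs/")

# Combined-format access log line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; the 10.x and 203.0.113.x addresses and /ps/cmd.jsp are made up.
SAMPLE_LOG = """\
10.20.30.40 - - [15/May/2026:09:12:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_PERS_INFO.GBL HTTP/1.1" 200 48231
142.11.200.187 - - [22/May/2026:03:41:17 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 2179
142.11.200.187 - - [22/May/2026:03:41:52 +0000] "GET /PSEMHUB/ HTTP/1.1" 404 613
203.0.113.9 - - [01/Jun/2026:11:00:00 +0000] "POST /psigw/HttpListeningConnector HTTP/1.1" 200 2179
10.20.30.41 - - [02/Jun/2026:08:02:09 +0000] "GET /psc/ps/EMPLOYEE/HRMS/s/WEBLIB_PTPP_SC.HOMEPAGE.FieldFormula.IScript_AppHP HTTP/1.1" 200 9920
176.120.22.24 - - [04/Jun/2026:22:15:33 +0000] "POST /ps/cmd.jsp?c=id HTTP/1.1" 200 152
not a log line
"""


def parse_line(line):
    """Return a dict for one access log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of hunt rules an entry trips (empty list means nothing of interest)."""
    hits = []
    path = entry["path"].split("?", 1)[0]  # match on the path only, not the query string
    if entry["ip"] in IOC_IPS:
        hits.append("ioc-ip")
    # Servlet paths are case sensitive, but hunt case-insensitively so variants are not missed.
    if any(path.upper().startswith(ep.upper()) for ep in ABUSED_ENDPOINTS):
        hits.append("abused-endpoint")
    if (path.lower().endswith(".jsp")
            and not path.startswith(KNOWN_GOOD_PREFIXES)
            and entry["status"] == 200):
        hits.append("unexpected-jsp")
    return hits


def hunt(lines):
    """Classify every parsable line; return {ip: {first_seen, rules, paths}} for flagged sources."""
    summary = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if not hits:
            continue
        rec = summary.setdefault(
            entry["ip"], {"first_seen": entry["ts"], "rules": set(), "paths": []}
        )
        # Track the earliest hit so the dwell window before the June 11 advisory is visible.
        rec["first_seen"] = min(rec["first_seen"], entry["ts"])
        rec["rules"].update(hits)
        rec["paths"].append(entry["path"])
    return summary


def report(summary):
    """Render the summary one source per line, earliest activity first."""
    rows = []
    for ip, rec in sorted(summary.items(), key=lambda kv: kv[1]["first_seen"]):
        rows.append(f"{ip:16} first seen {rec['first_seen']:%Y-%m-%d %H:%M:%S} "
                    f"rules={sorted(rec['rules'])} hits={len(rec['paths'])}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(hunt(SAMPLE_LOG.splitlines())))
```

`hunt()` accepts any iterable of lines, so `hunt(open("access.log"))` runs it over a real file; adjust `LOG_RE` if your web server writes a different access log format. The `first_seen` timestamp is the value to compare against June 11: a hit weeks earlier is exactly the pre-advisory exploitation Mandiant's notifications point to, and the ioc-ip rule alone is not a clean bill of health, since the abused-endpoint and unexpected-jsp rules fire on addresses outside the published list.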
Compliance teams have a parallel clock running. HR data of this sensitivity triggers breach notification duties under GDPR's 72 hour rule and most US state laws, and education victims may face additional obligations under FERPA.
Why Email Users Should Care
If your employer or university runs PeopleSoft, the contents of your HR file may now be in extortionists' hands — and the follow on attacks will arrive by email. Payroll diversion fraud works precisely because the scammer knows things only HR should know. An email that cites your real salary, your real manager, and your real last pay date doesn't read like phishing. It reads like payroll.
The economics are well documented. The FBI's IC3 reported that payroll diversion losses grew 815% in the 18 months through mid-2019, averaging $7,904 per complaint, and the broader business email compromise category hit $2.77 billion in US losses in 2024 alone — $55.5 billion cumulatively. Every record stolen in this campaign is an input to that machine.
Practical defenses for the next six months: treat any email about direct deposit changes, payroll verification, or "HR portal updates" as hostile until verified through a separate channel. Call HR using a number from the intranet, not the email signature. And if you receive a breach notification referencing PeopleSoft, assume the spear phishing that follows will be unusually convincing — because the attackers are working from your actual employment record.
Looking Ahead
Oracle's full patch for CVE-2026-35273 should be treated as a same day deployment when it ships, not a next maintenance window item. The larger story is ShinyHunters' trajectory: from phone calls, to misconfigurations, to zero days in under six months. Groups that profit at this scale reinvest, and ERP platforms — dense with regulated data, slow to patch, often internet exposed — are exactly where that investment pays off. PeopleSoft administrators got their warning on June 11. The next Oracle advisory may not come with one.