ShinyHunters exploited Oracle PeopleSoft flaw to breach 100+ organizations including universities

The ShinyHunters ransomware group exploited a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft software to breach about 100 organizations across various sectors, affecting roughly 300 endpoints, according to security reports ^{[1, 2, 3]}.

The vulnerability, classified as a Server Side Request Forgery (SSRF), allowed remote attackers to manipulate PeopleSoft servers. It carried a high severity rating of 9.8 out of 10 and was actively exploited from May 27 until June 9, before Oracle issued a security advisory addressing the flaw on June 10 ^{[1, 3]}.

The group targeted mostly higher education institutions, accounting for 68% of the victims. One confirmed victim, the University of Nottingham, publicly acknowledged a significant student data breach due to the attack ^[1].

ShinyHunters exfiltrated sensitive student and administrative data including home addresses, phone numbers, emails, and birth dates. A member of the group stated, "Student, applicant, financial aid, immigration, health, and administrative data has been exfiltrated" ^[2].

In addition to stealing data, the attackers demanded ransom payments and used threats to leak stolen information. They operated from a staging server loaded with tools to further infiltrate and control victim networks ^{[1, 3]}.

ShinyHunters is known for international ransomware campaigns targeting large enterprises and educational institutions to carry out mass data theft and extortion ^{[1, 3]}.

Oracle's public advisory on June 10 outlined stopgap mitigations while urging customers to patch the critical SSRF vulnerability against ongoing exploitation ^[3]. The University of Nottingham confirmed the breach the same day, adding urgency for other organizations to secure their PeopleSoft servers ^[1].