Over 100 Organizations Breached Through Oracle PeopleSoft Vulnerability in 2026

ShinyHunters exploited a critical Oracle PeopleSoft flaw for two weeks before a patch existed, compromising 300+ instances across universities and government entities.

Yes, more than 100 organizations fell victim to a critical vulnerability in Oracle PeopleSoft during the first half of 2026. The ShinyHunters extortion group compromised over 300 instances of the software across these organizations by exploiting CVE-2026-35273, an unauthenticated remote code execution flaw with a CVSS severity score of 9.8. The breach campaign ran from May 27 through June 9, 2026, before Oracle issued its security advisory on June 10. The University of Nottingham stands as a stark example of the breach’s scope and impact.

The institution confirmed that approximately 455,000 unique email addresses were leaked, belonging to current students, alumni, and staff. Beyond email addresses, the exposed records contained names, residential addresses, phone numbers, passport numbers, ethnicity data, and disability information—the kind of personally identifiable information that can enable identity theft and targeted fraud for years. The vulnerability’s significance lies not just in its technical severity, but in the fact that attackers exploited it for roughly two weeks as a zero-day flaw, meaning no publicly available patch existed to protect vulnerable organizations. This window allowed ShinyHunters to establish persistent access to dozens of PeopleSoft deployments before defenders even knew an active threat existed.

Table of Contents

How Many Organizations Does a Single PeopleSoft Vulnerability Reach?

The scale of organizational exposure illustrates a critical reality about enterprise software: a single vulnerability can cascade across entire sectors almost simultaneously. ShinyHunters claims to have compromised more than 300 PeopleSoft instances across more than 100 distinct organizations, according to evidence analyzed by Mandiant and confirmed through advisory channels. This is not a small breach affecting a handful of companies. The attacker group deployed a coordinated, multi-phase campaign that systematically targeted PeopleSoft deployments across geography and sector boundaries. PeopleSoft’s market position amplifies the risk.

The platform handles human resources, payroll, financial management, and student information systems for thousands of organizations worldwide. When a single authentication bypass or remote code execution flaw surfaces in such widely deployed software, the blast radius extends from private companies to government agencies to educational institutions. The 100+ organizations affected in this 2026 campaign represent only those that either discovered the breach or that the attacker chose to publicly claim—the actual exposure may be significantly broader. The commercial impact extends beyond the immediate victims. Organizations that discovered they were targeted had to notify customers, regulators, and affected individuals. Those that patched quickly avoided the worst outcomes; those that delayed or remained unaware faced persistent attacker presence, data exfiltration, and potential lateral movement to connected systems.

Understanding CVE-2026-35273 and Why Its Severity Rating Matters

CVE-2026-35273 is classified as a critical unauthenticated remote code execution vulnerability affecting Oracle PeopleTools. The CVSS 3.1 severity score of 9.8 places it in the highest risk category—a score that reflects not just the ability to execute arbitrary code, but the absence of any authentication requirement to trigger it. An attacker does not need valid credentials, multi-factor authentication bypass, or social engineering. The flaw allows code execution over a network with minimal attack complexity. For context, a CVSS 9.8 ranking sits just below the theoretical maximum of 10.0 and represents a threat that demands immediate patching across any organization running the affected software versions. The unauthenticated aspect is the critical distinguishing factor.

Many remote code execution flaws require attackers to first obtain legitimate access or trick a user into performing an action. CVE-2026-35273 removes this barrier, making it accessible to any attacker who can reach the vulnerable PeopleSoft instance over the network. The limitation in Oracle’s initial response was the timing of the advisory. Oracle did not issue its out-of-band security alert until June 10, 2026, well after active exploitation had already begun. This delay meant that organizations relying on vendor advisories to trigger security updates had no warning during the critical exploitation window. Some organizations may not have discovered the breach until weeks or months later, long after attackers had exfiltrated sensitive data.

Distribution of Breached Organizations by SectorUniversities and Colleges68%Other Organizations32%Source: Mandiant data

The Two-Week Zero-Day Exploitation Window and Its Consequences

The timeline of this incident reveals a uncomfortable gap between attack and defense. ShinyHunters actively exploited CVE-2026-35273 from May 27 through June 9, 2026—a 13-day period during which the vulnerability had no public disclosure and no official patch from Oracle. During these two weeks, every compromised PeopleSoft instance became an entry point for data theft, lateral movement, and potential long-term persistence. Zero-day exploitation windows like this one determine how much damage an attacker can inflict before the security community mobilizes. In the early days of exploitation, defenders have no indicator of compromise to look for, no detection signatures, and no patched version to deploy.

Organizations cannot even know they are targeted until the attacker reveals themselves—either by making mistakes that trigger alerts, by demanding ransom, or by publishing stolen data. In this case, ShinyHunters eventually disclosed their claims publicly, forcing affected organizations to investigate and discover the breach. The Oracle advisory on June 10 was reactive rather than proactive. By that date, attackers had already moved through hundreds of instances and exfiltrated records from major educational institutions. The advisory addressed the vulnerability for future defenders but could not undo the compromise of organizations that had already been breached. Organizations with robust threat hunting and security monitoring discovered the issue faster; those without such capabilities remained vulnerable during the post-advisory period as they awaited testing windows and change management approvals for patching.

Why Universities and Colleges Became the Primary Targets

Mandiant data indicates that 68 percent of the more than 100 notified organizations were universities and colleges. This concentration in the higher education sector reveals both a technical reality and an attacker preference. Universities and colleges run PeopleSoft instances to manage student information systems, payroll, human resources, and financial operations. They are heavy users of the platform, and many run older versions due to the complexity and cost of upgrading enterprise software. Educational institutions also hold data that has high value in fraud and identity theft ecosystems. Student records contain names, addresses, dates of birth, Social Security numbers, and increasingly, biometric identifiers and passport information.

Alumni records extend the data’s value across decades. A breach of a university’s PeopleSoft system exposes not just currently enrolled students but also thousands of graduates whose data the institution has retained. This long-tail exposure makes educational data more valuable than payroll or HR records at private companies, where employee tenure is measured in years rather than decades of tracking after graduation. The education sector also faces resource constraints that make rapid patching difficult. Many universities maintain tight IT budgets and complex approval processes for system changes. A critical patch to PeopleSoft may require testing against dozens of dependent applications, scheduling maintenance windows during low-usage periods, and coordinating across distributed IT teams. This institutional inertia creates a window of vulnerability that extends weeks or months after a patch becomes available—precisely the window ShinyHunters exploited.

The Scope of Exposed Data and Implications for Victims

The University of Nottingham breach revealed the granular sensitivity of information stored within PeopleSoft student information systems. The 455,000 exposed records included not just names and contact information but ethnicity data, disability status, passport numbers, and residential addresses. This combination of data points enables sophisticated identity fraud, targeting, and potential discrimination. A criminal with access to this dataset can initiate credit accounts in victims’ names, apply for government benefits, or sell the data to other threat actors. PeopleSoft implementations store this type of sensitive data because educational institutions genuinely need it for their operations—visa sponsorship requires passport information, accessibility services require disability status, and diversity reporting requires demographic data.

However, the storage of this information creates a concentration of sensitive data that becomes catastrophically valuable if compromised. Organizations often cannot simply minimize what they collect without disrupting legitimate services, which creates a permanent tension between functionality and risk. The broader implication extends to regulatory exposure. Breaches involving sensitive personal data, particularly those affecting educational records or involving minors, trigger notification requirements under state data protection laws, FERPA (the Family Educational Rights and Privacy Act), and potentially international regulations like GDPR if alumni reside in the European Union. The University of Nottingham and other breached institutions faced substantial compliance obligations to notify affected individuals, offer credit monitoring services, and document remediation efforts for regulators.

ShinyHunters’ Campaign and Operational Scale

ShinyHunters is a known extortion group that conducts breach campaigns targeting vulnerable software and infrastructure. The PeopleSoft campaign demonstrates operational sophistication: the group identified a critical zero-day flaw, systematically exploited hundreds of instances, exfiltrated large volumes of sensitive data, and executed a public disclosure strategy to pressure organizations and amplify news coverage of the breach. The group’s claim of compromising over 300 instances across more than 100 organizations, if accurate, represents one of the largest coordinated campaigns targeting a single software platform in 2026.

The attacker’s strategy of operating during the zero-day window—before any patch existed—maximized their success rate. They did not have to work around partial mitigation measures or worry about organizations that had already patched. They could systematically work through their target list with confidence that no vendor update would disrupt their operation. Once the advisory was published, organizations began patching, but by then the group had already achieved their objectives and established persistence on compromised systems.

Patching, Response Delays, and Lingering Risk

The practical challenge of patching PeopleSoft across large organizations is substantial enough that some institutions may have remained unpatched for months after the Oracle advisory. PeopleSoft is mission-critical software that affects payroll processing, financial reporting, and student services. Organizations cannot apply patches immediately without risking service disruption. They must test the patch in staging environments, assess compatibility with customizations and integrations, and schedule maintenance windows during periods of low system usage.

For educational institutions operating on academic calendars, the patching window following a June advisory may not occur until summer break. Universities may deprioritize emergency patches if they believe the immediate threat has passed, only to discover months later that attackers retained access to their systems. The combination of technical complexity, institutional risk aversion, and budget constraints means that some of the 100+ breached organizations likely took weeks or months to fully remediate the vulnerability. During that remediation period, their data remained in attackers’ hands and vulnerable to continued exfiltration or sale on dark web marketplaces.

Frequently Asked Questions

What is CVE-2026-35273 and why is it critical?

CVE-2026-35273 is an unauthenticated remote code execution vulnerability in Oracle PeopleTools with a CVSS severity score of 9.8. It allows attackers to execute arbitrary code without valid credentials, making it accessible to anyone who can reach a vulnerable instance over the network.

How many organizations were actually breached?

ShinyHunters claims to have compromised over 300 PeopleSoft instances across more than 100 organizations between May 27 and June 9, 2026. Mandiant confirmed that approximately 68 percent of affected organizations were universities and colleges.

What type of data was exposed in the breaches?

Exposed data included names, addresses, phone numbers, email addresses, passport numbers, ethnicity information, and disability status. The University of Nottingham breach alone affected 455,000 individuals with comprehensive personal records.

Why did attackers target education institutions specifically?

Universities maintain sensitive long-term data on students and alumni, including biometric and passport information. This data has higher value in fraud and identity theft markets, and educational institutions often have resource constraints that delay security patching.

When did Oracle issue a patch and why was the timing problematic?

Oracle issued its out-of-band security advisory on June 10, 2026, after attackers had already compromised hundreds of instances during the preceding two-week period. This delay meant organizations had no warning or patching instructions during active exploitation.

What challenges prevent rapid patching of PeopleSoft vulnerabilities?

PeopleSoft is mission-critical software requiring extensive testing before patches are deployed. Organizations must verify compatibility with customizations and integrations, schedule maintenance windows during low-usage periods, and coordinate approvals across distributed IT teams—processes that can take weeks or months.


You Might Also Like