ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities

ShinyHunters, tracked by Google Mandiant as UNC6240, exploited an unpatched Oracle PeopleSoft zero-day vulnerability to breach multiple university systems and steal sensitive data. The threat actor then demanded ransom to prevent public disclosure of the stolen information.

The exploitation window ran from May 27 to June 9. Oracle did not release its security advisory until June 10, meaning the vulnerability remained unpatched during the entire attack window. CVE-2026-35273 affects Oracle PeopleSoft, enterprise resource planning software deployed across higher education institutions worldwide.

Universities bore the brunt of this campaign. The timing gap between active exploitation and patch availability created a critical window where defenders had no remediation path. Organizations running PeopleSoft systems could not protect themselves against a threat they had no visibility into until after the attacks concluded.

ShinyHunters operates an extortion model focused on data theft followed by ransom demands. The group steals information, then contacts victims with threats to publish or sell the data unless payment arrives. Universities hold particularly valuable targets for such attacks because they store research data, financial records, student information, and intellectual property. The reputational cost of a breach often pressures institutions toward payment.

This campaign reflects a persistent pattern. Threat actors identify zero-day vulnerabilities in enterprise software, exploit them before vendors release patches, exfiltrate data, and demand payment. The gap between discovery and patch availability determines the window for attacks. Oracle's delay in publishing the advisory left administrators blind to both the vulnerability and its exploitation in the wild.

Organizations using Oracle PeopleSoft should prioritize patching immediately. Administrators should review logs from the May 27 through June 10 period for anomalous authentication patterns, data access, or lateral movement. Check for evidence of data exfiltration, particularly large file transfers to