ShinyHunters compromised over 100 companies via an unpatched zero-day vulnerability in Oracle PeopleSoft.

      TL;DR: ShinyHunters has taken advantage of an unpatched Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) to infiltrate over 100 organizations, with two-thirds being universities. There is currently no patch available.

      Oracle alerted its customers on Thursday regarding a critical vulnerability in its PeopleSoft software that has already been exploited to breach more than 100 organizations. The vulnerability, designated as CVE-2026-35273, has a CVSS score of 9.8 and can be exploited remotely without authentication. Oracle has yet to provide a patch.

      This warning came just a day after the cybercrime group ShinyHunters claimed responsibility for the widespread hacking effort. Google’s Mandiant confirmed that the vulnerability disclosed by Oracle is indeed the one being exploited by ShinyHunters. Mandiant reported that they informed over 100 global organizations, primarily in the United States.

      Approximately two-thirds of the affected parties are universities and colleges. A member of ShinyHunters informed TechCrunch that the group has stolen "hundreds of thousands of student records, including full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID." The University of Nottingham was among the institutions that suffered a breach.

      Mandiant noted that while some organizations were able to block the attacks or remediate the vulnerabilities, others fell victim to the assault, leading to the publication of stolen data on the ShinyHunters Data Leak Website. Oracle did not respond to a request for comments from TechCrunch.

      PeopleSoft is utilized by large corporations and educational institutions for managing payroll, human resources, and student records. The vulnerability affects PeopleTools versions 8.61 and 8.62. ShinyHunters exploited a combination of old vulnerabilities as well as this zero-day to target both cloud and on-premises instances, compromising about 300 servers across the 100+ organizations.

      This attack follows a recognizable pattern. Over the past year, ShinyHunters has targeted organizations that use the same vulnerable enterprise software. Previous campaigns have targeted companies utilizing Salesforce, Gainsight, and the education platform Instructure. The group identifies the vulnerability, enumerates the companies running the software, steals data, and then demands a ransom.

      Earlier this year, Instructure paid the hackers after being breached twice. Additionally, ShinyHunters defaced the login pages of schools using Instructure’s Canvas portal. This PeopleSoft campaign is the largest to date and is still ongoing. While Oracle has suggested some mitigations, it has not specified when a patch will be released.

      For any organization running PeopleSoft, the immediate response should be to implement Oracle’s mitigations and limit internet-facing access to PeopleSoft servers. The broader lesson is one that the enterprise software industry continues to learn: when a critical zero-day affects software used by hundreds of major organizations, the attacker only needs to discover it once. AI is making the discovery of vulnerabilities less expensive, while defenders managing those flaws are not keeping pace. Groups like ShinyHunters are capitalizing on every gap between vulnerability disclosure and the availability of fixes.

Другие статьи

Google developed an AI capable of predicting football plays before they occur. Google developed an AI capable of predicting football plays before they occur. Google DeepMind has introduced TacticAI, an AI system created in collaboration with Liverpool FC, capable of anticipating football player movements up to eight seconds ahead and offering tactical suggestions for set pieces. Saily has just converted the eSIM into a $1 disposable phone number. Saily has just converted the eSIM into a $1 disposable phone number. Saily's new US phone number add-on offers travelers an affordable secondary line for making calls, sending texts, receiving 2FA codes, and maintaining privacy for their primary number. Meta introduces an AI assistant and a desktop version for its CapCut competitor, Edits. Meta introduces an AI assistant and a desktop version for its CapCut competitor, Edits. Meta's Edits app will introduce an AI assistant that leverages Instagram data to propose video ideas, along with a desktop version. Over fifty percent of Reels viewers engage with Edits content on a daily basis. ShinyHunters compromised over 100 companies by exploiting a zero-day vulnerability in Oracle PeopleSoft that had not been patched. ShinyHunters took advantage of CVE-2026-35273 (CVSS 9.8) to compromise over 100 organizations utilizing Oracle PeopleSoft. Among them, two-thirds are educational institutions. A patch is not available at this time. OpenAI collaborates with Visa to facilitate secure transactions via AI agents. OpenAI collaborates with Visa to facilitate secure transactions via AI agents. Thanks to a new partnership between OpenAI and Visa, ChatGPT may soon be able to shop and make payments on your behalf, introducing secure agentic payments to AI interactions. Bluesky introduces group chats and shifts focus to communities as growth levels off at 44.8 million users. Bluesky introduces group chats and shifts focus to communities as growth levels off at 44.8 million users. Bluesky has introduced group chats for as many as 50 individuals and is developing communities similar to those found on Reddit. This shift occurs amid a slowdown in user growth and as X discontinues its own community features.

ShinyHunters compromised over 100 companies via an unpatched zero-day vulnerability in Oracle PeopleSoft.

ShinyHunters took advantage of CVE-2026-35273 (CVSS 9.8) to compromise over 100 organizations utilizing Oracle PeopleSoft, with two-thirds of them being universities. There is currently no available patch.