ShinyHunters breached 100+ companies through an unpatched Oracle PeopleSoft zero-day

TL;DRShinyHunters exploited an unpatched Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) to breach 100+ organisations. Two-thirds are universities. No patch yet.

Oracle warned customers on Thursday of a critical vulnerability in its PeopleSoft software that hackers have already exploited to breach more than 100 organisations. The flaw, CVE-2026-35273, carries a CVSS score of 9.8 and can be exploited over the internet without any authentication. Oracle has not released a patch.

The advisory came a day after the cybercrime group ShinyHunters claimed responsibility for the mass-hacking campaign. Google’s Mandiant confirmed that the bug Oracle disclosed is the same one ShinyHunters is exploiting. Mandiant said it notified more than 100 global organisations, most of them in the United States.

About two-thirds of the victims are universities and colleges. A ShinyHunters member told TechCrunch the group stole “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID.” The University of Nottingham was named among the breached institutions.

The 💜 of EU techThe latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters Data Leak Website,” Mandiant wrote. Oracle did not respond to TechCrunch’s request for comment.