ShinyHunters exploited Oracle PeopleSoft 0-day to hit 100+ orgs, including Nottingham
A PeopleSoft PeopleTools remote takeover via CVE-2026-35273 is being used in the wild, with data theft and extortion claims.

ShinyHunters says it exploited Oracle PeopleSoft CVE-2026-35273 to compromise more than 100 organizations, including the University of Nottingham, across 300 vulnerable instances. The incident matters to decision-makers because it blends unpatched critical software exposure with ransomware-style extortion pressure, and Google and Mandiant say exploitation is active.
ShinyHunters is claiming it used a PeopleSoft zero-day, CVE-2026-35273, to compromise more than 100 organizations, with the University of Nottingham among the first publicly confirmed victims. The group told The Register it exploited the flaw to break into Nottingham’s PeopleSoft system and steal 40 GB of personal data and billing records covering hundreds of thousands of current and former students.
The timeline reads like a playbook. ShinyHunters posted the UK university on its data leak site on Tuesday, then published the stolen files later that same day, apparently after Nottingham refused to pay an extortion demand. “University of Nottingham on our leak site is one of the first publicly confirmed incidents,” a ShinyHunters spokesperson told The Register. The group also said it had only just started outreach to affected organizations and was looking to reach an agreement, but did not say when it planned to post the other claimed victims.
This is not just another breach headline. Google threat intelligence published Thursday afternoon corroborated ShinyHunters’ claims, saying it spotted malicious activity “consistent with the exploitation of CVE-2026-35273” between May 27 and June 9, and notified more than 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Google also said most of those organizations are in the United States and that 68 percent are in the higher-education sector. For leadership teams, that geography and sector concentration is a staffing and process issue: procurement, IT asset management, and incident response planning are often most mature in some enterprise environments and less so in education, even though both run similar enterprise systems.
At the technical layer, CVE-2026-35273 is rated 9.8 by CVSS and allows remote, unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools, then fully take over the platform. That “remote, unauthenticated” combination is where the risk stops being theoretical. If attackers can reach an exposed endpoint without valid credentials, then organizations that rely on internal security controls alone are at a structural disadvantage. In practice, PeopleSoft Enterprise PeopleTools sits at the center of payroll and billing, human resources, supply chain processes, and student records, which means compromise can quickly spread from “one system” to “core business workflows.”
The University of Nottingham confirmed the breach on Wednesday, a day after ShinyHunters leaked the school’s data, and Oracle issued an out-of-band security alert. The Register reports it is unclear whether Oracle has issued a patch to fix the security flaw. The Register also contacted Oracle for comment, and Oracle did not respond. Meanwhile, Charles Carmakal, CTO of Google-owned Mandiant, warned on LinkedIn on Thursday that the PeopleSoft flaw is one of two zero-day vulnerabilities “actively being exploited in the wild,” and wrote that Oracle had released mitigations and that patches should come “soon.” The other actively exploited zero-day, for the record, is a Cisco Catalyst SD-WAN Manager vulnerability.
For executives and boards, the second-order implications are the ugly part. First, extortion pressure is moving on a compressed clock: ShinyHunters posted and published within the same day in Nottingham’s case, and claims more than 100 victims. That rhythm can strain legal, communications, and incident response teams, especially when they are still waiting on vendor patches or determining scope. Second, PeopleSoft is widely deployed across institutions and enterprises, so governance teams cannot treat this as a narrow IT fix. When your student records, payroll, and billing are in the same enterprise suite, breach impacts typically cascade into privacy exposure, potential fraud risk, regulatory scrutiny, and operational disruption.
Third, the “300 vulnerable instances” detail matters because it suggests a pattern, not an isolated event. ShinyHunters says it exploited the flaw across 300 vulnerable instances, which implies many endpoints were reachable and perhaps mismanaged. That is a board-level conversation about asset inventory, segmentation, exposure management, and how fast your organization can validate that mitigations and patches actually apply across the environment, not just in one test case.
So what should leaders take from this? The headline is the symptom: a 9.8 CVSS Oracle PeopleSoft 0-day is being exploited in the wild, with theft plus extortion claims across more than 100 organizations. The deeper stake is whether your organization can detect and contain a remote, unauthenticated takeover path fast enough to prevent data theft, and whether your vendor and internal patch cycle closes the window before attackers decide the next victim is on the leak site. If you run PeopleSoft, the strategic question is no longer “will this happen?” but “how quickly can we prove we are not next?”