Executive Summary
ShinyHunters claims to have exploited CVE-2026-35273, a critical Oracle PeopleSoft zero-day, to breach more than 100 organizations across 300 vulnerable instances. The University of Nottingham is the first confirmed victim, with 40 GB of sensitive data stolen. This incident reveals a systemic vulnerability in widely deployed enterprise resource planning (ERP) software and signals an escalation in targeted extortion campaigns.
Context: What Happened
On June 11, 2026, the cybercrime group ShinyHunters announced they had exploited CVE-2026-35273, a 9.8 CVSS-rated remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. The flaw allows unauthenticated attackers to fully compromise affected systems. ShinyHunters targeted the University of Nottingham, exfiltrating 40 GB of personal and billing data, and posted the stolen files after the university refused to pay. Oracle released an out-of-band security alert on June 10, but a patch is not yet available. Mandiant CTO Charles Carmakal confirmed the zero-day is actively exploited in the wild.
Strategic Analysis
Why This Matters for Enterprise Security
Oracle PeopleSoft is a backbone for HR, payroll, billing, and student records at thousands of large organizations. The exploitation of a zero-day with a CVSS score of 9.8 means that any unpatched PeopleSoft instance is at immediate risk. ShinyHunters’ claim of 100+ breaches suggests a coordinated, automated attack campaign, likely scanning for vulnerable instances. The group’s modus operandi—data theft followed by extortion—mirrors ransomware tactics but without encryption, making detection harder: no systems go offline, so nothing disrupts operations and alerts the victim.
Winners and Losers
Winners: ShinyHunters gains notoriety and potential ransom payments. Mandiant and other incident response firms will see increased demand. Competitors like SAP and Workday can market their cloud-based ERP as more secure alternatives.
Losers: Oracle faces reputational damage and potential liability. The University of Nottingham and other breached organizations suffer data exposure, regulatory fines, and remediation costs. Any organization running PeopleSoft without immediate mitigation is at risk.
Second-Order Effects
This breach will accelerate migration from on-premise PeopleSoft to cloud ERP solutions. Cybersecurity insurance premiums for organizations using legacy ERP will rise. Regulatory bodies may impose stricter vulnerability disclosure requirements. The incident also highlights the growing trend of zero-day exploitation by cybercriminal groups, not just nation-states.
Market and Industry Impact
Oracle’s stock may face short-term pressure due to security concerns. The broader ERP market will see increased scrutiny of vendor security practices. Security vendors offering PeopleSoft-specific monitoring tools will see a surge in demand. The incident may also prompt Oracle to accelerate its cloud migration incentives.
Executive Action
- Immediately apply Oracle’s out-of-band mitigations for CVE-2026-35273 if running PeopleSoft.
- Conduct a thorough audit of all PeopleSoft instances for signs of compromise, including unusual data exfiltration.
- Evaluate accelerating migration to cloud-based ERP to reduce exposure to on-premise zero-days.
Why This Matters
This is not an isolated incident. ShinyHunters has demonstrated the ability to weaponize a zero-day against a widely used enterprise platform, affecting hundreds of organizations. The window to act is narrow: patches are not yet available, and attackers are actively scanning. Every day of delay increases the risk of a breach.
Final Take
Oracle PeopleSoft has become a prime target for cybercriminals. Organizations still relying on this legacy platform must treat this as a wake-up call. The cost of inaction—data loss, extortion, regulatory penalties—far outweighs the investment in upgrading to modern, cloud-based ERP. The ShinyHunters breach is a strategic inflection point for enterprise security.
Intelligence FAQ
It's a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools with a CVSS score of 9.8, allowing unauthenticated attackers to fully compromise systems.
Apply Oracle's out-of-band mitigations immediately, restrict network access to PeopleSoft systems, and monitor for suspicious activity.




