The ShinyHunters extortion gang exploited a critical zero-day vulnerability in Oracle's PeopleSoft software between May 27 and June 9, 2026, compromising more than 300 instances across 100+ organizations. The flaw, CVE-2026-35273 (CVSS 9.8), allowed unauthenticated remote code execution through PeopleSoft's Environment Management Hub service.
About 68% of targeted organizations were higher education institutions. The University of Nottingham confirmed a breach, with ShinyHunters claiming 40 GB of student records stolen. Oracle patched the vulnerability on June 10 after researchers flagged it. Organizations are urged to disable or block external access to the EMHub service immediately.
Source: Dark Reading