Particle.news

ShinyHunters Exploit Oracle PeopleSoft Zero-Day to Breach Universities

An unauthenticated remote-code-execution flaw lets attackers steal student and HR records, forcing institutions to use Oracle mitigations while a full patch is still pending.

Overview

  • Security teams at Mandiant and Google Threat Intelligence Group linked active compromises to the ShinyHunters extortion group and notified more than 100 organizations about potentially vulnerable PeopleSoft endpoints.
  • Researchers dated the campaign between May 27 and June 9 and say attackers exploited CVE-2026-35273 as a zero-day to gain remote code execution against PeopleTools versions 8.61 and 8.62.
  • Investigators recovered attacker staging infrastructure that included customized MeshCentral agents, a credential-spray and propagation script that planted a ransom marker file, and IOCs such as several exposed IPs and the azurenetfiles.net domain.
  • Oracle issued an out-of-band security advisory and emergency mitigations for CVE-2026-35273, but full patches were not widely available at the time of reporting, and organizations are urged to immediately block or disable PSEMHUB and related endpoints.
  • At least one major victim, the University of Nottingham, confirmed a breach, and researchers indexed roughly 455,000 exposed email addresses, raising risks of identity fraud, regulatory fallout, and further extortion for affected students and staff.