▣ Breach SHINYHUNTERS-ORACL 2026-06-26

Universities and Enterprises: ShinyHunters PeopleSoft Zero-Day Campaign

The data-theft crew ShinyHunters exploited a critical unauthenticated flaw in Oracle's PeopleSoft HR and finance platform over roughly two weeks in June 2026, claiming to have compromised more than 300 instances across 100-plus organizations. The vulnerability, tracked as CVE-2026-35273, carries a CVSS score of 9.8 and enables remote code execution from a single HTTP request. A group member confirmed the 100-plus victim figure to BleepingComputer and TechCrunch, though those self-reported numbers remain independently unverified, and so far only one victim has publicly acknowledged the incident.

What Happened

According to Arctic Wolf's analysis, ShinyHunters began scanning the public internet for vulnerable PeopleSoft deployments as early as May 27, 2026, and exploited them at scale. Oracle issued an out-of-band security alert for CVE-2026-35273 on June 10, 2026. By June 9, the group claimed more than 300 compromised instances spanning over 100 organizations, with higher-education institutions disproportionately represented. Mandiant identified more than 100 exposed endpoints tied to the campaign. On compromised servers, responders found a ransom note dropped directly onto production systems, consistent with a crew that has abandoned encryption malware in favor of pure data theft and extortion.

What Was Taken

The targeted systems hold human-resources and financial data: employee records, payroll and benefits information, tax identifiers, and organizational financial details. ShinyHunters has paired the campaign with "pay or leak" extortion threats against high-profile names reportedly including Eastman Kodak, Amazon's One Medical, and the Council of Europe. Exact stolen volumes per victim have not been confirmed, and the scope of exposed personal data is still being assessed across affected organizations.

Why It Matters

Internet-exposed ERP software has become an industrialized target for organized cybercrime. Rather than hand-crafting an exploit for one high-value victim, ShinyHunters deployed automated scripts to scan and compromise PeopleSoft environments en masse, as documented by ERP-security vendor Pathlock. The campaign echoes the Cl0p attacks on Oracle E-Business Suite just eight months earlier, signaling a durable shift: enterprise resource planning platforms are now first-tier targets, and a single unauthenticated flaw can cascade into hundreds of breaches within days.

The Attack Technique

CVE-2026-35273 is an unauthenticated remote-code-execution flaw reachable over HTTP, requiring no credentials or user interaction. Attackers sent crafted requests to internet-facing PeopleSoft endpoints, gained code execution, and exfiltrated HR and finance data before dropping a ransom note. The combination of mass scanning, automated exploitation, and a maximum-severity flaw allowed the crew to operate at scale rather than targeting victims individually.

What Organizations Should Do

  1. Apply Oracle's CVE-2026-35273 patch from the June 10, 2026 out-of-band alert immediately on all PeopleSoft instances.
  2. Remove PeopleSoft and other ERP admin interfaces from direct internet exposure; place them behind VPN or zero-trust access.
  3. Hunt for compromise indicators dating back to at least May 27, 2026, including ransom notes on production servers and anomalous HTTP requests to PeopleSoft endpoints.
  4. Review web and application logs for large or unusual data exfiltration from HR and finance systems.
  5. Rotate credentials and secrets accessible from compromised hosts, and inventory all internet-facing ERP assets.
  6. Prepare breach-notification and extortion-response plans, assuming exfiltration may have occurred even where encryption did not.
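
A starting point for steps 3 and 4, as an added example that is not part of the original brief: it sums response bytes per client from a web access log, counting only entries on or after May 27, 2026, and flags clients whose outbound volume stands out. The Common/Combined Log Format layout, the `factor` and `floor` thresholds, and the sample lines are assumptions to adapt to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Start of the hunt window given in the brief (earliest reported scanning).
HUNT_START = datetime(2026, 5, 27, tzinfo=timezone.utc)

# Assumed log layout: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse(line):
    """Return (ip, timestamp, bytes_sent), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["ip"], ts, 0 if m["bytes"] == "-" else int(m["bytes"])

def flag_heavy_clients(lines, factor=10, floor=50_000_000):
    """Sum response bytes per client inside the hunt window; return clients
    whose total is >= floor bytes and >= factor times the per-client median."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec and rec[1] >= HUNT_START:
            totals[rec[0]] += rec[2]
    base = median(totals.values()) if totals else 0
    return {ip: n for ip, n in totals.items() if n >= floor and n >= factor * base}

# Constructed sample lines: documentation IP ranges and made-up paths.
SAMPLE = [
    '198.51.100.7 - - [20/May/2026:10:00:00 +0000] "GET /app/a HTTP/1.1" 200 900000000',
    '192.0.2.10 - - [28/May/2026:09:12:01 +0000] "GET /app/a HTTP/1.1" 200 15000',
    '192.0.2.11 - - [29/May/2026:11:40:13 +0000] "GET /app/b HTTP/1.1" 200 22000',
    '192.0.2.12 - - [01/Jun/2026:08:03:55 +0000] "GET /app/a HTTP/1.1" 200 18000',
    '203.0.113.50 - - [02/Jun/2026:02:17:44 +0000] "POST /app/c HTTP/1.1" 200 990000000',
    'not a log line',
]

if __name__ == "__main__":
    for ip, sent in flag_heavy_clients(SAMPLE).items():
        print(f"{ip} sent {sent} bytes since {HUNT_START.date()}")
```

A flagged client is a lead for review against proxy, firewall, and database logs, not proof of exfiltration; bulk integrations and backups will also appear until they are allow-listed.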

Sources: ShinyHunters Oracle PeopleSoft Breach: 100+ Orgs [2026]