Attackers exploited CVE-2026-35273, an unauthenticated remote code execution flaw, to expose student data before the vulnerability was disclosed; universities were heavily impacted during the late May campaign.
Cybercriminal group ShinyHunters has struck again: this time exploiting a previously unknown vulnerability in Oracle’s PeopleSoft platform to breach more than 100 organizations, the majority of them universities.
The campaign unfolded over a roughly two-week period from late May to early June, targeting internet-exposed systems running the platform. At the center of the attacks is CVE-2026-35273, a critical flaw with a severity rating of 9.8.
The issue affects the Environment Management Hub component within PeopleTools versions 8.61 and 8.62. Stolen data reportedly includes sensitive student information such as addresses, phone numbers, and dates of birth, according to reporting from TechCrunch.
Security researchers say the vulnerability allows unauthenticated remote code execution over HTTP, meaning attackers can take full control of vulnerable servers without valid credentials. The attacks occurred before Oracle had publicly disclosed the vulnerability. The company issued an out-of-band advisory on 10 June 2026, confirming that organizations had been exposed without available patches during the active exploitation window. This timing underscores the growing risk posed by zero-day vulnerabilities in widely deployed enterprise systems.
The more than 100 organizations vulnerable to potential compromise (with approximately 68% being institutes of higher education) have been informed and placed on alert.
The US Cybersecurity and Infrastructure Security Agency (CISA) also added the critical flaw to its Known Exploited Vulnerabilities catalog on 12 June 2026, mandating remediation across federal networks. Affected corporate customers have been advised to disable the affected service or restrict access to specific endpoints. However, web application firewalls alone are unlikely to stop exploitation attempts. Investigators recommend searching for signs of compromise such as unauthorized JSP files, unusual outbound SMB traffic, and modified XML configurations.
The campaign follows closely on the heels of another ShinyHunters operation targeting Instructure’s Canvas platform, which disrupted academic operations nationwide. Security firm Pathlock reported that attackers had left behind ransom notes (named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT) on compromised systems, and are continuing to pressure victims by threatening to release stolen data.
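The on-disk indicators named above (unauthorized JSP files, modified XML configurations, and the ransom note filename) can be swept for with a short script. The following Python is an added example, not code from Oracle, Pathlock or the original report; the directory layout, file names, baseline list of known JSP files and cutoff date are constructed assumptions to replace with your own.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Ransom note filename as reported in the article.
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
JSP_SUFFIXES = {".jsp", ".jspx"}

def triage(root, since, known_jsp=frozenset()):
    """Return sorted (reason, relative_path) findings under root.

    since     -- aware datetime; modifications at or after it are reported
    known_jsp -- relative paths of JSP files from a trusted baseline
                 (assumption: taken from a clean install or backup)
    """
    root, cutoff, findings = Path(root), since.timestamp(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            try:
                mtime = path.lstat().st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            suffix = path.suffix.lower()
            if name.upper() == RANSOM_NOTE:
                findings.append(("ransom-note", rel))
            elif suffix in JSP_SUFFIXES and rel not in known_jsp:
                # Baseline comparison still works if timestamps were altered.
                findings.append(("jsp-not-in-baseline", rel))
            elif suffix in JSP_SUFFIXES and mtime >= cutoff:
                findings.append(("jsp-modified", rel))
            elif suffix == ".xml" and mtime >= cutoff:
                findings.append(("xml-modified", rel))
    return sorted(findings)

if __name__ == "__main__":
    since = datetime(2026, 5, 1, tzinfo=timezone.utc)  # constructed cutoff
    old = datetime(2026, 1, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2026, 6, 1, tzinfo=timezone.utc).timestamp()
    # Constructed sample tree; names and timestamps are illustrative only.
    sample = {"web/login.jsp": old, "web/x.jsp": old, "conf/hub.xml": new, RANSOM_NOTE: new}
    with tempfile.TemporaryDirectory() as d:
        for rel, ts in sample.items():
            p = Path(d, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("")
            os.utime(p, (ts, ts))
        for reason, rel in triage(d, since, {"web/login.jsp"}):
            print(f"{reason}\t{rel}")
```

Modification times can be altered by an intruder, so the baseline comparison is the stronger signal; outbound SMB traffic is a network indicator and needs flow or firewall logs rather than a file sweep.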


