Google's threat intelligence teams say a critical, unauthenticated remote code execution flaw in Oracle's PeopleSoft platform — tracked as CVE-2026-35273 and rated CVSS 9.8 — was weaponized as a zero-day by the cybercrime crew ShinyHunters to steal data, with universities taking the heaviest hit. Oracle pushed out-of-band mitigations this week but has not publicly admitted the bug was being abused, leaving Mandiant and the Google Threat Intelligence Group (GTIG) to confirm the in-the-wild activity. The campaign ran from late May through early June 2026, and ShinyHunters began publishing stolen records on its leak site on June 9. CISA has since added the flaw to its Known Exploited Vulnerabilities catalog.
What is CVE-2026-35273
CVE-2026-35273 is an unauthenticated remote code execution vulnerability reachable over HTTP. According to the Alan Turing Institute's Cyber Threat Observatory report, the weakness lives in a component of PeopleSoft's Updates Environment Management and carries a CVSS score of 9.8 (vector includes AV:N, network-accessible). Because the attack vector is network-based and no authentication is required, a successful exploit hands an attacker full compromise of the affected PeopleTools deployment.
The flaw affects:
- PeopleSoft Enterprise PeopleTools 8.61 and 8.62
- PeopleSoft Enterprise Applications
PeopleSoft is a broadly deployed ERP suite that enterprises lean on for HR, payroll, finance, supply chain, and campus operations. While the vulnerable component is normally deployed inside enterprise networks rather than on the open internet, Oracle's own advisory flagged it as public-facing in default deployments — and the prerequisites for exploitation are present by default where the component is reachable over HTTP without authentication.
Oracle's response so far has been mitigations rather than complete patches, and the company has neither publicly confirmed exploitation nor responded to press inquiries. The bug is documented in the NVD entry for CVE-2026-35273.
How the attack works
Mandiant and GTIG observed exploitation between May 27 and June 9, 2026, and attributed the intrusions to ShinyHunters, which Google tracks internally as UNC6240.
Per Google's analysis, the operators:
- Exploited CVE-2026-35273 to gain unauthenticated code execution on exposed PeopleSoft instances.
- Stood up staging infrastructure running customized MeshCentral agents that were dressed up to look like legitimate cloud services.
- Used those agents to run administrative commands on compromised hosts.
- Deployed a bespoke lateral-movement and defacement script named
[victim_abbreviation]_fanout.sh, where the prefix was tailored per victim.
The timeline maps cleanly onto the extortion phase: ShinyHunters started dumping stolen data on its leak site on June 9, 2026, the same day the observed exploitation window closes.
Scope of the campaign
Google notified more than 100 organizations worldwide that they may have been exposed. The bulk are in the United States, and 68% are in higher education. Some targets reportedly repelled the attacks; others were breached and had data exfiltrated. The first confirmed victim named publicly is the University of Nottingham in the UK.
ShinyHunters tells a bigger story, claiming it compromised roughly 300 PeopleSoft instances across 100 organizations. Google has released remediation guidance, hardening recommendations, and indicators of compromise for defenders.
TrendAI, the enterprise arm of Trend Micro that Oracle credited with reporting CVE-2026-35273, says it currently sees only limited exploitation and that its investigation is ongoing.
On June 12, 2026, CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities (KEV) catalog on the basis of confirmed active exploitation, which obligates U.S. federal agencies to remediate on an accelerated timeline.
Detection and mitigation
Concrete defensive steps drawn from the reporting:
- Apply Oracle's out-of-band mitigations for CVE-2026-35273 immediately on PeopleTools 8.61 and 8.62 and affected PeopleSoft Enterprise Applications. Treat this as urgent given KEV listing and confirmed exploitation.
- Restrict network exposure of the PeopleSoft Updates Environment Management component. Because the flaw is exploitable over HTTP without authentication, anything reachable from untrusted networks is at immediate risk — place it behind VPN/segmentation and remove any unnecessary internet exposure.
- Hunt for the campaign's tooling. Look for unexpected MeshCentral agents, especially instances masquerading as cloud services, and for scripts matching the
*_fanout.shnaming pattern. - Review Google's published IOCs and remediation/hardening guidance and incorporate them into detection rules and threat hunts.
Technical background
The following is general background on this class of flaw, not specifics confirmed about this incident.
Unauthenticated RCE bugs in enterprise web applications such as ERP suites are among the most dangerous vulnerability classes because they combine three traits: the service is network-reachable, no credentials are needed, and a single request can yield code execution. Common root causes in this category include insecure deserialization of attacker-controlled objects, server-side template injection, expression-language injection, and unsafe file upload or path handling in administrative or environment-management endpoints.
A typical exploitation lifecycle looks like this:
- Discovery — the attacker fingerprints exposed instances, often by hitting a known application path and matching response banners or headers.
- Exploit delivery — a crafted HTTP request triggers the vulnerable code path. For example, a probe-style request to confirm reachability of a target endpoint:
curl -sk -i "https://target.example.com/<vulnerable-endpoint>" \
-H "Content-Type: application/json" \
--data '<crafted-payload>'
- Foothold — the attacker drops a remote-management agent or web shell to persist beyond the initial request.
- Lateral movement and impact — scripted tooling fans out to additional hosts, harvests data, and — in extortion campaigns — exfiltrates it for publication on a leak site.
Defenders facing this pattern should prioritize patch/mitigation deployment, minimize the internet-facing footprint of management components, enable verbose application logging on the affected endpoints, and alert on the appearance of unsanctioned remote-administration software inside the environment.