Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters

Google Ties PeopleSoft Zero-Day to ShinyHunters Data Theft

Google says a critical flaw in Oracle's PeopleSoft software has been exploited as a zero-day by the cybercrime group ShinyHunters to steal data from organizations, with the education sector bearing the brunt of the campaign. The bug, tracked as CVE-2026-35273, is an unauthenticated remote code execution vulnerability that Oracle addressed this week through an out-of-band advisory and security alert. Notably, while Oracle has issued mitigations for the flaw, it has not publicly acknowledged that the weakness was being abused in the wild — leaving Google's threat researchers as the ones confirming active exploitation.

The vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 as well as PeopleSoft Enterprise Applications. Oracle's response so far appears to consist of mitigations rather than full patches. PeopleSoft is a widely deployed ERP suite that large enterprises rely on to run HR, payroll, finance, supply chain, and campus operations, but the attackers behind this campaign seem to have zeroed in on higher education. The University of Nottingham in the UK has been named as the first confirmed victim.

Researchers at Mandiant and the Google Threat Intelligence Group (GTIG) said they tracked exploitation activity between May 27 and June 9, and attributed the intrusions to ShinyHunters, a group Google internally labels UNC6240. According to Google, the operators set up staging environments running customized MeshCentral agents disguised as legitimate cloud services, then used them to issue administrative commands and push a bespoke lateral-movement and defacement script named [victim_abbreviation]_fanout.sh. The activity lines up directly with stolen data that ShinyHunters began posting to its leak site on June 9, 2026.

Scope and Disclosure Gap

Google notified more than 100 organizations worldwide that they may have been exposed, most of them in the United States and 68% of them in higher education. Some targets reportedly fended off the attacks, while others were breached and had data exfiltrated. ShinyHunters, for its part, claims to have hit roughly 300 PeopleSoft instances across 100 organizations. Google has also published remediation guidance, hardening advice, and indicators of compromise for defenders.

Oracle has not publicly confirmed that the flaw was exploited and did not respond to requests for comment on the matter. TrendAI, the enterprise arm of Trend Micro that Oracle credited with reporting CVE-2026-35273, said it is currently observing only limited exploitation and that its investigation remains ongoing.