ShinyHunters breached 100+ companies through an unpatched Oracle PeopleSoft zero-day

TL;DR

ShinyHunters exploited an unpatched Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) to breach 100+ organisations. Two-thirds are universities. No patch yet.

Oracle warned customers on Thursday of a critical vulnerability in its PeopleSoft software that hackers have already exploited to breach more than 100 organisations. The flaw, CVE-2026-35273, carries a CVSS score of 9.8 and can be exploited over the internet without any authentication. Oracle has not released a patch.

The advisory came a day after the cybercrime group ShinyHunters claimed responsibility for the mass-hacking campaign. Google’s Mandiant confirmed that the bug Oracle disclosed is the same one ShinyHunters is exploiting. Mandiant said it notified more than 100 global organisations, most of them in the United States.

About two-thirds of the victims are universities and colleges. A ShinyHunters member told TechCrunch the group stole “hundreds of thousands of student records containing full name, home address, phone, email, date of...

Copyright of this story solely belongs to thenextweb.com. To see the full text click HERE