Oracle PeopleSoft Zero-Day CVE-2026-35273: ShinyHunters Breaches 100+ Universities — What Australian Institutions Must Do Now
Between 27 May and 9 June 2026, a criminal group known as ShinyHunters quietly compromised roughly 300 Oracle PeopleSoft servers at more than 100 organisations worldwide, stealing student and staff records before most victims knew an attack was underway. The flaw they used — CVE-2026-35273, a critical remote-code-execution bug requiring no login and no user interaction — was unknown to Oracle until after the campaign concluded. Australian universities and colleges that run PeopleSoft Campus Solutions are directly in the exposure window: confirmed Australian PeopleSoft deployments include Open Universities Australia, which manages more than 50,000 student enrolments on the platform, and Federation University Australia.
How ShinyHunters Compromised 300 PeopleSoft Servers Before Oracle Issued a Patch
The campaign opened on 27 May 2026, when the threat group known as ShinyHunters — tracked by Mandiant under the designation UNC6240 — began systematically scanning the internet for Oracle PeopleSoft servers running an exposed Environment Management Hub (PSEMHUB) component. The PSEMHUB is an administrative interface within PeopleSoft PeopleTools that organisations use for patch distribution and configuration management across multi-site environments. The problem: it contained a critical remote-code-execution flaw that Oracle was not yet aware of.
Over the following 13 days, ShinyHunters silently compromised approximately 300 PeopleSoft instances across more than 100 organisations. The stolen data was published on the group's dark-web data leak site on 9 June 2026 — the first time the majority of affected institutions learned an attack had taken place. The following day, 10 June, Oracle published an out-of-band security alert for CVE-2026-35273 and released an emergency patch for PeopleTools versions 8.61 and 8.62. The patch arrived after the breach was complete.
Mandiant, now operating under Google Cloud following its acquisition, formally attributed the campaign to UNC6240 in a threat intelligence report published on 11 June. Mandiant identified over 100 organisations whose IP addresses matched the known attack infrastructure and proactively issued notifications, but for many that contact came only after their data had already appeared publicly on ShinyHunters' leak site.
The University of Nottingham was among the first confirmed victims to make a public statement. According to the university's own disclosure, attackers accessed its student record system and exfiltrated records covering 454,600 current and former students, including personal details and academic history. Mandiant confirmed the campaign prioritised higher education, with 68 per cent of the more than 100 identified victim organisations being universities or colleges.
Independent technical research published by Rapid7's Emerging Threats Research team on 11 June provided a detailed breakdown of the exploit chain. Help Net Security and SecurityWeek independently confirmed the victim count and timeline from Mandiant's reporting, establishing a clear corroborated picture of the attack scope before Oracle's patch had reached most affected environments.
Why Universities Are a Preferred Target for Data Extortion Groups
Oracle PeopleSoft Campus Solutions is the administrative backbone of student management at hundreds of universities worldwide. The platform handles enrolment records, academic transcripts, tuition billing, financial aid disbursements, and sometimes payroll and HR data for staff. A breach doesn't expose just a name and an email address — it can surface a student's full academic history, unique identification numbers, scholarship status, and financial records. That data retains value long after graduation and is well suited to identity fraud, credential stuffing against alumni portals, and targeted phishing.
ShinyHunters' operational model differs from traditional ransomware. The group does not encrypt production systems and demand a decryption fee. Instead it exfiltrates data silently, then publishes a sample on its dark-web leak site and waits for victims to initiate contact with a payment offer to prevent full public release. This approach is particularly damaging for universities because:
- The reputational and legal consequences of a student data disclosure are immediate. Unlike a corporate breach, it directly affects individuals who trusted the institution with sensitive personal records, sometimes including details submitted as minors.
- University IT teams are typically smaller and more resource-constrained, relative to the user population they support, than those of comparable commercial organisations, making rapid patch deployment operationally difficult.
- PeopleSoft deployments are often maintained on Oracle's standard quarterly Critical Patch Update (CPU) schedule. A zero-day like CVE-2026-35273 — patched only via out-of-band alert — sits outside that cadence and may go unaddressed for weeks in environments that do not monitor Oracle's security advisories continuously.
Australian higher education institutions are directly exposed. Oracle actively markets PeopleSoft Campus Solutions to the Australian and New Zealand market through its dedicated higher education practice. Open Universities Australia has publicly confirmed that PeopleSoft Campus Solutions is its student management system, supporting more than 50,000 students. Federation University Australia runs a heavily customised PeopleSoft Campus Solutions environment with significant integrations across its sites. Neither organisation has been named as a confirmed victim of the CVE-2026-35273 campaign, but both operate software in the same affected product family.
The Australian Signals Directorate's Alerts and Advisories page (cyber.gov.au) has consistently listed higher education as one of the most-targeted sectors in Australia. Organisations in the sector should treat this campaign as a direct prompt to audit their PeopleSoft exposure — not a story about overseas universities.
Inside CVE-2026-35273: The SSRF-to-RCE Chain That Required No Credentials
What the vulnerability is
CVE-2026-35273 is a server-side request forgery (SSRF) vulnerability in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 that chains into remote code execution via the Environment Management Hub (PSEMHUB) component. The National Vulnerability Database rates it 9.8 out of 10 on the CVSSv3.1 scale — reflecting that it is remotely exploitable, requires no authentication, requires no user interaction, and is exploitable over standard HTTP network access. A CVSS score of 9.8 places it in the critical severity band, two-tenths below the maximum possible score of 10.0.
SSRF vulnerabilities cause a server to make HTTP requests on behalf of an attacker to internal network resources that would not otherwise be reachable from outside. In PeopleSoft's case, the PSEMHUB component acts as a broker for internal application management tasks — patching, environment synchronisation, configuration updates. Rapid7's research confirmed that by sending a single unauthenticated HTTP request to an exposed PSEMHUB endpoint, an attacker could chain the SSRF into arbitrary code execution under the PeopleSoft service account. No credentials, no phishing, no social engineering required: just network access to the exposed port.
How PSEMHUB ends up internet-facing
PSEMHUB is intended to be an internal administrative interface. In well-hardened deployments it should not be accessible from the public internet. However, a significant number of organisations had inadvertently exposed it, either through misconfigured firewall rules or because older PeopleSoft documentation recommended that PSEMHUB be accessible across organisational network boundaries to support multi-campus environments — a common configuration in Australian universities with multiple campuses or with students accessing systems off-site.
What data becomes reachable
Once an attacker achieves code execution under the PeopleSoft service account, they have effective access to the application's database without passing through any of PeopleSoft's application-layer access controls. Student records, staff personnel files, financial aid data, payroll figures, and any system that the PeopleSoft instance is integrated with — including single-sign-on providers, learning management systems, and alumni portals — are within reach. The Rescana and SecurityWeek reporting on this campaign confirmed that ShinyHunters extracted student records, personal identification details, and academic histories from compromised environments.
Affected versions and patch status
Oracle's out-of-band patch for CVE-2026-35273 covers PeopleTools 8.61 and 8.62. Organisations running older, unsupported PeopleTools versions should contact Oracle support directly for guidance. Organisations using a third-party PeopleSoft support vendor — such as those on Rimini Street agreements — should verify whether their support contract includes coverage for out-of-band zero-day patches, since this capability is not uniformly provided by third-party support arrangements.
Immediate Steps for Australian PeopleSoft Administrators
If your organisation runs Oracle PeopleSoft, the following actions cannot be treated as deferred maintenance. The out-of-band patch for CVE-2026-35273 has been available since 10 June 2026, but patching alone is insufficient if your environment was exposed during the 27 May to 9 June window. Assume possible compromise first; then remediate.
1. Apply the Oracle out-of-band patch immediately
Download and apply the patch for PeopleTools 8.61 or 8.62 from Oracle's support portal (support.oracle.com, My Oracle Support). Oracle has categorised this as a mandatory out-of-band update rather than a discretionary fix — deferring it to the next quarterly CPU cycle is not appropriate given confirmed in-the-wild exploitation.
2. Audit PSEMHUB network exposure
Verify whether your PeopleSoft Environment Management Hub is accessible from outside your internal network. If PSEMHUB is reachable on TCP port 8000 or 8443 from external IP addresses, restrict access via firewall rules to internal network segments and known administrator IP ranges only. PSEMHUB has no legitimate requirement for public internet exposure in any standard deployment scenario.
3. Review logs from 27 May to 10 June
Examine HTTP access logs on your PSEMHUB component for the period 27 May through 10 June 2026. Look for unusual POST requests to /PSEMHUB/ endpoints, requests from IP addresses not in your internal or administrator ranges, and anomalous volumes of outbound data transfer from the PeopleSoft server. Rapid7's published Emerging Threat Research for this campaign includes specific indicators of compromise and request patterns consistent with ShinyHunters' observed tooling.
4. Treat suspicious log findings as a confirmed breach
If your log review surfaces indicators of the above activity, treat it as a confirmed eligible data breach under ACSC's incident classification guidance. Australian organisations are required to notify the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme within 30 days of having reasonable grounds to believe an eligible data breach has occurred — the clock begins from when you first had reason to suspect a breach, not from when you formally confirm it. The ACSC's 24/7 hotline is available at 1300 CYBER1 (1300 292 371) and provides incident triage support for Australian organisations.
5. Notify affected individuals promptly
If evidence of data exfiltration exists, the NDB scheme requires notification to affected students and staff. Given ShinyHunters' established pattern of publishing full stolen datasets on its leak site after a payment deadline passes, waiting for forensic certainty before notifying individuals leaves them without the time to protect themselves against secondary phishing or identity fraud targeting their academic and personal records. Early notification is both the legal obligation and the ethically defensible position.
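For the log review in step 3, the following added example (not from the article, Oracle or Rapid7) triages web access logs for /PSEMHUB/ requests from outside trusted ranges during the review window and totals response bytes per source. The Common Log Format, the trusted ranges, the sample lines and the placeholder path are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import date, datetime

# Assumptions, not from the article: Common Log Format lines and these
# internal/administrator ranges. Substitute your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
WINDOW = (date(2026, 5, 27), date(2026, 6, 10))  # review window from step 3
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def triage(lines):
    """Summarise untrusted-source /PSEMHUB/ requests dated inside WINDOW."""
    hits = defaultdict(lambda: {"requests": 0, "posts": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line
        try:
            day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        except ValueError:
            continue  # malformed timestamp
        in_scope = (WINDOW[0] <= day <= WINDOW[1]
                    and m["path"].upper().startswith("/PSEMHUB/"))
        if not in_scope or is_trusted(m["ip"]):
            continue
        row = hits[m["ip"]]
        row["requests"] += 1
        row["posts"] += m["method"] == "POST"
        row["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    return dict(hits)

# Constructed sample lines (documentation address ranges, placeholder path).
SAMPLE = [
    '10.1.2.3 - - [28/May/2026:09:00:00 +1000] "POST /PSEMHUB/example-endpoint HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/May/2026:02:14:09 +1000] "POST /PSEMHUB/example-endpoint HTTP/1.1" 200 1048576',
    '203.0.113.7 - - [29/May/2026:02:14:11 +1000] "GET /PSEMHUB/example-endpoint HTTP/1.1" 200 2048',
    '198.51.100.20 - - [12/Jun/2026:11:00:00 +1000] "POST /PSEMHUB/example-endpoint HTTP/1.1" 403 -',
    '198.51.100.20 - - [01/Jun/2026:11:00:00 +1000] "GET /psp/ps/ HTTP/1.1" 200 900',
]
```

Calling `triage(SAMPLE)` returns only the external source that touched /PSEMHUB/ inside the window; dates are compared in the log's own local time, so widen `WINDOW` by a day if your servers log in a different timezone from the one the campaign dates refer to.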
The Data Theft Extortion Model and Reducing the Blast Radius
ShinyHunters represents a maturing generation of financially motivated cybercriminal groups that have moved away from encryption-based ransomware and toward pure data theft and extortion. This shift is deliberate. Encryption-based ransomware has grown increasingly detectable as endpoint and network defences have matured, and high-profile takedowns of ransomware infrastructure have disrupted several groups. Data theft requires no privileged persistence after initial access, no complex binary deployment, and no negotiation over decryption keys. The attacker exits with the data, waits for the deadline, and publishes if payment is not received.
The implications for institutions relying on enterprise software like Oracle PeopleSoft extend well beyond this specific patch cycle. Many university PeopleSoft deployments integrate with a wide range of third-party systems — learning management platforms, clinical placement systems for health science and nursing programmes, library catalogues, alumni donation portals — all of which may be reachable once the PeopleSoft service account is compromised. The student record system is frequently only the first door.
ShinyHunters is already well known to Australian security teams. The group was linked to the 2024 Ticketmaster breach that affected significant numbers of Australian customers, and earlier in 2026 the same group breached Canvas LMS, exposing records tied to hundreds of thousands of Australian students. BleepingComputer's reporting on the PeopleSoft campaign confirms the group is escalating both in target selection and technical sophistication. Each successive campaign demonstrates that ShinyHunters has the operational patience to conduct large-scale data theft against targets that have not maintained patch discipline.
Essential Eight controls most relevant to this attack
The ACSC's Essential Eight mitigation framework provides the clearest practical roadmap for Australian organisations. In the context of CVE-2026-35273, the most relevant controls are:
- Application patching at Maturity Level 2: Apply vendor-supplied patches within 48 hours when exploitation is confirmed in the wild. Oracle's 10 June out-of-band release meets the threshold for urgent response: it is explicitly not a scheduled CPU patch but an emergency fix for an actively exploited zero-day.
- Restricting administrative access: The PeopleSoft service account leveraged in this campaign should operate under least-privilege principles. A service account with the ability to execute arbitrary queries across the full student database, and with network access to multiple integrated systems, represents a significant risk concentration. Privilege separation and just-in-time administrative access reduce the blast radius if a service account is compromised.
- Network segmentation: PSEMHUB is an administrative component with no business case for internet exposure. Network segmentation that prevents application-tier services from initiating unrestricted outbound connections to external hosts would also have impeded ShinyHunters' data exfiltration in many of the observed cases, even after initial access was achieved.
- Multi-factor authentication: Because CVE-2026-35273 is exploitable without authentication, MFA would not have blocked the initial access. MFA on the PeopleSoft administrative and staff-facing interfaces nonetheless reduces the risk of follow-on credential-based access attempts that often accompany a breach of this type.
A prompt to patch Oracle PeopleSoft is also a prompt to re-examine the network architecture surrounding it. The ShinyHunters campaign is unlikely to be the last time a threat group targets PSEMHUB or a comparable administrative endpoint in an enterprise student system. The defence is structural, not reactive.