The article discusses a critical zero-day vulnerability in Oracle PeopleSoft, identified as CVE-2026-35273, which was exploited in an ongoing ShinyHunters campaign targeting over 100 organizations, predominantly universities, from May 27 to June 9, 2026. This remote code execution flaw, rated 9.8 on the CVSS scale, allows attackers to breach systems without authentication or user interaction.
The breach was revealed by Mandiant and Google’s Threat Intelligence Group shortly after Oracle issued a public advisory on June 10. The attackers managed to establish a command-and-control infrastructure disguised as legitimate services, facilitating extensive lateral movement within victim networks. The University of Nottingham was notably impacted, with over 450,000 email addresses leaked. Organizations using Oracle PeopleSoft are urged to isolate affected systems and block access to sensitive endpoints to mitigate risks.