Sentinel Brief

Oracle PeopleSoft Breach: ShinyHunters' Zero-Day Explained

Somewhere in the University of Nottingham's administrative infrastructure, 455,000 email addresses — alongside passport numbers, ethnicity records, disability status, and financial data spanning campuses in the UK, Malaysia, and China — were quietly exfiltrated in a 40 GB package. No authentication required. No user interaction. Just HTTP network access and a vulnerability that Oracle would not name publicly for another two weeks. As of June 26, 2026, the ShinyHunters campaign against Oracle PeopleSoft represents the most efficient institutional data heist of the year: a single critical zero-day, over 300 compromised server instances, and 100-plus organizations breached before a single patch was available.

According to Google News, which surfaced the initial scope of this campaign, the breach exploited CVE-2026-35273 — a CVSS 9.8 critical flaw in Oracle's PeopleSoft platform (the enterprise administrative software widely used by universities and corporations for student records, HR, and financial management) — during a 14-day exploitation window running from May 27 to June 9, 2026. Oracle published its security alert on June 10, 2026 — one day after the active attack window had already closed.

The Threat: A Gadget Chain in the Campus Record Room

Security researchers described the exploit as a "gadget chain" — a sequence stitching together both known legacy weaknesses and previously undisclosed zero-day flaws in Oracle PeopleSoft's PeopleTools versions 8.61 and 8.62. The underlying vulnerability class is CWE-918: a Server-Side Request Forgery flaw (SSRF — where an attacker tricks the server into issuing requests on their behalf) that escalates to Remote Code Execution (RCE), meaning attackers can run arbitrary commands without any login credentials or user interaction whatsoever. TechCrunch was first to report the specific claim of 100-plus organizations compromised, while Google Mandiant's threat intelligence team — tracking the campaign as UNC6240 — provided technical corroboration by notifying victims whose IP addresses appeared in the attack telemetry from the exploitation window.

Once inside, ShinyHunters deployed MeshCentral agents — legitimate remote management software repurposed as a persistent backdoor — to maintain long-term access across compromised systems. This operational pattern aligns with Google Mandiant's January 2026 characterization of ShinyHunters as "multiple threat clusters" operating under a single brand, having evolved from opportunistic dark-web data dumps into sophisticated zero-day exploitation campaigns. The group's operational tempo in 2026 has been relentless: the FBI issued Public Service Announcement I-051526-PSA on May 15, 2026, warning specifically of ShinyHunters' extortion tactics after their Canvas LMS breach exfiltrated 3.65 terabytes of data from 275 million users across 8,809 educational institutions. The PeopleSoft campaign launched 12 days later. (Threat actors, it turns out, do read FBI alerts.)

As of June 26, 2026, according to Google Mandiant, ShinyHunters has claimed responsibility for 40-plus organizational breaches in 2026 affecting over 400 million individuals — a figure that would make this the worst year for data theft in recorded history.

Blast Radius — Higher Education Under Fire

The targeting pattern is not random. As of June 26, 2026, 68% of confirmed PeopleSoft breach victims operate in the higher education sector, primarily in the United States. Universities run PeopleSoft for everything: student financial aid, HR payroll, alumni records, international student databases. The University of Nottingham case illustrates the exposure depth: 40 GB of uncompressed data (19 GB compressed), including billing records, credit card details, and campus portal exports. Multi-jurisdictional records spanning three countries — each with distinct data protection regulations — create a compliance exposure that will outlast the breach by years.

PeopleSoft Breach Victims by Sector (June 2026): Higher Education 68%; All Other Sectors 32%.

Chart: Distribution of confirmed Oracle PeopleSoft breach victims by sector, as of June 26, 2026. Source: Google Mandiant / UNC6240 threat intelligence reporting.

There is a secondary dimension that makes the education-sector concentration difficult to dismiss as coincidence. University student databases — containing demographic, behavioral, academic performance, and financial data — are dual-value targets. Immediate monetization runs through identity theft and extortion. The longer horizon involves training data: as AI systems increasingly depend on high-quality, demographically rich institutional datasets, student records become infrastructure in the data economy powering modern AI development, not merely privacy assets to be disclosed on a breach notification form. In my analysis, the 68% concentration in higher education reflects deliberate targeting logic, not opportunistic spray-and-pray — a sector-specific threat posture that university IT and security teams have not yet fully operationalized against.

The campaign also shows evidence of active sector expansion. A Council of Europe breach in June 2026 — where ShinyHunters leaked 10,000 employee records — signals movement beyond academic and commercial targets into intergovernmental organizations. Salesforce Experience Cloud attacks targeting financial services customers, which prompted a FINRA cybersecurity alert and FBI warnings about OAuth token theft and cloud misconfigurations, show the same threat actor probing vectors across multiple enterprise platforms simultaneously. The blast radius of ShinyHunters in 2026 is no longer containable to a single software ecosystem.

The Defense Stack That Changes the Math

Oracle stated in its June 10, 2026 security advisory: "Oracle considers implementation of the recommended mitigations to be a high-priority risk reduction measure and recommends customers apply all Critical Patch Updates, Critical Security Patch Updates and Security Alerts without delay." That is the vendor floor, not the security ceiling. The compensating controls that actually compress blast radius here operate across three layers.

Technology: Restrict inbound HTTP and HTTPS access to PeopleSoft application tier endpoints at the network perimeter. CVE-2026-35273 requires only HTTP network access — no credentials, no user interaction. A firewall rule allowlisting only known administrative IP ranges eliminates the authentication-bypass attack surface entirely. Patch PeopleTools beyond versions 8.61 and 8.62. Scan process inventories for MeshCentral agent binaries: legitimate remote access software appearing in unexpected system contexts is a reliable indicator of compromise (IOC) specific to this ShinyHunters campaign.

Process: Universities running PeopleSoft across multi-campus, multi-country configurations face a patching coordination problem that a single IT team cannot resolve fast enough through normal change management cycles. Establish a PeopleSoft-specific vulnerability response runbook with a defined emergency patch service level agreement for CVSS 9.0-plus vulnerabilities. The May 27 to June 9, 2026 exploitation window — versus the June 10, 2026 public advisory — represents the 14-day gap your incident response process needs to close. Subscribe to Oracle's security alert distribution list. It is free and it is the fastest official notification path available outside a commercial threat intelligence subscription.

People: Security awareness training for IT staff managing PeopleSoft should treat vendor advisory monitoring as a standing operational workflow, not an ad hoc response to headlines. The FBI's PSA I-051526-PSA, issued May 15, 2026, named ShinyHunters' extortion playbook explicitly and provided a 12-day window before the PeopleSoft campaign launched. Organizations with active threat intelligence subscriptions and a genuine security awareness culture had that lead time. Most did not act on it.

Harden This Today

One control. Not thirty. If your organization runs Oracle PeopleSoft on PeopleTools 8.61 or 8.62, ship this control today: block all inbound HTTP and HTTPS traffic to your PeopleSoft application tier from any IP range outside your explicitly allowlisted administrative networks. This is a network-layer control that takes minutes to implement and eliminates the attack surface CVE-2026-35273 exploits — no patch required to reduce your exposure right now, before your change management window opens.
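A check a defender can run against the exported firewall rules to confirm that the control above really closes both web ports to everything outside the administrative allowlist. This is an added example, not code from the brief or from Oracle; the rule set, address ranges and allowlist are constructed, and the evaluator models only the simple first-match INPUT-chain rules it parses.

```python
"""Check that a PeopleSoft host's inbound web rules enforce an administrative
allowlist. Added example: the rule set and address ranges are constructed."""
import ipaddress
import re

# Constructed iptables-save style INPUT chain: untrusted 443 is dropped, but port 80
# has no catch-all rule and the chain policy is ACCEPT.
SAMPLE_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
"""
# Assumed administrative ranges (constructed); substitute your own.
ADMIN_ALLOWLIST = ["10.20.0.0/16", "192.0.2.10/32"]

RULE_RE = re.compile(r"^-A INPUT(?: -s (\S+))? -p tcp -m tcp --dport (\d+) -j (ACCEPT|DROP|REJECT)$")

def parse_rules(text):
    """Return (chain policy, [(source network, port, target), ...]) in rule order."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        m = RULE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(1) or "0.0.0.0/0")
            rules.append((net, int(m.group(2)), m.group(3)))
    return policy, rules

def verdict(policy, rules, src_ip, port):
    """First matching rule wins, as iptables walks a chain; otherwise the policy."""
    ip = ipaddress.ip_address(src_ip)
    for net, rule_port, target in rules:
        if ip in net and rule_port == port:
            return target
    return policy

def find_exposure(rules_text, allowlist, probes):
    """Return (src, port) probes from outside the allowlist that are still ACCEPTed."""
    policy, rules = parse_rules(rules_text)
    trusted = [ipaddress.ip_network(a) for a in allowlist]
    gaps = []
    for src, port in probes:
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in trusted) and verdict(policy, rules, src, port) == "ACCEPT":
            gaps.append((src, port))
    return gaps
```

Probing both ports from one untrusted address makes the gap visible: port 443 is dropped, but port 80 falls through to the ACCEPT policy and is reported.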

If you are already in incident response mode — if your systems ran PeopleTools 8.61 or 8.62 during the May 27 through June 9, 2026 attack window — your first forensic step is auditing process inventories for MeshCentral agent installations running outside your approved software list. Google Mandiant notified organizations whose IP addresses appeared in UNC6240 attack telemetry; if you did not receive that notification and ran the vulnerable PeopleTools versions during the exploitation window, treat the absence of notification as absence of evidence, not evidence of safety. Investigate anyway. The University of Nottingham's 40 GB exfiltration was quiet by design.

Frequently Asked Questions

What is CVE-2026-35273 and how does it affect Oracle PeopleSoft?

CVE-2026-35273 is a CVSS 9.8 critical vulnerability — the highest severity rating — in Oracle PeopleSoft's PeopleTools versions 8.61 and 8.62. It exploits a Server-Side Request Forgery (SSRF) flaw that escalates to Remote Code Execution (RCE), allowing an attacker with only HTTP network access to run arbitrary commands on the server without any login credentials or user interaction. Oracle issued its advisory on June 10, 2026, but ShinyHunters exploited it as a zero-day (a security flaw with no available patch yet) from May 27 through June 9, 2026 — a 14-day window that affected 100-plus organizations across more than 300 PeopleSoft server instances.

How can I tell if my organization was affected by the ShinyHunters PeopleSoft breach?

Google Mandiant (tracking this campaign as UNC6240) proactively notified organizations whose IP addresses appeared in attack telemetry from the May 27–June 9, 2026 exploitation window. If you ran PeopleTools 8.61 or 8.62 during that period, audit system logs for unusual outbound connections and unexpected internal HTTP requests indicative of SSRF exploitation. Critically, scan your process lists for MeshCentral agent software running outside your approved inventory — this is the persistence tool ShinyHunters deployed post-compromise to maintain remote access. Contact your Oracle support representative and review Oracle's June 10, 2026 security advisory for specific remediation guidance.
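The two triage steps above, which are also the first forensic step in the incident response section: flagging MeshCentral agent processes outside the approved inventory, and outbound connections the application tier has no business making. Added example, not from the brief; the process listing, connection records, paths and the assumed agent process name "meshagent" are constructed.

```python
"""Two triage checks for a PeopleSoft host: MeshCentral agents outside the approved
inventory, and outbound connections from the app tier to unexpected destinations.
Added example; all sample data is constructed."""
from ipaddress import ip_address, ip_network

# Constructed `ps -eo pid,user,comm,args` output. "meshagent" is assumed to be the
# process name a MeshCentral agent shows on Linux; adjust for your platform.
PS_SAMPLE = """\
  PID USER     COMMAND  COMMAND
 1201 psadm    PSAPPSRV /opt/psft/bin/PSAPPSRV
 1310 root     meshagent /usr/local/mesh_services/meshagent/meshagent
 2215 psadm    meshagent /var/tmp/meshagent
"""
# Approved remote-management installs as (user, executable path) pairs (constructed).
APPROVED_AGENTS = {("root", "/usr/local/mesh_services/meshagent/meshagent")}

def unexpected_agents(ps_text, approved=APPROVED_AGENTS, marker="meshagent"):
    """Return (pid, user, path) for agent processes not in the approved inventory."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the ps header
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, comm, args = parts
        path = args.split()[0]
        if (marker in comm.lower() or marker in path.lower()) and (user, path) not in approved:
            hits.append((int(pid), user, path))
    return hits

# Constructed outbound connection records from the app server: "src dst:port process".
# SSRF-driven requests and agent beacons both appear as destinations the app tier never uses.
CONN_SAMPLE = """\
10.20.1.5 10.20.2.10:1521 PSAPPSRV
10.20.1.5 10.20.2.20:636 PSAPPSRV
10.20.1.5 10.20.9.44:80 PSAPPSRV
10.20.1.5 198.51.100.23:443 meshagent
"""
# Destinations the application tier legitimately talks to (database and LDAP subnet).
EXPECTED_DESTINATIONS = [ip_network("10.20.2.0/24")]

def unexpected_outbound(conn_text, expected=EXPECTED_DESTINATIONS):
    """Return (dst_host, port, process) for connections outside the expected set."""
    hits = []
    for line in conn_text.splitlines():
        src, dst, proc = line.split()
        host, port = dst.rsplit(":", 1)
        if not any(ip_address(host) in net for net in expected):
            hits.append((host, int(port), proc))
    return hits
```

Run against the constructed samples, the first check reports only the agent under /var/tmp, and the second reports the internal HTTP request to 10.20.9.44 plus the external beacon from the unapproved agent.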

What should universities do to protect against Oracle PeopleSoft vulnerabilities?

Universities face compounded data protection risk in PeopleSoft incidents because their databases contain multi-jurisdictional records spanning student demographics, finances, and academic data — making both immediate regulatory exposure and long-term liability severe across multiple legal frameworks. Immediate steps: patch PeopleTools beyond versions 8.61 and 8.62, restrict HTTP and HTTPS network access to PeopleSoft endpoints via firewall allowlisting, subscribe to Oracle's free security alert distribution list for real-time advisory notification, and deploy endpoint detection capable of flagging unexpected remote management software such as MeshCentral. Longer term, establish a vulnerability response runbook with CVSS 9.0-plus emergency patch service level agreements, and integrate active threat intelligence subscriptions that cover enterprise software exploitation campaigns targeting the education sector specifically.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs. Research based on publicly available sources current as of June 26, 2026.