CVE-2026-35273, an unauthenticated remote code execution flaw in Oracle PeopleSoft's PeopleTools HTTP layer, is being actively weaponized at scale. The Register reports that extortion group ShinyHunters has claimed responsibility for exploiting the vulnerability against more than 100 organizations running roughly 300 vulnerable PeopleSoft instances.
The threat profile is severe: the flaw is unauthenticated, reachable over the network via standard HTTP, and grants full takeover of the underlying PeopleTools platform. Rated 9.8 on the CVSS scale, the bug sits in the highest tier of critical RCE, and Oracle's silence on a patch is the part of the picture most worth watching.
The University of Nottingham is the first named victim. ShinyHunters posted the university to its leak site on Tuesday, 2026-06-09, claiming it exfiltrated 40GB of student and billing records covering hundreds of thousands of current and former students, then published the cache the same day after the university refused an extortion demand. The University of Nottingham confirmed the breach on Wednesday, 2026-06-10, and Oracle issued an out-of-band security alert the same day. However, the scale of the exfiltrated data and the full scope of what records were taken have not been independently verified beyond ShinyHunters' claims.
What makes this different from a routine RCE disclosure is the asymmetry between exploitation and remediation. Oracle has issued an out-of-band alert and released mitigations, but as of the Register's reporting on 2026-06-11, no patch has been published and Oracle has not responded to requests for comment. Google-owned Mandiant Chief Technology Officer Charles Carmakal warned on LinkedIn that the PeopleSoft flaw was one of two zero-day vulnerabilities "actively being exploited in the wild," adding that "patches should come soon" — an acknowledgment that patches are not yet available as of this writing. Defenders are left watching a critical-rated zero-day burn through PeopleSoft deployments while the vendor's response window stays open.
PeopleSoft's footprint compounds the risk. The platform underpins payroll, HR, and student-information systems across higher education, state government, and large healthcare networks. A network-reachable RCE in that stack does not just hit one department; it gives an attacker a foothold into the systems that pay employees, enroll students, and process benefits.
ShinyHunters, in its statement to The Register, framed the campaign as the start of a broader outreach effort, saying the group is "actively looking to reach an agreement" with affected organizations. That is standard extortion framing, but it also signals that the actor expects more names to drop. The group is described in the same reporting as a data-theft-and-extortion crew, though the PeopleSoft campaign has not yet been tied on the record to the broader Scattered Spider cluster some researchers track alongside it.
For defenders, the next 72 hours matter more than the next 30 days. The single concrete move that buys the most time is to pull every internet-facing PeopleSoft instance off direct HTTP exposure: route PeopleTools 8.61 and 8.62 through a VPN or zero-trust gateway, block direct HTTP access to the rest at the perimeter, and hunt for any indicators of compromise published in the leak-site posting or in second-source write-ups from Mandiant, CrowdStrike, Rapid7, or CISA. Until Oracle confirms a patch, restricting network reach is the only control that converts a CVSS 9.8 from a fait accompli into a manageable exposure.
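Before the perimeter change lands, a defender needs to know how much PeopleTools traffic is currently arriving from outside the networks that will remain allowed. The script below is an added example, not code from The Register's reporting or from Oracle; it triages an existing web-server access log against an allowlist of VPN and campus CIDRs and reports which outside sources have been reaching PeopleSoft endpoints. It assumes the log is in Apache/nginx "combined" format and that the portal and content servlets live under the standard `/psp/` and `/psc/` prefixes; the CIDRs and the log lines are constructed sample data.

```python
import ipaddress
import re

# Assumed: Apache/nginx "combined" access-log format. Only the fields the
# triage needs (client IP, timestamp, method, path, status) are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed: PeopleSoft Pure Internet Architecture serves its portal (/psp/) and
# content (/psc/) servlets under these prefixes. Adjust to the real deployment.
PEOPLESOFT_PREFIXES = ("/psp/", "/psc/")

# Constructed: the VPN client pool and the campus range that will stay allowed
# once the instance is taken off direct HTTP exposure.
ALLOWED_CIDRS = ["10.8.0.0/16", "192.0.2.0/24"]

# Constructed sample log: one VPN client, two outside sources, one junk line.
SAMPLE_LOG = """\
10.8.0.5 - - [11/Jun/2026:08:14:51 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Jun/2026:08:15:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Jun/2026:08:15:09 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jun/2026:08:16:40 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [11/Jun/2026:08:16:41 +0000] "GET /psc/ps/EMPLOYEE/HRMS/s/ HTTP/1.1" 200 4402 "-" "curl/8.0"
this line is not in combined format
"""


def parse_line(line):
    """Return a dict of the fields we care about, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_peoplesoft_path(path):
    """True when the request targets a PeopleTools servlet prefix."""
    return path.startswith(PEOPLESOFT_PREFIXES)


def triage_exposure(lines, allowed_cidrs):
    """Return (hits, skipped): PeopleSoft requests from outside the allowlist,
    and the count of lines that could not be parsed."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed line: count it, never silently drop it
            continue
        if not is_peoplesoft_path(rec["path"]):
            continue  # not PeopleTools traffic, irrelevant to this exposure
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            skipped += 1  # unparseable client address
            continue
        if any(addr in net for net in nets):
            continue  # VPN or campus source: would still be allowed after gating
        hits.append(rec)
    return hits, skipped


def summarize_by_source(hits):
    """Count outside hits per client IP, busiest first."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def triage_sample():
    """Run the triage over the constructed sample log."""
    return triage_exposure(SAMPLE_LOG.splitlines(), ALLOWED_CIDRS)


if __name__ == "__main__":
    hits, skipped = triage_sample()
    print(f"{len(hits)} PeopleSoft requests from outside the allowlist, {skipped} lines skipped")
    for ip, n in summarize_by_source(hits).items():
        print(f"  {ip}: {n}")
```

Run it against the real access log (`triage_exposure(open(path), ALLOWED_CIDRS)`) with the site's actual VPN and campus ranges; every source it lists is one that will lose access when the perimeter block goes in, so the output doubles as the list of clients to reconcile before the change and as the list of outside addresses to cross-check against whatever indicators Mandiant, CrowdStrike, Rapid7, or CISA publish.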
The next test of this campaign will be independent confirmation. CISA's Known Exploited Vulnerabilities catalog, as of 2026-06-11, does not yet list CVE-2026-35273. NVD's record for the CVE is confirmed, but it is a second named victim or a regulator filing that will convert ShinyHunters' claims from extortion theater into a defensible threat picture. Until then, the defensive clock is already running, and the only confirmed casualty is a university that trusted its HR stack to be too embedded to fail.