The ShinyHunters extortion group has been exploiting a critical zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) to breach universities and higher education institutions, according to analysis by Google's Mandiant. The campaign leverages unauthenticated remote code execution to steal sensitive student, financial, and HR data before demanding payment to suppress publication.
Attribution: UNC6240
Mandiant attributes the PeopleSoft exploitation campaign to UNC6240, the designation it uses to track ShinyHunters. Mandiant has dated activity to a window predating Oracle's public disclosure, indicating the group had access to the vulnerability — or independently discovered it — before defenders had any warning.
UNC6240/ShinyHunters is a financially motivated threat actor with a long history of high-impact data theft operations targeting organizations where bulk personal data can be monetized through extortion or sold to other criminals. Past targets have included major retailers, telecom providers, and financial institutions. The pivot to targeting higher education via PeopleSoft represents a deliberate expansion into a sector with concentrated personal data and often under-resourced security teams.
Why Universities?
Oracle PeopleSoft Campus Solutions is one of the dominant student information system (SIS) platforms at North American and European universities. A single PeopleSoft instance at a large university may contain:
- Student records for tens of thousands of current and former students
- Social Security numbers, dates of birth, and home addresses
- Financial aid and payment history
- Academic transcripts and enrollment records
- Faculty and staff HR data
This makes universities exceptionally attractive targets for data extortion — the potential for embarrassment, regulatory penalties, and harm to students creates strong pressure to pay.
The Double Extortion Model
UNC6240's campaign follows the classic double extortion playbook:
- Exploit CVE-2026-35273 to gain unauthenticated remote code execution on the PeopleSoft server
- Move laterally through connected systems to maximize data access
- Exfiltrate bulk datasets — student records, HR files, financial data
- Contact the victim with proof of the data theft and a payment demand
- Publish or auction data on dark web forums if the ransom is not paid
ShinyHunters maintains a dark web presence where stolen datasets are advertised and sold, giving victims a visible deadline and adding credibility to the extortion threat.
CVE-2026-35273: Technical Context
CVE-2026-35273 is a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Suite. Unauthenticated RCE flaws are among the most severe classes of vulnerability: they require no credentials and allow an attacker on the network (or on the internet, if the service is exposed) to execute arbitrary commands on the target system.
PeopleSoft web portals are frequently internet-exposed to support remote student and staff access, dramatically expanding the attack surface. Organizations that have not yet applied Oracle's interim mitigation and restricted exposure are at immediate risk.
Recommended Actions for Higher Education
Institutions running Oracle PeopleSoft should take the following steps immediately:
- Apply Oracle's emergency mitigation for CVE-2026-35273 without waiting for the next scheduled patch cycle
- Restrict internet exposure of PeopleSoft portals where possible — VPN or IP allowlisting for admin interfaces
- Review application logs for indicators of unauthorized access, particularly failed authentication attempts and unusual data export activity
- Engage your IR team if any suspicious activity is found — ShinyHunters moves quickly from initial access to exfiltration
- Notify legal and compliance teams so they are prepared in the event data was accessed
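As a starting point for the log review step above, the following added example (not from Mandiant or Oracle) flags client addresses with repeated authentication failures or unusually large response volume. The Combined Log Format, the request paths, the thresholds, and the `review` function name are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: the web tier writes Combined Log Format; adjust the pattern otherwise.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ \S+ [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# Constructed sample lines: documentation IP ranges and placeholder paths.
SAMPLE = """\
198.51.100.7 - - [01/Jan/2026:02:10:01 +0000] "POST /example/login HTTP/1.1" 401 512
198.51.100.7 - - [01/Jan/2026:02:10:02 +0000] "POST /example/login HTTP/1.1" 401 512
198.51.100.7 - - [01/Jan/2026:02:10:03 +0000] "POST /example/login HTTP/1.1" 403 512
198.51.100.7 - - [01/Jan/2026:02:14:40 +0000] "GET /example/report/export HTTP/1.1" 200 80000000
203.0.113.20 - - [01/Jan/2026:09:00:12 +0000] "POST /example/login HTTP/1.1" 401 512
203.0.113.20 - - [01/Jan/2026:09:00:20 +0000] "GET /example/home HTTP/1.1" 200 15000
203.0.113.20 - - [01/Jan/2026:09:00:21 +0000] "GET /example/logo.png HTTP/1.1" 304 -
corrupted entry without the expected fields
"""

def review(lines, max_auth_failures=3, max_bytes=50_000_000):
    """Return ({ip: [reasons]}, unparsed_line_count) for an access log."""
    failures = defaultdict(int)   # 401/403 responses per client
    sent = defaultdict(int)       # response bytes per client
    unparsed = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            # Count lines the pattern cannot read so gaps are visible.
            unparsed += bool(line.strip())
            continue
        ip = m["ip"]
        if m["status"] in ("401", "403"):
            failures[ip] += 1
        if m["bytes"] != "-":
            sent[ip] += int(m["bytes"])
    findings = {}
    for ip in sorted(set(failures) | set(sent)):
        reasons = []
        if failures.get(ip, 0) >= max_auth_failures:
            reasons.append("auth_failures")
        if sent.get(ip, 0) >= max_bytes:
            reasons.append("bulk_transfer")
        if reasons:
            findings[ip] = reasons
    return findings, unparsed

if __name__ == "__main__":
    print(review(SAMPLE.splitlines()))
```

Set both thresholds from your own baseline of normal portal traffic, and treat a non-zero unparsed count as a reason to check the log format before trusting a clean result.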
Broader Implications
The targeting of higher education through an enterprise ERP zero-day highlights a persistent challenge: large universities often maintain complex, legacy-adjacent software stacks where patching velocity is lower than in commercial enterprises. ShinyHunters and similar groups actively scan for these gaps.
The higher education sector should treat this campaign as a wake-up call to reassess the exposure and patching status of all internet-facing enterprise applications, not just PeopleSoft.