ShinyHunters — the prolific hacking group responsible for a string of high-profile breaches across healthcare, retail, and technology — has turned its attention to American universities, exploiting a critical zero-day vulnerability in Oracle's PeopleSoft ERP software (CVE-2026-35273) to steal enormous quantities of student, faculty, and institutional data. The campaign, reported by Dark Reading on June 12, 2026, has disproportionately hammered U.S. higher education institutions that rely on Oracle's widely deployed campus management platform.
The Vulnerability: CVE-2026-35273
Oracle's PeopleSoft is among the most widely deployed enterprise resource planning (ERP) systems in U.S. higher education, managing student records, financial aid, human resources, payroll, and academic administration for hundreds of universities. The zero-day at the center of this campaign — CVE-2026-35273 — allowed ShinyHunters to compromise these systems without authentication.
Oracle issued an emergency mitigation advisory after the exploitation became public, but by that point, multiple institutions had already been breached. A full patch was subsequently released, though the window between zero-day exploitation and patch availability gave the attackers significant time to operate undetected.
| Detail | Info |
|---|---|
| CVE | CVE-2026-35273 |
| Affected Software | Oracle PeopleSoft ERP |
| Attack Type | Zero-day exploitation (pre-authentication) |
| Targeted Sector | Higher education (US universities) |
| Threat Actor | ShinyHunters |
| Data Stolen | Student records, faculty PII, research data, financial aid records |
Why Higher Education?
The concentration of breaches in higher education is not coincidental. Universities represent an unusually attractive target profile for data-focused threat actors:
Scale of PII: Large universities manage records for tens of thousands of current and former students, faculty, staff, and alumni — decades of accumulated personal information including Social Security numbers, financial records, health data from campus health centers, and academic histories.
Oracle PeopleSoft Penetration: PeopleSoft has a dominant market position in higher education ERP. A single zero-day can simultaneously threaten hundreds of institutions running similar configurations.
Limited Security Budgets: Despite managing vast amounts of sensitive data, many universities operate with security teams and budgets that lag behind private sector enterprises of comparable data volume.
Research Data Value: Universities often hold sensitive research data — government-funded studies, medical research, and intellectual property — that may be of interest to both financially motivated criminals and nation-state actors.
Ransomware Leverage: Student record data, financial aid information, and academic records create strong extortion leverage ahead of enrollment periods and grading deadlines.
ShinyHunters' Playbook
ShinyHunters has consistently demonstrated a methodology focused on scale over sophistication: identify widely deployed enterprise software with exploitable vulnerabilities, automate exploitation across as many targets as possible, exfiltrate data, and monetize through extortion or dark web sales.
The group's known campaigns in 2026 have included:
- Canvas LMS (Instructure) breach — 365TB of data, extortion settlement
- ADT customer data breach
- 7-Eleven customer data exposure
- Medtronic patient records theft
- Telus Digital breach
The Oracle PeopleSoft campaign fits this pattern: a single widely deployed platform, a critical vulnerability, and a target-rich sector with limited security maturity.
Affected Institutions
Multiple American universities confirmed incidents or were identified as victims in the days following disclosure. The concentration in the United States reflects Oracle PeopleSoft's particularly strong market penetration in U.S. higher education. Specific institutional names have been withheld by some reporting outlets pending notification to affected students and faculty.
Common categories of data exposed across confirmed breaches include:
- Student personally identifiable information — names, addresses, dates of birth, Social Security numbers
- Financial aid records — FAFSA data, award amounts, loan information
- Academic transcripts and enrollment history
- Faculty and staff HR records
- Research grant and administration data
- Campus health center records (where integrated with PeopleSoft)
Oracle's Response
Oracle issued an emergency mitigation advisory upon confirmation of active exploitation and subsequently released a formal patch for CVE-2026-35273. The company has been coordinating with affected customers and CISA on remediation timelines.
This campaign follows earlier PeopleSoft zero-day activity that Oracle disclosed in June 2026: Oracle mitigated an earlier PeopleSoft zero-day that ShinyHunters had also exploited, which suggests the group has developed sustained targeting capabilities against Oracle's ERP platform.
Implications for Higher Education Security
The ShinyHunters PeopleSoft campaign carries several implications for the higher education sector:
ERP Platform Risk Concentration: When a single vendor holds dominant market share across an entire sector, zero-day vulnerabilities in that vendor's products create sector-wide systemic risk. Higher education's reliance on a small number of ERP vendors — Oracle PeopleSoft, Ellucian Banner, Workday — creates concentrated attack surfaces.
Patch Urgency: The gap between zero-day exploitation and patch availability highlighted how critical rapid patching is. Universities that applied Oracle's emergency mitigation advisory promptly had better outcomes than those that delayed.
Data Minimization: Years of accumulated student and alumni records exist in PeopleSoft databases that may no longer be operationally necessary. Data minimization — retaining only what is needed for legal and operational purposes — reduces breach impact.
Immediate Recommendations
For institutions running Oracle PeopleSoft:
- Apply the CVE-2026-35273 patch immediately — Oracle has released a fix; treat this as a P1 emergency patch
- Audit PeopleSoft access logs for the months prior to the patch date — look for unusual query volumes, off-hours activity, or access from unexpected IP ranges
- Verify no web shells or backdoors were installed during the exploitation window
- Notify affected individuals per applicable state breach notification laws and FERPA obligations once the scope of data access is confirmed
- Engage incident response if you have not already — professional IR firms can conduct forensic analysis to determine whether your instance was accessed
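```bash
# Search the PeopleSoft application server logs for the indicator strings
grep -i "CVE-2026-35273\|PTNUI\|ICMainframe" /opt/oracle/psft/pt/*/logs/*.log

# List database sessions that are not running under the expected accounts.
# V$SESSION only shows sessions connected right now; logons from the
# exploitation window have to come from the database audit trail.
sqlplus / as sysdba <<EOF
SELECT USERNAME, PROGRAM, MACHINE, LOGON_TIME
FROM V\$SESSION
WHERE USERNAME NOT IN ('SYS','SYSTEM','PSFT')
ORDER BY LOGON_TIME DESC;
EOF
```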
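The access-log audit recommended above (unusual query volumes, off-hours activity, access from unexpected IP ranges) can be scripted for a first pass over months of logs. This is an added example, not code from the original article or from Oracle; it assumes Common Log Format web access lines, and the network range, business hours, volume threshold and sample lines are constructed placeholders to replace with local values.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumptions (not from the article): Common Log Format input, the campus
# network range, business hours and the per-IP hourly threshold.
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 in the log's own UTC offset
VOLUME_THRESHOLD = 2           # requests per IP per hour (low, to suit the sample)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\d+|-)')
# Constructed sample lines; addresses and paths are placeholders.
SAMPLE_LOG = """\
10.20.4.17 - - [02/Jun/2026:10:15:01 -0500] "GET /portal/home HTTP/1.1" 200 5120
203.0.113.50 - - [03/Jun/2026:02:41:10 -0500] "POST /portal/query HTTP/1.1" 200 98304
203.0.113.50 - - [03/Jun/2026:02:41:12 -0500] "POST /portal/query HTTP/1.1" 200 98304
203.0.113.50 - - [03/Jun/2026:02:41:15 -0500] "POST /portal/query HTTP/1.1" 200 98304
10.20.9.3 - - [03/Jun/2026:23:05:00 -0500] "GET /portal/home HTTP/1.1" 200 5120
"""

def parse(line):
    """Return (ip, timestamp) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return (ipaddress.ip_address(m.group(1)),
                datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    except ValueError:  # hostname instead of an IP, or a malformed timestamp
        return None

def triage(log_text):
    """Group source IPs under the three audit signals from the checklist."""
    hits = {"unexpected_ip": set(), "off_hours": set()}
    per_ip_hour = Counter()
    for line in log_text.splitlines():
        if (rec := parse(line)) is None:
            continue
        ip, when = rec
        if not any(ip in net for net in EXPECTED_NETS):
            hits["unexpected_ip"].add(str(ip))
        if when.hour not in BUSINESS_HOURS:
            hits["off_hours"].add(str(ip))
        per_ip_hour[(str(ip), when.strftime("%Y-%m-%d %H"))] += 1
    hits["high_volume"] = {ip for (ip, _h), n in per_ip_hour.items() if n > VOLUME_THRESHOLD}
    return {signal: sorted(ips) for signal, ips in hits.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An address that appears under all three signals is the first candidate for deeper forensic review; a single signal on its own (for example a staff member working late) usually needs corroboration.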