Google's Threat Intelligence Group (GTIG) has independently confirmed that the prolific threat actor ShinyHunters actively exploited CVE-2026-35273 in Oracle's PeopleSoft ERP platform as a zero-day before Oracle issued its mitigation advisory — even as Oracle itself has not publicly acknowledged the in-the-wild exploitation. The confirmation, reported by SecurityWeek, adds an authoritative third-party intelligence perspective to a breach campaign that has disrupted multiple US higher education institutions.
Google's Intelligence Assessment
GTIG's confirmation is notable for several reasons. Oracle mitigated CVE-2026-35273 and released an advisory, but the company's public communications around the vulnerability have been measured — characteristic of Oracle's historically conservative approach to security disclosures, which tends to avoid explicit acknowledgment of exploitation unless compelled by regulators or overwhelming public evidence.
Google's independent confirmation fills that gap. GTIG's visibility into threat actor infrastructure, malware telemetry, and victim notification networks gave the team the evidence needed to independently attribute the exploitation campaign to ShinyHunters and classify it as zero-day activity — meaning ShinyHunters had access to the vulnerability before Oracle's patch was available.
Key findings from GTIG's assessment:
- Zero-day classification confirmed: Exploitation began prior to Oracle's advisory, establishing the vulnerability was unknown to Oracle at the time of the first attacks
- ShinyHunters attribution: GTIG independently attributed the campaign to ShinyHunters based on infrastructure overlap, TTPs (tactics, techniques, and procedures), and data handling consistent with the group's known operations
- Higher education targeting: The exploitation campaign specifically targeted PeopleSoft installations in the US higher education sector, consistent with ShinyHunters' pattern of targeting data-rich environments with legacy ERP deployments
Oracle's Measured Response
Oracle's handling of CVE-2026-35273 reflects the company's longstanding communications approach to vulnerability disclosure. Oracle issues mitigations and patches — as it did for this vulnerability — but typically does not confirm specific exploitation incidents in public communications, preferring to direct affected customers to private support channels.
This approach has long been a source of friction with the security research community, which argues that public acknowledgment of in-the-wild exploitation is critical information that helps defenders prioritize emergency patching. Without vendor confirmation, organizations may treat an actively exploited zero-day as a lower-priority patch-cycle item rather than an emergency remediation.
The disconnect between Oracle's mitigation and its public communications posture meant that many PeopleSoft administrators only understood the urgency of the situation after independent researchers and, now, Google's GTIG published their findings.
The Intelligence Value of Third-Party Confirmation
GTIG's confirmation of the ShinyHunters exploitation campaign illustrates the increasingly important role that large-scale threat intelligence operations play in the vulnerability disclosure ecosystem.
When a vendor mitigates a vulnerability without acknowledging exploitation, three categories of actors remain uninformed:
- System administrators who may not understand the severity difference between a routine patch and an emergency zero-day fix
- Regulators and incident responders who use confirmed exploitation status to trigger mandatory disclosure obligations and incident response protocols
- Peer defenders at similar organizations who need to understand whether their own systems should be treated as potentially compromised
Third-party intelligence organizations — including Google GTIG, Microsoft MSTIC, CrowdStrike Intelligence, and Mandiant — have increasingly stepped into this role, providing confirmed exploitation status for vulnerabilities where vendor communications fall short.
CVE-2026-35273 at a Glance
| Field | Detail |
|---|---|
| CVE | CVE-2026-35273 |
| Affected Product | Oracle PeopleSoft ERP |
| Exploitation Type | Zero-day (pre-authentication) |
| Confirmed Exploiting Group | ShinyHunters (GTIG attribution) |
| Primary Targets | US higher education institutions |
| Oracle Advisory Status | Mitigated — no public exploitation acknowledgment |
| Patch Availability | Emergency patch released post-disclosure |
ShinyHunters' Methodology in This Campaign
GTIG's analysis of the ShinyHunters PeopleSoft campaign identified the group's characteristic operational pattern: rapid, automated exploitation across multiple targets once a viable zero-day is confirmed operational, followed by bulk data exfiltration and extortion contact with victim organizations.
The pre-authentication nature of CVE-2026-35273 was a key factor in the scale of the campaign. Pre-auth vulnerabilities in widely deployed enterprise platforms allow threat actors to enumerate and compromise targets without needing to obtain credentials through prior access, phishing, or credential purchase — significantly reducing the time and resource cost of targeting thousands of installations simultaneously.
ShinyHunters' infrastructure for this campaign showed consistency with prior major campaigns, including the Canvas LMS breach and earlier ADT and 7-Eleven operations — supporting GTIG's attribution confidence.
Recommendations for PeopleSoft Administrators
If your organization runs Oracle PeopleSoft and has not yet applied Oracle's emergency advisory and patch for CVE-2026-35273:
- Apply the patch immediately — treat this as a P1 emergency, not a routine patch cycle item
- Conduct a retroactive log review — examine PeopleSoft application server logs and Oracle DB access logs for the months preceding your patch date for signs of unauthorized access
- Look for persistence mechanisms — check for web shells, modified servlets, or unexpected scheduled jobs that may have been installed during an exploitation window
- Engage your incident response retainer if log review indicates any anomalous access — assume breach until forensic analysis rules it out
- Notify your CISO and legal team of the confirmed in-the-wild exploitation — depending on your jurisdiction, breach notification obligations may be triggered even if you cannot yet confirm specific data access
```bash
# Quick check for suspicious PeopleSoft web server activity.
# Look for unusual POST volumes to PeopleSoft servlets in the exploitation window.
# Adjust the log path to your web tier; WebLogic access logs use a similar layout.
# Counts are bucketed per source IP and hour (dd/Mon/yyyy:HH) so repeated hits stand out.
grep -E "POST.*PTNUI|POST.*ICMainframe|POST.*fscm" /var/log/apache2/access.log \
  | awk '{print $1, substr($4, 2, 14), $7}' \
  | sort | uniq -c | sort -rn | head -50

# Oracle DB: check for logons from unexpected hosts in the last 90 days.
# DBA_AUDIT_TRAIL records the client host in USERHOST and the event time in TIMESTAMP
# (there is no MACHINE or LOGON_TIME column in this view); it is only populated when
# traditional session auditing (AUDIT SESSION) is on. Databases that use unified
# auditing should query UNIFIED_AUDIT_TRAIL instead.
sqlplus / as sysdba << 'EOF'
SELECT USERHOST, USERNAME, COUNT(*) AS SESSION_COUNT,
       MIN(TIMESTAMP) AS FIRST_SEEN,
       MAX(TIMESTAMP) AS LAST_SEEN
FROM DBA_AUDIT_TRAIL
WHERE ACTION_NAME = 'LOGON'
  AND TIMESTAMP > SYSDATE - 90
  AND USERNAME NOT IN ('SYS','SYSTEM','PSFT','PSFTTMP')
GROUP BY USERHOST, USERNAME
ORDER BY SESSION_COUNT DESC;
EOF
```
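The two review steps above, the retroactive log review and the search for web shells or modified servlets, can also be scripted so they run the same way across every PeopleSoft web tier an institution operates. The following is an added example written for this article; it is not Oracle, GTIG or any vendor tooling. It assumes combined-format access log lines, assumes the PeopleSoft servlet prefixes listed in `SERVLET_PREFIXES`, and uses a constructed sample log and constructed burst thresholds that should be tuned to local traffic. The persistence check compares a directory of deployable files against a known-good hash baseline, which you would take from a clean install or a pre-window backup.

```python
# Retroactive review helpers for a PeopleSoft exploitation window.
# Added example for this article, not Oracle/GTIG code. Assumes combined-format
# access logs and the servlet prefixes below; thresholds and sample data are constructed.
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed PeopleSoft servlet prefixes (tune to your deployment).
SERVLET_PREFIXES = ("/psp/", "/psc/", "/cs/", "/psigw/")


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def post_bursts(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: peak_count} for sources whose POSTs to servlet paths reach
    `threshold` inside any span of length `window`. One source driving many
    POSTs at session-bound servlets is the shape a pre-auth sweep leaves behind."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(SERVLET_PREFIXES):
            continue
        events[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def hash_tree(root, exts=(".jsp", ".jspx", ".class", ".jar", ".war")):
    """Map relative path -> SHA-256 for deployable files under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return out


def diff_against_baseline(baseline, current):
    """Files absent from the known-good baseline (candidate web shells) and
    files whose hash changed (candidate modified servlets)."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified}


# Constructed sample log: one source sweeping a servlet, one ordinary login.
_T0 = datetime(2026, 4, 2, 3, 14, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    f'203.0.113.7 - - [{(_T0 + timedelta(seconds=4 * i)).strftime(TS_FMT)}] '
    '"POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE.EXAMPLE.GBL HTTP/1.1" 200 512'
    for i in range(30)
] + [
    '198.51.100.5 - - [02/Apr/2026:03:15:10 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 2048',
    '198.51.100.5 - - [02/Apr/2026:03:15:12 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 302 0',
    "malformed line that should be skipped",
]


def persistence_demo():
    """Build a throwaway web root, baseline it, then add a new JSP and modify an
    existing one to show what diff_against_baseline reports (constructed data)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "WEB-INF"))
    with open(os.path.join(root, "index.jsp"), "w") as fh:
        fh.write("<html>ok</html>")
    baseline = hash_tree(root)
    with open(os.path.join(root, "index.jsp"), "w") as fh:
        fh.write("<html>tampered</html>")
    with open(os.path.join(root, "WEB-INF", "cmd.jsp"), "w") as fh:
        fh.write("<%-- constructed placeholder file, not a real web shell --%>")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("ignored: not a deployable extension")
    return diff_against_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print("POST bursts:", post_bursts(SAMPLE_LOG))
    print("Persistence diff:", persistence_demo())
```

Run it against a real log with `post_bursts(open(path))` and a real web root with `diff_against_baseline(saved_baseline, hash_tree(webroot))`; the sliding window is deliberately per-source so that normal campus-wide login traffic spread over many clients does not trip the threshold, while a single host repeating POSTs at servlet paths does. Anything the script flags is a lead for the forensic review the article recommends, not a verdict on its own.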