Attackers Exploited Oracle Flaw for Over Two Weeks Before Public Disclosure

ShinyHunters exploited CVE-2026-35273, a critical server-side request forgery vulnerability in Oracle PeopleSoft software, to target about 100 customer organizations and extort at least one victim for payment in exchange for not leaking stolen data.

The group began exploiting the flaw on May 27 and continued for more than two weeks before Oracle publicly flagged the vulnerability. 8 out of 10 and is remotely exploitable, according to Oracle.

The company has issued a stopgap mitigation but has not yet released a full patch. As of Wednesday, ShinyHunters had targeted roughly 300 endpoints belonging to the 100 user organizations. Approximately 68 percent of those organizations operate in the higher education sector.

The University of Nottingham confirmed it was a victim of a hack in which a significant amount of student data was stolen. ShinyHunters published gigabytes of data claimed to have been stolen from the university. Mandiant researchers said the attackers left a staging server containing tools used in the attack publicly available.

A bash script found in the staging environment shows the attackers performed reconnaissance including mapping PeopleSoft configurations, viewing process scheduler, and WebLogic server XML configurations. 24, which hosts ShinyHunters’ data leak site. Stolen data was first compressed using the zstd tool before exfiltration.

ShinyHunters’ data leak site claimed to have recovered 48 GB of data from a single victim. ShinyHunters has been active since at least 2019. The group previously breached Ticketmaster through Snowflake, Santander, and Salesforce, affecting Google and reportedly other companies.