
Patch now! ShinyHunters extortion group actively exploiting Oracle PeopleSoft zero-day

Oracle disclosed CVE-2026-35273 last week – but hackers had already been exploiting it for almost two weeks.

Wed, 17 Jun 2026

The cyber extortion group ShinyHunters is a past master at taking advantage of vulnerabilities in widely used platforms, and according to recent reporting from Mandiant, it is at it again – this time exploiting CVE-2026-35273, a vulnerability in Oracle’s PeopleSoft Enterprise PeopleTools.

Oracle disclosed details of the critical-severity flaw – it has a CVSS rating of a near-perfect 9.8 – on 10 June, warning that it was remotely exploitable, did not require authentication, and could lead to remote code execution.

To illustrate the severity of the issue, Oracle “recommended mitigations to be a high-priority risk reduction measure” and released an out-of-band patch at the time of disclosure.

 
 

PeopleTools versions 8.61 and 8.62 are impacted, and Mandiant has provided a solid description of the scope of the ShinyHunters activity it has been observing.

“The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component,” Mandiant said in a 12 June blog post.

“The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle’s June 10, 2026 advisory, the vulnerability was exploited as a zero-day.”

Mandiant was able to discover more than 100 vulnerable endpoints, most of which were based in the US, with 69 per cent belonging to entities in higher education. According to Mandiant, several of these were able to block the malicious activity once they were warned, while others were compromised, and the results are clear to see on ShinyHunters’ darknet leak site.

Houston City College, Illinois Central College, and the Moody Bible Institute, among others, have all been listed on the group’s darknet site in recent days.

“Hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses,” ShinyHunters said in its Houston City College extortion post.

“Daily and full student roster exports library credentials, PINs, and @student[.hccs[.edu accounts. Over 12,000 financial aid and bursar reports including FAFSA/ISIR suspense data with names, birthdates, emails, phones, and home addresses.”

The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-35273 to its Known Exploited Vulnerabilities Catalog.

According to cyber security firm Rapid7, even if the patch has already been applied – and it should be on an “emergency basis”, the company said – organisations should still look for Indicators of Compromise.

You can read Mandiant’s full analysis here, and Rapid7’s advice here.


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.