Researchers have linked ShinyHunters to the active exploitation of a critical Oracle PeopleSoft vulnerability that has reportedly been used to target universities and other organizations running exposed PeopleSoft environments.
The activity comes as Oracle issued security guidance and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to address affected systems.
The vulnerability affects Oracle PeopleSoft deployments and may allow attackers to gain unauthorized access to sensitive enterprise systems containing student, employee, financial, and administrative information.
Google links exploitation to ShinyHunters activity
According to research publicly disclosed this week, threat activity associated with ShinyHunters has been observed exploiting vulnerable PeopleSoft environments.
The campaign reportedly targeted internet-accessible Oracle deployments used by educational institutions and other organizations. Researchers said the attacks enabled unauthorized access to enterprise resources and sensitive internal data.
While the full scope of impacted organizations remains unclear, the findings add another major education-sector campaign to the recent incidents involving ShinyHunters, including the ongoing fallout from the Canvas-related data exposure events.
Oracle and CISA issue warnings
Oracle has acknowledged the vulnerability and released guidance addressing affected deployments. Shortly afterward, CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog, indicating evidence of active exploitation.
Federal civilian agencies have been directed to remediate affected systems within mandated timelines under Binding Operational Directive 22-01.
The rapid addition to the KEV catalog reflects the seriousness of the threat and suggests defenders should treat exposed PeopleSoft environments as potentially at risk.
Universities remain attractive targets
Universities continue to represent high-value targets because they store large volumes of student records, financial information, research data, employee records, and authentication credentials.
The education sector has faced sustained pressure throughout 2026, including incidents involving the University of Nottingham and the broader Canvas ecosystem.
Organizations running Oracle PeopleSoft are advised to review Oracle’s guidance, identify exposed instances, and apply recommended mitigations immediately.
BreachNews will continue monitoring reports of exploitation and any additional victim disclosures tied to the campaign.