PeopleSoft flaw exploited in data-theft campaign, researchers say
Mandiant says ShinyHunters used a critical Oracle PeopleSoft vulnerability to target about 100 organizations, most of them in higher education.
By Hana Yoshida · Markets Reporter
A ransomware and extortion group has exploited a critical Oracle PeopleSoft vulnerability to target about 100 customer organizations, according to Google’s Mandiant security team. The campaign matters because Oracle has issued only a temporary mitigation for the flaw, and Mandiant says stolen data has already appeared on ShinyHunters’ leak site.
The vulnerability, tracked as CVE-2026-35273, has a severity score of 9.8 out of 10. Oracle described the bug as remotely exploitable and published a security alert after attackers had already been using it, according to Mandiant.
Mandiant said the flaw is a server-side request forgery, or SSRF, a bug class in which attackers make a vulnerable server send requests on their behalf to other systems, including internal ones inside the targeted organization that the server can reach. The company said ShinyHunters had been exploiting the vulnerability since May 27, more than two weeks before Oracle flagged it.
Higher education heavily targeted
As of Wednesday, Mandiant said the attackers had targeted roughly 300 endpoints across about 100 organizations. About 68% of those organizations were in higher education, according to the security firm.
The University of Nottingham said Wednesday that a data security incident had compromised a “significant” amount of student data. Its statement followed ShinyHunters’ claim that the university was among its recent victims and the group’s publication of gigabytes of data it said came from the attack.
Mandiant said some organizations blocked the activity or fixed the exposure, while others were compromised and had data posted to ShinyHunters’ data leak site. Google has confirmed that victims are receiving extortion demands.
How the attackers operated
Mandiant said analysis of a bash script left in a staging environment showed the attackers performing reconnaissance inside compromised organizations. The activity included mapping PeopleSoft configurations and viewing process scheduler and WebLogic server XML configuration files.
The attackers later created an outbound SSH connection to 176.120.22.24, an IP address that Mandiant identified as hosting ShinyHunters’ data leak site. Mandiant said the stolen information was compressed with the zstd tool before transfer, and the leak site claimed 48GB of data had been taken from one victim.
A researcher also said Tuesday that the group had exposed several directories showing continuing targeting of PeopleSoft systems. According to the researcher, the attackers left accessible a staging server containing tools used in the campaign.
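The activity chain Mandiant describes (a script run from a staging location, reads of process scheduler and WebLogic XML configuration files, zstd compression, then outbound SSH to 176.120.22.24) can be turned into a simple host-scoring triage check. The following is an added example, not code from the article or from Mandiant's or Rapid7's guidance; the log line format, host names and file paths are assumptions, and only the IP address and tool names come from the reporting.

```python
import re
from collections import defaultdict

# Indicator from the article: the IP Mandiant tied to the ShinyHunters leak site.
LEAK_SITE_IP = "176.120.22.24"

# Constructed sample telemetry (not real data) in an assumed
# "<ts> <host> <source> <event> k=v ..." shape; paths are hypothetical.
SAMPLE_LOGS = [
    "2026-06-10T02:11:03Z psapp01 auditd EXECVE cmd=/bin/bash /tmp/stage/recon.sh",
    "2026-06-10T02:11:09Z psapp01 auditd OPEN path=/opt/psft/config/prcs-config.xml",
    "2026-06-10T02:11:10Z psapp01 auditd OPEN path=/opt/weblogic/config/config.xml",
    "2026-06-10T02:14:41Z psapp01 auditd EXECVE cmd=zstd -19 /tmp/stage/export.tar",
    "2026-06-10T02:15:02Z psapp01 conntrack OUT proto=tcp dst=176.120.22.24 dport=22",
    "2026-06-10T03:00:00Z psweb02 conntrack OUT proto=tcp dst=10.0.0.5 dport=443",
]

# (rule name, pattern over the message part, severity weight)
RULES = [
    ("ssh_to_leak_site", re.compile(rf"OUT .*dst={re.escape(LEAK_SITE_IP)} dport=22\b"), 10),
    ("zstd_compression", re.compile(r"EXECVE cmd=(?:\S*/)?zstd\b"), 4),
    ("weblogic_config_read", re.compile(r"OPEN path=\S*/weblogic/\S*config\.xml"), 3),
    ("prcs_config_read", re.compile(r"OPEN path=\S*prcs\S*\.xml"), 3),
    ("script_from_staging_dir", re.compile(r"EXECVE cmd=\S*bash /tmp/\S+\.sh"), 2),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<msg>.+)$")


def scan(lines):
    """Return one finding per rule hit: host, timestamp, rule name and weight."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed shape
        for name, pattern, weight in RULES:
            if pattern.search(m["msg"]):
                findings.append({"host": m["host"], "ts": m["ts"],
                                 "rule": name, "severity": weight})
    return findings


def score_hosts(findings):
    """Sum weights per host so recon + compression + SSH-out outranks any one hit."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["host"]] += f["severity"]
    return dict(totals)


def hosts_to_escalate(lines, threshold=10):
    """Hosts whose combined score reaches the threshold (default: the SSH-out weight)."""
    return sorted(h for h, s in score_hosts(scan(lines)).items() if s >= threshold)
```

The weights are illustrative; the outbound SSH hit alone reaches the threshold because that indicator is the most specific one the reporting gives, while the other rules only add context.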
Known extortion group
ShinyHunters has been active since at least 2019, according to Mandiant and prior reporting cited by Ars Technica. The group has been linked to attacks affecting large companies and their customers, including incidents involving Ticketmaster through Snowflake, Santander and Salesforce.
Mandiant said the group uses multiple methods to gain access, including exploiting software vulnerabilities and cloud misconfigurations, stealing OAuth tokens, supply chain attacks, voice phishing and other social engineering tactics.
Mandiant and Rapid7 have published indicators of compromise and response guidance for PeopleSoft customers. With a full Oracle patch still pending, both firms urge affected organizations to apply the available mitigation and check for signs of compromise.
This story draws on original reporting from Ars Technica.