A ransomware group known as ShinyHunters exploited a critical zero-day flaw in Oracle’s PeopleSoft software to target about 100 organizations. The attackers stole gigabytes of data from victims, including the University of Nottingham, and issued extortion demands. Oracle has released a mitigation but not a full patch.
ShinyHunters began exploiting the server-side request forgery vulnerability, tracked as CVE-2026-35273, on May 27. The flaw carries a severity rating of 9.8 out of 10 and remained unpatched for more than two weeks. Mandiant researchers reported that the group targeted roughly 300 endpoints across 100 organizations, with 68 percent in higher education.
The University of Nottingham confirmed on June 10 that a significant amount of student data had been stolen. ShinyHunters published the data on its leak site and demanded payment from at least one victim. Oracle issued an emergency security advisory and stopgap mitigation measures.
The attackers left behind scripts and a staging server that revealed reconnaissance activity and data compression using the zstd tool. One victim lost 48 gigabytes of information. Mandiant and Rapid7 have shared indicators of compromise to help affected organizations respond.
