Wednesday, Jun 17, 2026
Newstrackertoday

No Patch. No Authentication Required. And ShinyHunters Already Inside 100 Companies

Anderson Liam

Oracle published a security advisory on Thursday for a critical vulnerability in its PeopleSoft enterprise software, designated CVE-2026-35273, one day after the ShinyHunters cybercrime group publicly claimed responsibility for a mass-hacking campaign exploiting the same flaw. Mandiant, the cybersecurity unit owned by Google, confirmed that the vulnerability ShinyHunters is exploiting is the bug Oracle just disclosed, and separately notified more than 100 global organizations with potentially vulnerable servers. The timing is not incidental. Oracle’s advisory arrived after the breach was already public, after Mandiant had already spent time doing victim notification, and after stolen data had already appeared on ShinyHunters’ data leak site. A vendor warning that follows the exploitation of its software by a day is not a security response. It is a damage-control timeline.

The technical parameters of the vulnerability are what make the situation particularly serious. The bug in PeopleSoft, which large organizations use to manage payroll and human resources, can be exploited over the internet without requiring any authentication credentials. An attacker needs no username, no password, and no insider access to begin probing a vulnerable server. Oracle had not released a patch as of Thursday and instead recommended customers apply mitigations. Mandiant said that about two-thirds of the more than 100 notified organizations are in higher education, which aligns with what ShinyHunters claimed. The education sector’s concentration here is not random: university systems tend to run older enterprise software versions on longer patch cycles than corporate environments, and PeopleSoft has deep penetration in the sector specifically for HR and student administration functions. The specific victim profile, and why ShinyHunters chose it, is what NewsTrackerToday is following the sequence of events to understand.

Sophie Leclerc, who covers the technology sector, traces the attack architecture: “Zero-day in widely deployed enterprise HR software, no authentication required, exploitation already underway at 100-plus organizations before the vendor publishes an advisory. This is a near-perfect execution of a supply chain attack template. ShinyHunters has run this exact play before with other enterprise platforms. The group finds a flaw in common software, exploits it at scale before a patch exists, collects data, and threatens release unless victims pay. The university sector is attractive because the data is sensitive, the systems are underfunded relative to the volume of personal records they hold, and the reputational pressure to pay rather than see student records published is real.”

ShinyHunters described the stolen data from one institution as encompassing hundreds of thousands of student records containing full name, home address, phone number, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses. That data profile is comprehensive enough to enable identity theft at scale, social engineering attacks, and targeted phishing against an entire student population. Oracle’s mitigation guidance, rather than a full patch, means vulnerable organizations are managing risk in a window of active exploitation with no vendor fix available. The duration of that window, meaning the time between Oracle’s discovery and a patch release, is what NewsTrackerToday is tracking, because every day it stays open is a day ShinyHunters can continue targeting the organizations that have not yet applied the mitigations.

Daniel Wu places the pattern in institutional context: “ShinyHunters has become the most methodical supply chain attacker operating publicly right now. They targeted companies using a Salesforce integration last year, then Gainsight, then Instructure. Each campaign hits a platform with broad enterprise deployment, extracts data from dozens or hundreds of customers, and then monetizes through extortion. The group’s willingness to publish data when organizations refuse to pay makes the threat credible. Instructure paid. That payment validates the model for every subsequent campaign.” The Instructure precedent is the element that shapes every future ShinyHunters victim’s calculus: a documented case where the extortion worked gives the group empirical leverage it did not have before, and that dynamic is what NewsTrackerToday follows when tracing the group’s target logic.

Oracle has not responded to press requests for comment. That silence, alongside an advisory that recommends mitigations rather than a patch, is what NewsTrackerToday names as the part of the disclosure that the formal language obscures: when a company advises customers to apply mitigations for a zero-day in software that manages their payroll and HR data, while simultaneously offering no timeline for a patch and declining to comment on the scope of the breach, the customers who rely on that software are operating in an undisclosed risk environment. The uncomfortable conclusion here is that Oracle’s disclosure posture, arriving after exploitation was public and without a remediation path, describes the floor of vendor security disclosure rather than anything approaching the standard its enterprise customers deserve.
