ctipilot.ch

CVE-2026-35273 — Oracle PeopleSoft: confirmed zero-day exploited by ShinyHunters (UNC6240), education sector hit hardest

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

If you did nothing this week: anyone running internet-reachable Oracle PeopleSoft should assume data-theft exposure. The initial-access vector that was merely attacker-asserted last week is now vendor-confirmed as a zero-day, with 100+ organisations already breached.

What was a claim-only story on 11 June became vendor-confirmed within 48 hours. Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated flaw in the PeopleSoft Environment Management Hub, and shipped an out-of-band patch (Oracle security alert; daily 06-12). Mandiant and Google GTIG then formally attributed the campaign to UNC6240 (ShinyHunters) and confirmed active exploitation against 100+ organisations, with the education sector disproportionately represented; the University of Nottingham quantified roughly 455,000 affected records (Google GTIG; daily 06-13).

This is a direct hit on a sector dense with European public-sector entities — universities and research institutions running PeopleSoft for HR and campus systems. Apply Oracle's out-of-band fix, then assume data exfiltration on any instance that was internet-reachable before patching: review Environment Management Hub access logs, rotate exposed credentials, and prepare for extortion contact, which is ShinyHunters' standard follow-through.