ShinyHunters claims an Oracle PeopleSoft 0-day burned 100+ orgs, starting with Nottingham
#Vulnerabilities

Hardware Reporter

A 9.8-CVSS PeopleTools flaw, CVE-2026-35273, gives unauthenticated attackers full remote takeover over HTTP. ShinyHunters says it hit 300 exposed instances and already dumped 40 GB from the University of Nottingham. Here is what the bug actually is, why internet-facing PeopleSoft is a homelab-grade mistake at enterprise scale, and what to check on your own perimeter tonight.

The extortion crew ShinyHunters told The Register it exploited a critical Oracle PeopleSoft flaw as a zero-day to break into more than 100 organizations across roughly 300 vulnerable instances. The first confirmed casualty is the University of Nottingham, which had 40 GB of student personal data and billing records lifted and then published on the group's leak site after it apparently declined to pay.

The bug at the center of this is CVE-2026-35273, a CVSS 9.8 vulnerability in Oracle PeopleSoft Enterprise PeopleTools. Oracle pushed an out-of-band security alert on Wednesday, a day after the Nottingham data went public. Mandiant CTO Charles Carmakal confirmed on LinkedIn that the PeopleSoft flaw is one of two zero-days under active exploitation right now, the other being a Cisco Catalyst SD-WAN Manager flaw.

What the vulnerability actually does

A 9.8 score is about as bad as the CVSS scale gets without hitting a clean 10, and the vector string is the part that should make anyone running PeopleSoft nervous. The flaw allows a remote, unauthenticated attacker with network access over HTTP to compromise PeopleTools and take over the platform completely. Break that down the way you would read a benchmark result:

CVSS metric                                  Value      What it means in practice
Attack Vector                                Network    Reachable across the internet, no LAN foothold needed
Attack Complexity                            Low        No race conditions, no special timing, repeatable
Privileges Required                          None       Attacker needs no account on the system
User Interaction                             None       No phishing, no clicking, fully autonomous
Scope                                        Unchanged  The 9.8 is computed for PeopleTools alone; the same metrics with Scope: Changed compute to a flat 10.0
Confidentiality / Integrity / Availability   High       Full read, full write, full takedown

When every exploitability row reads in the attacker's favor and all three impact ratings are High, the result is a vulnerability that a single scripted request can weaponize at scale. That is exactly what 300 hit instances looks like. You do not pop 300 PeopleSoft deployments by hand. You write one exploit, point it at a list of internet-exposed hosts, and let it run.

PeopleTools is the runtime and development framework underneath the PeopleSoft application suite. It handles the web rendering, the Integration Broker, the application server tier, and the database connectivity. That is why a bug in PeopleTools rather than in a single application module earns High on all three impact ratings: you are not stealing one HR record, you are owning the platform that fronts payroll, HR, supply chain, and student records. Note that the 9.8 already implies Oracle scored Scope as Unchanged (the same metrics with Scope: Changed would be 10.0), so the breadth here comes from what PeopleTools fronts, not from a CVSS scope jump into some other security authority. Nottingham's 40 GB haul of personal data and billing records is consistent with full platform access, not a narrow leak.

Why this keeps happening to PeopleSoft

PeopleSoft predates the modern habit of treating every internet-facing service as hostile by default. A lot of deployments still expose the PeopleSoft Internet Architecture (PIA) web tier directly so that students, employees, and contractors can reach self-service portals from anywhere. That convenience is the entire attack surface. The Integration Broker and the PIA servlet have a long history of deserialization and authentication-bypass issues, and a pre-authentication bug in that tier is the worst-case version of the pattern.

If you run any kind of homelab, you already know the rule that applies here: anything you expose to the public internet has to be treated as if it will be scanned within minutes and exploited within hours of a working PoC landing. Enterprises running PeopleSoft are operating under the same physics, just with hundreds of thousands of personal records behind the listening socket instead of a Jellyfin instance.

ShinyHunters' own framing tells you the business model. "We have only just started outreach to affected orgs and are actively looking to reach an agreement," the spokesperson said, which is extortion-speak for staggered shakedowns. The group posted Nottingham, dumped the data the same day when the university refused to pay, and is sitting on the rest of the list as leverage.

What to do before the patch lands

As of writing, it is unclear whether Oracle has shipped an actual fix. Carmakal's read is that Oracle "released mitigations" and that "patches should come soon." Oracle did not respond to The Register's questions. That puts defenders in the uncomfortable window where the bug is being exploited in the wild but the permanent fix may not exist yet. Mitigation, not patching, is the order of the day.

Concrete steps worth taking now:

  • Get the PIA web tier off the open internet. If self-service portals must stay reachable, put them behind a VPN, a ZTNA gateway, or at minimum a reverse proxy with strict allow-listing. The cheapest mitigation for a network-vector bug is removing the network path.
  • Apply Oracle's out-of-band alert guidance immediately. Read the security alert in full rather than waiting for the next quarterly Critical Patch Update. Out-of-band releases from Oracle are rare and signal that the company considers this urgent.
  • Hunt for compromise, do not assume prevention worked. This is a zero-day that was exploited before the alert existed, so patching forward does nothing for hosts already breached. Pull PIA and application server logs, look for anomalous HTTP requests to the servlet endpoints, unexpected Integration Broker activity, new admin accounts, and outbound data transfers sized like a 40 GB exfil.
  • Rotate credentials and integration secrets. Full PeopleTools takeover means database credentials and integration keys should be considered exposed.
  • Inventory every PeopleSoft instance you own. The 300-instance figure exists because organizations lose track of forgotten test, staging, and acquired-via-merger deployments. Shadow instances are exactly what gets popped.
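The log hunt in the third step, as an added example that is not from the article or from Oracle. It assumes a combined-format access log from the web tier in front of PIA, the default /psp/, /psc/ and /PSIGW/ URL prefixes, and 10.0.0.0/8 plus 192.168.0.0/16 as the internal ranges allowed to reach the Integration Gateway. The sample lines are constructed; the byte threshold and the scripted-client heuristic are starting points to tune, not signatures for this CVE.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Combined log format (assumed layout; adjust the regex to your own web tier's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Default PIA portal/content servlet and Integration Gateway prefixes (assumed defaults).
SERVLET_PREFIXES = ("/psp/", "/psc/", "/PSIGW/")
GATEWAY_PREFIX = "/PSIGW/"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
SCRIPTED_UA = ("python-requests", "curl/", "Go-http-client", "libwww")     # heuristic
EXFIL_BYTES = 500 * 1024 * 1024  # bytes sent to one client in the window; tune per site

# Constructed sample: one benign employee session, one scripted client hitting the
# gateway and pulling a very large response, one ordinary login page visit.
SAMPLE_LOG = """\
10.20.30.40 - - [10/Mar/2026:09:12:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_BEN_OVW.GBL HTTP/1.1" 200 18420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:09:12:05 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:12:09 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?ICAction=ICQryNameURL=PUBLIC.STUDENT_BILLING HTTP/1.1" 200 734003200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:09:13:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9201 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:09:13:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines):
    """Return (rule, client_ip, detail) findings over the PeopleSoft servlet tier."""
    findings = []
    sent = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].startswith(SERVLET_PREFIXES):
            continue
        sent[rec["ip"]] += rec["bytes"]
        # Integration Gateway should only ever see trusted integration partners.
        if rec["path"].startswith(GATEWAY_PREFIX) and not is_internal(rec["ip"]):
            findings.append(("gateway-from-untrusted", rec["ip"], rec["path"]))
        # Successful servlet requests from a scripting client are worth a look.
        if rec["ua"].startswith(SCRIPTED_UA) and rec["status"] < 400:
            findings.append(("scripted-client-on-servlet", rec["ip"], rec["ua"]))
    # Bytes returned per client: a bulk pull shows up here even if each request looks normal.
    for ip, total in sent.items():
        if total >= EXFIL_BYTES:
            findings.append(("bulk-transfer", ip, f"{total} bytes"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in hunt(SAMPLE_LOG.splitlines()):
        print(f"{rule:<28} {ip:<15} {detail}")
```

Run it over real logs with `hunt(open(path))`; correlate any client that trips more than one rule with Integration Broker audit logs and new PSOPRDEFN entries before deciding it is benign.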

The broader pattern

Two unauthenticated zero-days under active exploitation in the same week, one in Oracle's enterprise suite and one in Cisco's SD-WAN management plane, is a reminder that the highest-value targets are the management and identity tiers, not the endpoints. PeopleSoft sits on the identity and payroll data of entire institutions. SD-WAN Manager sits on the control plane of entire networks. Attackers have figured out that one pre-auth bug in the right middleware is worth more than a thousand phished laptops.

For anyone responsible for a perimeter, the takeaway is unglamorous and old: measure your actual exposure instead of trusting the architecture diagram. Scan your own external IP ranges the way ShinyHunters scans them. The 300 vulnerable instances in this story were all, at some point, somebody's assumption that the box was not reachable.
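A small inventory check for the exposure scan this paragraph recommends, added here and not part of the article. fingerprint() decides from one HTTP response whether a host looks like a PeopleSoft PIA front end, using the PS_TOKEN-family session cookies, the /psp/ and /psc/ servlet paths and the sign-in page title as indicators; these are assumed defaults that a deployment can rename, so a miss is not proof of absence. probe() runs the same check live against a URL you own; the sample response is constructed.

```python
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Indicator set (assumed PeopleSoft defaults, not guarantees).
COOKIE_MARKERS = {"PS_TOKEN", "PS_TOKENEXPIRE", "PS_LOGINLIST", "ps_theme"}
PATH_RE = re.compile(r"/ps[pc]/[A-Za-z0-9_-]+/")          # /psp/<site>/ or /psc/<site>/
TITLE_RE = re.compile(r"<title>[^<]*Oracle PeopleSoft[^<]*</title>", re.I)

# Constructed sample: a redirect to the sign-in page, as the web tier would answer "/".
SAMPLE_RESPONSE = (
    302,
    [
        ("Server", "Oracle-HTTP-Server"),
        ("Location", "https://hr.example.edu/psp/ps/?cmd=login&languageCd=ENG"),
        ("Set-Cookie", "PS_TOKENEXPIRE=10_Mar_2026_09:12:01_GMT; path=/"),
        ("Set-Cookie", "ps_theme=node:HRMS portal:EMPLOYEE theme_id:DEFAULT_THEME_FLUID; path=/"),
    ],
    "",
)


def fingerprint(status, headers, body):
    """Return the PeopleSoft indicators seen in one response.
    headers is a list of (name, value) pairs so repeated Set-Cookie headers survive."""
    hits = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in COOKIE_MARKERS:
                hits.append("cookie:" + cookie)
        elif lname == "location" and 300 <= status < 400 and PATH_RE.search(value):
            hits.append("redirect:" + value)
    if TITLE_RE.search(body):
        hits.append("title")
    if PATH_RE.search(body):
        hits.append("body-path")
    return hits


def probe(url, timeout=5):
    """Live check of one URL you are authorised to test. Not exercised offline."""
    req = Request(url, headers={"User-Agent": "pia-inventory-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:  # follows the redirect, so both pages are seen
            body = resp.read(65536).decode("utf-8", "replace")
            return fingerprint(resp.status, resp.getheaders(), body)
    except HTTPError as e:
        return fingerprint(e.code, list(e.headers.items()), e.read(65536).decode("utf-8", "replace"))
    except URLError:
        return []


if __name__ == "__main__":
    print(fingerprint(*SAMPLE_RESPONSE))
```

Feed probe() the apex URL of every host in your external ranges that answers on 443; anything returning two or more indicators belongs on the PeopleSoft inventory whether or not the architecture diagram knows about it.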
