A pre-authentication remote code execution flaw in PeopleSoft Enterprise sits in the worst possible place for a corporate network: a perimeter-facing enterprise resource planning (ERP) system that runs human resources, payroll, finance, and student records. Oracle has shipped mitigations, not a fix, and reports already place roughly 300 PeopleSoft instances at more than 100 organizations in the crosshairs of the ShinyHunters threat actor, according to SecurityWeek and BleepingComputer.
The vulnerability is tracked as CVE-2026-35273 and affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, with PeopleSoft Enterprise Applications users potentially impacted as well. Oracle rated the issue critical — CVSS 9.8 out of 10 — in its out-of-band security alert and recommended that organizations treat the mitigations as a high-priority, immediate-action risk, per SecurityWeek's read of the advisory.
The gap between a mitigation and a patch is the editorial point. A mitigation is a configuration change or compensating control. A patch is a code-level fix that closes the underlying defect. For a pre-auth RCE on an internet-reachable ERP, only the second returns the system to a known-good state, and Oracle has explicitly not shipped one in this advisory cycle, per the Oracle advisory itself.
ShinyHunters has a documented prior pattern, including the Salesforce data-theft campaign reported earlier this year. The group told BleepingComputer it is using a "gadget chain" of old and zero-day vulnerabilities to conduct the attacks, chaining them to reach internet-exposed ERP instances. SecurityWeek and BleepingComputer both reported on this targeting claim, which has been corroborated by researcher "Michael R," who found exposed directories containing attack tooling and staging materials, including MeshCentral agents and a credential spray script.
The education sector is the primary target. The threat actor told BleepingComputer that most impacted organizations are in education, and one institutional victim has gone on the record: the University of Nottingham has confirmed a significant data breach tied to this campaign, per BleepingComputer and SecurityWeek. The university released a public statement acknowledging a cybersecurity incident, and ShinyHunters has listed the university's data on its leak site, according to BleepingComputer. BleepingComputer and TechCrunch learned from hackers claiming affiliation with ShinyHunters that they targeted 300 PeopleSoft instances across more than 100 organizations, with the education sector hit hardest. Researcher Michael R independently documented exposed infrastructure and tooling associated with these attacks, and Mandiant CTO Charles Carmakal has warned publicly about zero-day exploitation targeting PeopleSoft.
Oracle itself has not publicly confirmed in-the-wild exploitation in its advisory. That silence sits in a strange place: a critical, pre-authentication RCE in an internet-reachable ERP, mitigations rather than a fix, a named threat actor, a named university victim, and an industry-specific concentration of targets, per Oracle's advisory and SecurityWeek's reporting.
BleepingComputer obtained and published shell scripts used in the attacks and a list of IP addresses associated with the campaign — 142.11.200.186 through 142.11.200.190, 108.174.202.99, and 176.120.22.24 — some using TLS certificates with a common name of "azurenetfiles[.]net," a domain previously linked to ShinyHunters.
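A sweep of web access logs for the source addresses listed above, as an added example that is not code from Oracle, BleepingComputer, or the reporting cited here. It assumes Common/Combined Log Format with the client address in the first field; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Campaign source addresses as listed in the article (each pair is inclusive).
IOC_RANGES = [
    ("142.11.200.186", "142.11.200.190"),
    ("108.174.202.99", "108.174.202.99"),
    ("176.120.22.24", "176.120.22.24"),
]

def build_ioc_set(ranges=IOC_RANGES):
    """Expand inclusive (first, last) pairs into a set of IPv4Address objects."""
    iocs = set()
    for first, last in ranges:
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        iocs.update(ipaddress.IPv4Address(n) for n in range(lo, hi + 1))
    return iocs

# Assumed layout: client address, two fields, [timestamp], "request", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def find_hits(lines, iocs):
    """Return {ip: [(timestamp, request, status), ...]} for IoC client addresses."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not follow the assumed layout
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or malformed client field
        # Dual-stack listeners may log IPv4 clients as ::ffff:a.b.c.d.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if ip in iocs:
            hits[str(ip)].append((m["ts"], m["req"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (not real traffic); request paths are placeholders.
SAMPLE = [
    '142.11.200.188 - - [01/Jan/2026:10:00:00 +0000] "GET /placeholder HTTP/1.1" 200 512',
    '::ffff:108.174.202.99 - - [01/Jan/2026:10:05:00 +0000] "POST /placeholder HTTP/1.1" 500 0',
    '142.11.200.191 - - [01/Jan/2026:10:06:00 +0000] "GET / HTTP/1.1" 200 100',
    '198.51.100.7 - - [01/Jan/2026:10:07:00 +0000] "GET / HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(find_hits(SAMPLE, build_ioc_set()))
```

If the PeopleSoft web tier sits behind a load balancer or reverse proxy, the first field holds the proxy's address, so run the sweep against the proxy's own logs or against whichever field records the forwarded client address.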
The practical checklist for an operator running PeopleTools 8.61 or 8.62 is the one Oracle has already published: apply the recommended mitigations now, treat the issue as a high-priority risk, audit PeopleSoft Enterprise Applications environments for related exposure, and watch for the full patch Oracle has not yet shipped, as Oracle's advisory summarizes.
The vulnerability was discovered and reported to Oracle by Bobby Gould and Lucas Miller of Trend Micro's Zero Day Initiative, and Minh Giang of the Zero Day Initiative, per Oracle's advisory credit statement.