Oracle just got hit with its second ERP zero-day in 8 months. 100+ organizations breached. Your PeopleSoft instance is next.

ShinyHunters just compromised 300+ Oracle PeopleSoft instances across 100+ organizations.

CVSS 9.8. No authentication required. No user interaction. Just an HTTP request.

This is the second critical Oracle ERP zero-day in eight months. CVE-2025-61882 hit E-Business Suite in October. Now CVE-2026-35273 is burning through PeopleSoft. Two different product lines. Two different threat groups. Same pattern: unauthenticated RCE leading to data-theft extortion.

Universities are bearing the brunt. 68% of victims are higher education. One confirmed UK university lost 500,000 student records and 40GB of data. Kodak, Amazon One Medical, and the Council of Europe are all on the leak site.

ShinyHunters exploited this as a zero-day for two weeks before Oracle's June 10 advisory. They used automated scanning scripts to mass-compromise internet-facing PeopleSoft portals. No encryption. No ransomware. Just steal the data and threaten to leak it. Backups don't help when the leverage is exposure.

If you run PeopleSoft with the Environment Management Hub exposed to the internet, you are already a target. Patch CVE-2026-35273 immediately. Disable the EMHub service. Block /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter. Hunt for README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT across your PeopleSoft servers.

Your ERP is your crown jewels. Two zero-days in eight months means Oracle's attack surface is not shrinking. It's industrializing.

SOURCE: https://tech-insider.org/shinyhunters-oracle-peoplesoft-breach-2026/
VERIFIED: The Hacker News, Oracle Security Alert CVE-2026-35273, Mandiant/Google Threat Intelligence, Arctic Wolf
SIGNAL: ERP systems are now primary targets for organized cybercrime. If your CISO isn't treating internet-facing PeopleSoft and SAP as critical attack surface, you're already behind.