Canadian Cyber Security Journal
Filed under: Featured, TechTalk

Oracle PeopleSoft CVE-2026-35273: CISA KEV Zero-Day Exploited by ShinyHunters Hits Universities — What Canadian Post-Secondary Institutions Must Do Now

What Happened

On June 12, 2026, CISA added CVE-2026-35273 to the Known Exploited Vulnerabilities Catalog, formally confirming active exploitation of a critical zero-day in Oracle PeopleSoft Enterprise PeopleTools. The flaw is a missing authentication vulnerability rated CVSS 9.8. An attacker with network access over HTTP can take full control of a PeopleSoft server without supplying credentials or requiring any interaction from a logged-in user.

Mandiant and Google Threat Intelligence Group confirmed that ShinyHunters — tracked as UNC6240 — exploited this vulnerability between May 27 and June 9, 2026, compromising more than 100 organizations across 300 vulnerable instances. The group targeted higher education almost exclusively: 68 percent of confirmed victims operated in the post-secondary sector. The University of Nottingham confirmed that nearly 455,000 unique email addresses were leaked, including names, home addresses, passport numbers, ethnicity data, and disability details. Oracle published an out-of-band advisory on June 10, and CISA’s KEV addition sets a July 3, 2026 federal remediation deadline.

Why This Matters for Canadian Organizations

PeopleSoft is the dominant enterprise resource planning platform in Canadian post-secondary education. Universities and colleges across Canada use PeopleSoft Human Capital Management, Campus Solutions, and Financials to manage student records, payroll, and financial aid. A successful exploit of CVE-2026-35273 gives an attacker unauthenticated server-level access, which means they can extract complete student and employee databases, modify financial records, and use the server as a pivot point into the broader institutional network.

Under PIPEDA and provincial privacy legislation including Alberta’s PIPA, British Columbia’s PIPA BC, and Ontario’s FIPPA, a breach of this nature — exposing passport numbers, disability status, and home addresses — triggers mandatory breach notification obligations to the Office of the Privacy Commissioner and affected individuals. ShinyHunters operates a double-extortion model: they publish stolen data publicly if ransom demands go unmet, compressing the notification window for institutions. Canadian government departments running PeopleSoft for HR and payroll face the same exposure. The CCCS has not yet issued a formal advisory, but organizations should treat the CISA KEV entry as equivalent guidance.

What to Do

Apply Oracle’s emergency patch for CVE-2026-35273 immediately. Affected versions are PeopleSoft Enterprise PeopleTools 8.61 and 8.62. If patching cannot proceed immediately, take PeopleSoft internet-facing interfaces offline or restrict access to trusted IP ranges at the network perimeter. Rotate all PeopleSoft service account credentials and database passwords as a precaution. Review web server and application logs for HTTP requests consistent with unauthenticated PeopleTools API access between May 27 and June 12. If evidence of unauthorized access exists, notify your privacy officer and begin the breach assessment process required under applicable privacy legislation. All confirmed breaches of personal data at Canadian post-secondary institutions must be assessed against PIPEDA’s “real risk of significant harm” threshold.
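As an added example that is not part of the article, Oracle's guidance, or any vendor tool, the following Python script shows one way to carry out the log review step above: it parses combined-format web server access logs, keeps only requests inside the May 27 to June 12, 2026 window the article names, and flags those that reached PeopleSoft servlet paths from addresses outside the institution's trusted ranges. The sample log lines, the trusted CIDRs and the `/psp/` and `/psc/` path prefixes are assumptions (those prefixes are the standard PeopleSoft Pure Internet Architecture servlet names, but confirm them against your own deployment). The script cannot tell from a path alone whether a request was authenticated, so its output is a candidate list for manual review against application-side logs, not a breach determination.

```python
"""Triage web server access logs for PeopleSoft requests from untrusted
sources during a known exploitation window.

Added example, not code from the article or from Oracle. Everything below
that names a network, path or log line is a constructed assumption.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Exploitation window from the article, treated as UTC (assumption).
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 12, 23, 59, 59, tzinfo=timezone.utc)

# Assumption: the institution's trusted ranges (campus + VPN). Replace with yours.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Assumption: standard PeopleSoft PIA servlet prefixes; adjust to your site.
PEOPLESOFT_PATH = re.compile(r"^/(psp|psc)/")

# Apache / NGINX "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one trusted-source request, two untrusted-source
# requests inside the window, one untrusted request after the window, and
# one untrusted request to a non-PeopleSoft path.
SAMPLE_LOG = """\
10.1.2.3 - - [28/May/2026:09:15:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120
198.51.100.7 - - [03/Jun/2026:02:41:17 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE_COMPONENT.GBL HTTP/1.1" 200 812
198.51.100.7 - - [03/Jun/2026:02:41:19 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE_COMPONENT.GBL HTTP/1.1" 200 22044
203.0.113.9 - - [20/Jun/2026:11:00:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 302 0
198.51.100.7 - - [03/Jun/2026:02:40:55 +0000] "GET /robots.txt HTTP/1.1" 404 196
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_trusted(ip):
    """True if the source address falls inside any trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspect_requests(lines):
    """Requests to PeopleSoft paths, inside the window, from untrusted sources.

    Each hit carries 'succeeded' (status < 400) so reviewers can prioritise
    requests the server actually served over ones it rejected.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not WINDOW_START <= rec["ts"] <= WINDOW_END:
            continue
        if not PEOPLESOFT_PATH.match(rec["path"]):
            continue
        if is_trusted(rec["ip"]):
            continue
        rec["succeeded"] = rec["status"] < 400
        hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address for the review report."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    flagged = find_suspect_requests(SAMPLE_LOG.splitlines())
    for h in flagged:
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
    print("per-source:", summarize_by_source(flagged))
```

Run it against a real log by replacing `SAMPLE_LOG.splitlines()` with a file iterator; requests from a single untrusted address that were served with 2xx responses on PeopleSoft paths are the ones to correlate first with PeopleSoft's own application and security audit logs.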

Original reporting: The Hacker News, BleepingComputer, SecurityWeek
