Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8): ShinyHunters Exploit Zero-Day to Breach University Student Records at Scale

A critical zero-day vulnerability in Oracle PeopleSoft Campus Solutions — CVE-2026-35273, CVSS 9.8 — has been exploited by the ShinyHunters threat group to breach student record systems at multiple universities across the US, UK, and Australia. The flaw allows unauthenticated attackers to bypass authentication in the PeopleSoft web application layer, granting direct access to student enrolment, financial aid, and academic records.


Oracle has released an emergency out-of-band security alert for CVE-2026-35273, a critical authentication bypass in PeopleSoft Campus Solutions that has been actively exploited by the ShinyHunters threat group against higher education institutions. The vulnerability, rated CVSS 9.8, requires no authentication and provides direct access to student information systems that hold enrolment data, financial aid records, academic transcripts, student Social Security numbers, and financial account information.

At least twelve universities across the United States, United Kingdom, and Australia have been identified as victims in the ongoing campaign, which Oracle and Mandiant assess began on or before 9 June 2026. ShinyHunters — responsible for the 2026 Council of Europe breach and repeated education sector targeting — has listed multiple institutional victim datasets on criminal forums, with samples containing several hundred thousand student records apiece.

Vulnerability Details

CVE-2026-35273 is located in PeopleSoft’s PIA (PeopleSoft Internet Architecture) web tier, specifically in the authentication token validation routine for the Campus Community module. An attacker who sends a specially crafted HTTP request to a publicly accessible PeopleSoft PIA endpoint can bypass the token validation check entirely, receiving a valid authenticated session for an administrative-level user account without supplying credentials.

The vulnerability is exploitable against PeopleSoft Campus Solutions 9.2 via any internet-accessible PIA node. Because PeopleSoft is commonly deployed with PIA nodes behind load balancers and reverse proxies, organisations may assume they are not exposed because the administrative back-end is not reachable from the internet. Exploitation does not require access to the administrative back-end at all, only to the standard PIA web interface that students and staff use for self-service access.

Affected versions: PeopleSoft PeopleTools 8.54 through 8.60 (all patch bundles up to and including June 2026 Critical Patch Update).
Fix: Emergency patch delivered via Oracle Support (Doc ID 2026-35273.8) — separate from the quarterly Critical Patch Update cycle.

Why Higher Education Is a Persistent Target

University PeopleSoft deployments aggregate an unusually sensitive data combination: Social Security numbers collected for federal financial aid (FAFSA), financial account details for tuition payment and refund processing, academic records including grade manipulation risk, and health insurance enrolment data for student plans. The breadth of personally identifiable information in a single platform makes breaches of campus student information systems disproportionately valuable for identity fraud operations.

ShinyHunters has consistently targeted higher education since its Infinite Campus campaign in March 2026, and this Oracle PeopleSoft exploitation continues a strategy of identifying shared enterprise SIS (Student Information System) platforms with broad university adoption, exploiting a single vulnerability to compromise multiple institutions simultaneously through a coordinated campaign rather than individually targeting each institution.

FERPA (Family Educational Rights and Privacy Act) obligations in the United States require institutions to notify affected students of breaches involving educational records. In the UK, university student records typically include special category data under GDPR, triggering 72-hour supervisory authority notification requirements for institutions that determine exploitation occurred.

Detection and Assessment

Institutions running PeopleSoft Campus Solutions should:

  • Search web access logs for the PIA application tier for unexpected high-volume GET requests to PeopleCode pages within the Campus Community module, particularly between 9 June and today — ShinyHunters typically stages exfiltration via bulk HTTP requests to student record export functions
  • Check PeopleSoft audit logging (PS_AUDIT_ACTN table or equivalent) for authentication events where the operator ID does not correspond to a session that passed through your identity provider
  • Review PIA error logs for authentication bypass indicators — Oracle’s security alert includes specific log patterns and request signatures associated with CVE-2026-35273 exploitation
  • Engage Oracle Support to request the forensic analysis tool published alongside the emergency patch, which scans the PIA tier for IOCs
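The first two checks above, as an added triage script that is not part of Oracle's alert or this article: it parses PIA web access logs for bursts of successful GETs to Campus Community pages from one source, and flags PeopleSoft login audit records with no matching identity-provider session. The log lines, the CAMPUS_COMMUNITY.EXPORT_PLACEHOLDER component name, operator IDs, IdP session records, and the window/threshold values are all constructed assumptions; only the overall /psp/.../c/MENU.COMPONENT.GBL URL shape is the standard PIA form.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed PIA access-log lines (Combined Log Format). The /psp/.../c/MENU.COMPONENT.GBL
# shape is the standard PIA URL form; component names, IPs and timestamps are placeholders.
ACCESS_LOG = """\
203.0.113.7 - - [10/Jun/2026:02:14:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/CAMPUS_COMMUNITY.EXPORT_PLACEHOLDER.GBL?EMPLID=1001 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2026:02:14:03 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/CAMPUS_COMMUNITY.EXPORT_PLACEHOLDER.GBL?EMPLID=1002 HTTP/1.1" 200 5088
203.0.113.7 - - [10/Jun/2026:02:14:04 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/CAMPUS_COMMUNITY.EXPORT_PLACEHOLDER.GBL?EMPLID=1003 HTTP/1.1" 200 5101
198.51.100.4 - - [10/Jun/2026:09:30:00 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/CAMPUS_COMMUNITY.EXPORT_PLACEHOLDER.GBL?EMPLID=2001 HTTP/1.1" 200 5077
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_access_log(text):
    """Yield (ip, timestamp, method, path, status) from Combined-Log-Format lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def bulk_campus_gets(text, window=timedelta(minutes=5), threshold=3, marker="/c/CAMPUS_COMMUNITY."):
    """ip -> hit count for sources with >= threshold successful GETs to Campus Community pages in any sliding window."""
    times = defaultdict(list)
    for ip, ts, method, path, status in parse_access_log(text):
        if method == "GET" and status == 200 and marker in path:
            times[ip].append(ts)
    flagged = {}
    for ip, seen in times.items():
        seen.sort()
        start = 0
        for end, t in enumerate(seen):
            while t - seen[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(seen)
                break
    return flagged

# Constructed (operator id, login time) audit rows and IdP session times. PS_AUDIT_ACTN is
# named in the article; this flat layout is a placeholder for whatever your export produces.
AUDIT_LOGINS = [("PSADMIN", "2026-06-10T02:13:55"), ("ALICE01", "2026-06-10T08:59:30")]
IDP_SESSIONS = {"ALICE01": ["2026-06-10T08:59:12"]}

def orphan_audit_logins(audit=AUDIT_LOGINS, idp=IDP_SESSIONS, slack=timedelta(minutes=2)):
    """Operator IDs whose PeopleSoft login has no IdP session within `slack` before it."""
    orphans = []
    for opr, when in audit:
        t = datetime.fromisoformat(when)
        if not any(timedelta(0) <= t - datetime.fromisoformat(s) <= slack for s in idp.get(opr, [])):
            orphans.append(opr)
    return orphans
```

Tune the window and threshold to your own traffic baseline before treating a hit as evidence; an orphan operator ID is a lead for the forensic review, not attribution on its own.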

Regulatory Obligations

US institutions: FERPA notification to affected students is required when education records are disclosed without authorisation. Contact the Department of Education’s Student Privacy Policy Office for breach reporting guidance. Financial aid data exposure may also trigger Title IV compliance review.

UK institutions: notify the ICO within 72 hours of becoming aware of a personal data breach. Student records containing financial data likely qualify as significant harm under ICO’s breach severity framework.

Australian universities: notify the OAIC under the Notifiable Data Breaches scheme; the Australian Cyber Security Centre (ACSC) has also issued an alert advising immediate patching.

  • Apply the Oracle emergency patch immediately — Oracle Doc ID 2026-35273.8 is available via My Oracle Support; do not wait for the July 2026 quarterly CPU
  • Restrict PIA internet exposure immediately while the patch is applied — if operationally feasible, temporarily restrict external access to the PIA tier to on-campus IP ranges via upstream load balancer or firewall configuration
  • Conduct a forensic log review covering the period from 9 June to today — treat any unexplained administrative sessions during this period as indicative of exploitation
  • Notify legal and compliance teams immediately — breach notification timelines under FERPA, GDPR, and NDB begin from when the institution reasonably suspects compromise, not from confirmed attribution
  • Engage your cyber insurance carrier — incident costs for higher education PeopleSoft breaches may trigger coverage; notify early as insurers often require involvement in containment decisions
