Home / The Long Read / Research
Long Read

Oracle PeopleSoft zero-day (CVE-2026-35273): how one HR platform breached 100-plus organisations

A single Oracle PeopleSoft zero-day let the ShinyHunters group breach more than 100 organisations, from the University of Nottingham to Nissan. The lesson for third-party risk teams is concentration risk: shared vendor software turns one flaw into many incidents at once.

Oracle PeopleSoft zero-day (CVE-2026-35273): how one HR platform breached 100-plus organisations
TL;DR

A single Oracle PeopleSoft zero-day let the ShinyHunters group breach more than 100 organisations, from the University of Nottingham to Nissan. The lesson for third-party risk teams is concentration risk: shared vendor software turns one flaw into many incidents at once.

Payroll software is supposed to be boring. In mid-2026, one such system became the way into more than 100 organisations at the same time. Attackers exploited a single zero-day in Oracle PeopleSoft, the platform that runs payroll, tax and personnel records for thousands of large employers, and used it to steal data from victims as different as the University of Nottingham, the carmaker Nissan and the United States National Association of Insurance Commissioners (NAIC). No single security team was beaten in isolation. They shared one dependency, and the flaw sat in the dependency. That is concentration risk, and it is why this is one third-party story rather than a hundred separate breaches.

Oracle PeopleSoft zero-day (CVE-2026-35273): the situation at a glance One shared HR and payroll platform, one flaw, more than 100 breached organisations, mid-2026. 1. A silent zero-day window silent window: attacks run before any fix exists 27 May 2026 Exploitation begins 9 June 2026 Observed window ends; 100+ orgs Mid-June 2026 Oracle discloses CVE + mitigations Late June 2026 Disclosures + leaks 2. One flaw, many downstream victims (concentration risk) ShinyHunters extortion group exploits Oracle PeopleSoft PeopleTools (shared vendor software) CVE-2026-35273 (zero-day) University of Nottingham 450,000+ students affected Nissan employee data, four countries NAIC US insurance regulatory body 100+ organisations 300+ instances (per ShinyHunters) Concentration risk: when many organisations, and their suppliers, run the same vendor product, one flaw becomes everyone's incident at once. Sources: Mandiant, Oracle, BleepingComputer. Draft diagram for Breach Wire, Supplier Shield.

What happened

The flaw, tracked as CVE-2026-35273, sits in Oracle PeopleSoft PeopleTools, the framework layer common to PeopleSoft deployments. Google's Mandiant confirmed it was exploited as a zero-day, which means the attacks ran before any fix existed, and dated the activity it observed to between 27 May and 9 June 2026. Only afterwards did Oracle disclose the vulnerability and release emergency mitigations. In that window the extortion group ShinyHunters worked at scale. It told BleepingComputer it had reached more than 300 PeopleSoft instances across roughly 100 organizations, targeting both cloud-hosted and on-premises systems, and Mandiant said it notified more than 100 affected bodies.

The downstream list keeps growing. In filings with the California Attorney General, Oracle told customers that the personnel records of hundreds of companies may have been taken. Nissan, which runs employee payroll and tax data on PeopleSoft, said current and former staff in the United States, Canada, Mexico and Brazil were affected. The University of Nottingham breach touches more than 450,000 students, according to BleepingComputer. NAIC, which detected unauthorised access on 11 June 2026, says the stolen material was mostly public filings, outdated logs and configuration files, and disputes the attacker's wider claims. Most of the victims were in the education sector, which relies heavily on PeopleSoft for student and staff systems.

Why it matters for third-party risk

Strip away the names and the pattern is plain. Thousands of organisations, and many of their suppliers, run the same product from the same vendor. A vulnerability in that product is not one company's problem. It is a correlated failure across everyone who runs it, set off on the vendor's schedule rather than yours.

Vendor registers rarely capture this. Oracle shows up as a single row, tagged as a payroll or HR provider. What the row does not show is how many critical processes ride on PeopleSoft inside your own walls, how many of your suppliers run it too, and how quickly Oracle can ship a fix when a zero-day lands. For firms in scope of the EU Digital Operational Resilience Act (DORA) or the NIS2 directive, that blind spot is now a supervisory matter as well as a security one, since both regimes ask organisations to understand ICT concentration and their fourth-party dependencies. This incident is a clean example of the risk those rules are aimed at.

Why the vendor register missed it A single row hides a shared dependency. That gap is where concentration risk lives. What the register shows 'Oracle' = one line item tagged: HR / payroll vendor one risk owner, annual review What is actually true PeopleSoft underpins payroll, HR and student records used by you, your peers, and your suppliers What the zero-day does CVE-2026-35273 triggers a correlated failure across all of them at the same time, on the vendor's timeline The fix Map shared-platform dependencies Monitor vendor patch speed The register gap, in one line: You can list a vendor without knowing how many critical processes, yours and your suppliers', sit on top of its software. DORA and NIS2 both push firms to close exactly this blind spot: ICT concentration and fourth-party dependency. Draft diagram for Breach Wire, Supplier Shield.

What teams should take from it

Three moves are worth making now. First, map shared platforms: tag which internal systems and which suppliers depend on the same core software, especially ERP, HR and identity, so you can estimate a blast radius the moment an advisory appears rather than days later. Second, treat vendor patch speed as a measured control. Know in advance how each critical supplier discloses and remediates a zero-day, because that response time sets the size of your exposure window. Third, rehearse the shared-platform scenario in a tabletop exercise: a core vendor has an unpatched, actively exploited flaw, and the team has to decide who is accountable, what can be isolated, and what to tell staff whose payroll data is at risk.

For third-party risk teams, this is where continuous vendor monitoring proves more useful than a once-a-year questionnaire, because the risk here changed in days, not quarters.

FAQ

What is CVE-2026-35273?

It is a zero-day vulnerability in Oracle PeopleSoft PeopleTools, the framework shared across PeopleSoft deployments. Mandiant says it was exploited between 27 May and 9 June 2026, before a patch existed. Oracle has since disclosed the flaw and issued emergency mitigations.

Why is this a third-party incident and not a normal breach?

Because the victims were compromised through a shared piece of vendor software, not through their own bespoke systems. One provider's flaw exposed many downstream customers at the same time, which is the defining feature of software supply-chain and ICT concentration risk.

What should organisations running PeopleSoft do now?

Apply Oracle's mitigations and updates for CVE-2026-35273, hunt for signs of unauthorised access dating back to late May 2026, and map which business processes and suppliers depend on the platform so the potential impact is clear.

What to do next

Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

Read next

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

One email platform run by KDDI exposed the logins of up to 14.2 million customers across six Japanese internet providers. The lesson for third-party risk teams is concentration and fourth-party risk: many brands on one shared supplier system, breached through a third-party software flaw.

Read article
iRhythm breach: how patient data left through third-party-hosted business apps

iRhythm breach: how patient data left through third-party-hosted business apps

Cardiac-monitoring firm iRhythm says attackers took patient health data, proprietary data and personal information from third-party-hosted business applications, not from its clinical systems. For third-party risk teams the lesson is that regulated data often lives with a vendor, and that is where it leaves.

Read article
Klue OAuth breach: how one connected app exposed CRM data at Huntress, Jamf and other customers

Klue OAuth breach: how one connected app exposed CRM data at Huntress, Jamf and other customers

The Icarus extortion group stole the OAuth tokens Klue held for its customers and used them to take data from those customers' own Salesforce and Gong accounts. For third-party risk teams the lesson is fourth-party risk: a connected SaaS app can turn a supplier's breach into your data loss.

Read article
Oracle PeopleSoft zero-day breaches 100+ organisations | Breach Wire | Supplier Shield