On June 10, Oracle pushed an emergency out-of-band fix for CVE-2026-35273, a critical PeopleSoft flaw that the ShinyHunters extortion crew has been quietly using as a zero-day since late May. More than 100 organizations have already been hit and CISA added the bug to its Known Exploited Vulnerabilities catalog on June 12 with a three-day federal patching deadline. Most York County small businesses don't run PeopleSoft themselves — but the universities, hospitals, payroll processors, and government agencies that hold your data often do, and that is the risk to manage this week.
What the bug actually does
CVE-2026-35273 is a critical PeopleSoft Suite zero-day that allows unauthenticated remote code execution, with a CVSS base score of 9.8. In plain English: an attacker on the internet, with no password and no user clicking anything, can take full control of a PeopleSoft server just by sending it traffic.
The flaw sits in PeopleSoft Enterprise PeopleTools. Exploiting it requires no login and no user interaction, only network access to the server over HTTP. If you run PeopleSoft with the Environment Management Hub reachable from outside, that is your exposure, and the immediate move is to lock those endpoints down. Oracle's guidance is to disable the Environment Management Hub service on multi-server setups, or remove the PSEMHUB application outright on single-server setups.
Who is actually getting hit
Google's Mandiant attributes the campaign to the group it tracks as UNC6240 — better known as ShinyHunters — and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.
As of June 10, 2026, ShinyHunters claims to have stolen data from more than 100 organizations by compromising approximately 300 PeopleSoft instances. A confirmed victim, the University of Nottingham, has publicly acknowledged the breach, with 454,600 current and former students' personal and academic records already published on the group's leak site.
Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. Sixty-eight percent were in higher education, most of them in the United States. PeopleSoft also runs HR, payroll, finance, and supply-chain functions at hospitals, large employers, and government agencies — exactly the third parties that hold small-business and employee data.
Why this matters to a small business that doesn't run PeopleSoft
If you're a 20-person firm in York County, you almost certainly don't have a PeopleSoft server. You don't need to. Your payroll processor, your benefits broker, your bank, the college your interns attend, and the health system that holds your employees' insurance data may all run it. When ShinyHunters dumps tens of gigabytes from one of those vendors, your people's Social Security numbers and direct-deposit details get dumped with it.
The pattern this story really highlights is vendor risk. Have I Been Pwned has counted about 455,000 unique email addresses in the leaked set, covering current students and alumni, with names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. Expect the usual follow-on wave: targeted phishing emails to those addresses, fake "benefits update" messages, and fraudulent password-reset attempts against your Microsoft 365 tenant within days. That's what a good managed IT and cybersecurity program watches for after a major third-party dump.
There's also a new CISA rule in play
On June 10, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04, "Prioritizing Security Updates Based on Risk." It only legally binds federal civilian agencies, but it sets the standard everyone else gets judged against — including your cyber-insurance underwriter.
BOD 26-04 sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets. If it meets all four, agencies need to fix it within three days and carry out a "forensic triage" to assess whether their systems were compromised. CVE-2026-35273 was the first bug added to the KEV catalog under the new rules, with a due date of June 15, 2026. Translation: if your MSP can't tell you within 72 hours whether you're exposed to a top-tier KEV bug and whether you've been touched by it, that is now the federal benchmark you're falling short of.
What your MSP should be doing this week
Three things, in order:
1. **Vendor exposure inventory.** Ask your payroll, HR, benefits, and banking vendors in writing whether they run Oracle PeopleSoft PeopleTools 8.61 or 8.62, whether the Environment Management Hub was internet-exposed, and what their forensic-triage findings are. Keep the answers in your file.
2. **Identity-side hardening.** Assume some employee email addresses and phone numbers are already in attacker hands. Enforce phishing-resistant MFA on Microsoft 365, lock down legacy authentication, and turn on impossible-travel and risky-sign-in alerts.
3. **Watch for the follow-on phishing wave.** Brief staff that any "urgent" message about benefits, transcripts, or HR records over the next 30 days should be verified by phone before clicking. This is exactly the kind of repetitive triage work that small AI assistants are good at — flagging suspicious inbound mail, pulling sender reputation, and routing the weird ones to a human.
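To make the BOD 26-04 three-day window and the vendor exposure inventory concrete, here is an added example (not from the article or from CISA) that reads a KEV-shaped record, computes each entry's remediation window and overdue status, and matches it against the answers your vendors sent back. The KEV field names follow CISA's JSON feed; the records and the vendor inventory are constructed sample data, and the second CVE is a placeholder.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as in the real feed).
# The CVE-2026-35273 record is reconstructed from the article; CVE-0000-00000 is a placeholder.
KEV_FEED_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2026-35273", "vendorProject": "Oracle", "product": "PeopleSoft PeopleTools",
     "dateAdded": "2026-06-12", "dueDate": "2026-06-15",
     "requiredAction": "Apply mitigations per vendor instructions and perform forensic triage."},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleCorp", "product": "ExampleApp",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-22",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed vendor inventory: what each third party told us it runs (step 1 above).
VENDOR_INVENTORY = [
    {"vendor": "Payroll Processor A", "products": ["Oracle PeopleSoft PeopleTools 8.62"]},
    {"vendor": "Benefits Broker B", "products": ["ExampleCorp ExampleApp 3.1"]},
    {"vendor": "Bank C", "products": ["SomethingElse 1.0"]},
]

def remediation_window_days(entry):
    """Days CISA allowed between KEV addition and the due date (3 days = the top tier)."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days

def affected_vendors(entry, inventory):
    """Vendors whose declared products name the KEV entry's vendor and product."""
    needle = f'{entry["vendorProject"]} {entry["product"]}'.lower()
    return sorted(v["vendor"] for v in inventory if any(needle in p.lower() for p in v["products"]))

def triage(feed_json, inventory, today_iso):
    """One row per KEV entry: window length, how overdue it is, and which vendors are exposed."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        window = remediation_window_days(entry)
        rows.append({
            "cve": entry["cveID"],
            "window_days": window,
            "top_tier": window <= 3,  # assumption: a 3-day window marks the BOD 26-04 top tier
            "days_past_due": (today - date.fromisoformat(entry["dueDate"])).days,
            "vendors": affected_vendors(entry, inventory),
        })
    # Shortest window first so the three-day items sit at the top of the list.
    return sorted(rows, key=lambda r: (r["window_days"], r["cve"]))

if __name__ == "__main__":
    for row in triage(KEV_FEED_JSON, VENDOR_INVENTORY, "2026-06-17"):
        print(row)
```

Swap the constructed feed for the live KEV JSON and the inventory for your vendors' written answers, and the rows tell you which vendor to chase first and whether the federal deadline has already passed.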
What York businesses should do
York County small businesses don't need to panic about Oracle directly, but you should email every vendor that touches your employee data this week and ask whether they were affected by CVE-2026-35273. If you'd rather not write that letter yourself, York Computer can run the vendor questionnaire and the Microsoft 365 lockdown for you.
Sources
- Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
- ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
- ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
- ShinyHunters Hit Oracle PeopleSoft and Your Vendors May Already Be Compromised
- CISA BOD 26-04: Prioritizing Security Updates Based on Risk
- CISA directive orders agencies to prioritize vulnerability patching in a new way
- CISA Known Exploited Vulnerabilities Catalog