
ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations

Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.

On June 10, 2026, Oracle issued an emergency advisory for CVE‑2026‑35273 (PeopleSoft PeopleTools, CVSS 9.8) following active exploitation by ShinyHunters/UNC6240 between May 27 and June 9. On June 23, NAIC confirmed unauthorized access, while the group claims 3.1 TB exfiltrated and 100+ organizations targeted.

Key facts

According to Google/Mandiant, vulnerable PeopleSoft endpoints were targeted, with leaks posted as early as June 9 on ShinyHunters’ data leak site. NAIC reports compromise detected on June 11 via PeopleSoft. Oracle released a patch on June 10. Attacks and postings spanned May 27 to June 26, 2026.

Legal and regulatory context

The GDPR obligations framework (Articles 32–34) requires appropriate security measures, swift assessment, notification to the authority within 72 hours, and communication to data subjects when risk is high. Exfiltrated logs, scripts, and configs may contain personal data.

Under NIS 2 and its Luxembourg transposition, essential/important entities must notify a significant incident (early warning < 24h, notification within 72h, final report within one month), especially when a production HR/finance ERP is affected.

In financial services, DORA and CSSF expectations demand robust ICT risk governance, strong vulnerability management, and proven response and recovery capabilities.

What this changes for Luxembourg organizations

  • Immediate risk for IT/security teams operating PeopleSoft or exposed ERPs in the EU: exploitation occurred pre‑patch; leaked configs/logs/scripts facilitate re‑intrusions, extortion, and fraud.
  • NIS 2 entities should assume exposure if PeopleSoft portals were Internet‑accessible between May 27 and June 10, and promptly launch IoC checks.
  • Tight deadlines: GDPR notifications (72h) and NIS 2 (early warning < 24h, notification 72h) to be coordinated with local authorities and sectoral regulators.

Concrete actions to take this week

  • Apply Oracle’s patch for CVE‑2026‑35273, isolate any Internet‑exposed PeopleSoft portal, harden WAF/egress, disable legacy technical accounts, rotate all integration keys/secrets.
  • Run targeted threat hunting for the May 27–June 10 window: SSRF/RCE artifacts, PeopleTools endpoints, archiving/upload tools, reverse‑proxy logs, and abnormal access to file stores/S3‑compatible buckets. Document evidence and timelines.
  • Prepare compliance and communications: activate the GDPR/NIS 2 incident plan and draft the early warning and the notification now, so they can be filed as soon as the facts are established. For ongoing detection and response, rely on a managed SOC.
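The hunting step above asks for a review of reverse-proxy logs over the May 27–June 10 window and for documented evidence and timelines. The script below is an added example, not Luxgap's or Oracle's code: it parses reverse-proxy lines in combined log format, keeps only requests that fall inside that window and target PeopleSoft paths, flags writes (POST/PUT) and unusually large responses, and renders the hits as a timeline for the incident record. The URL prefixes (`/psp/`, `/psc/`, `/psigw/`), the 100 MiB size threshold, the UTC window boundaries and the sample log lines are all assumptions or constructed data; replace them with your deployment's real paths, your own IoCs and your actual proxy logs.

```python
import re
from datetime import datetime, timezone

# Hunting window taken from the article: pre-patch exploitation from May 27
# through June 10, 2026. UTC is assumed; the end bound is exclusive.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 11, tzinfo=timezone.utc)

# Assumed URL prefixes of a PeopleSoft web deployment; adjust to your site.
PEOPLESOFT_PREFIXES = ("/psp/", "/psc/", "/psigw/")

# Responses at or above this size are treated as possible bulk exports (assumed threshold).
LARGE_RESPONSE_BYTES = 100 * 1024 * 1024

# One combined-log-format line as written by a typical reverse proxy (nginx/Apache).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def in_window(ts):
    """True when the timestamp lies inside the exploitation window."""
    return WINDOW_START <= ts < WINDOW_END


def classify(rec):
    """Return a reason string if the request deserves analyst attention, else None."""
    if not in_window(rec["ts"]):
        return None
    if not rec["path"].startswith(PEOPLESOFT_PREFIXES):
        return None
    if rec["method"] in ("POST", "PUT"):
        return "write to PeopleSoft endpoint inside exploitation window"
    if rec["size"] >= LARGE_RESPONSE_BYTES:
        return "large response from PeopleSoft endpoint (possible bulk export)"
    return None


def hunt(lines):
    """Parse every line, keep the flagged requests, and return them sorted by time."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            rec["reason"] = reason
            findings.append(rec)
    findings.sort(key=lambda r: r["ts"])
    return findings


def timeline(findings):
    """Render findings one per line, ISO timestamp first, for the evidence record."""
    return [
        f'{r["ts"].isoformat()} {r["ip"]} {r["method"]} {r["path"]} '
        f'{r["status"]} {r["size"]}B - {r["reason"]}'
        for r in findings
    ]


# Constructed sample lines (RFC 5737 documentation addresses, made-up component names);
# not real traffic and not IoCs from the campaign.
SAMPLE_LOG = """\
198.51.100.7 - - [20/May/2026:09:12:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 4523
203.0.113.5 - - [30/May/2026:02:14:07 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/SAMPLE.CONFIG.GBL HTTP/1.1" 200 812
203.0.113.5 - - [02/Jun/2026:03:40:55 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/SAMPLE.EXPORT.GBL HTTP/1.1" 200 2400000000
198.51.100.7 - - [05/Jun/2026:11:02:13 +0000] "GET /static/logo.png HTTP/1.1" 200 1200
198.51.100.9 - - [15/Jun/2026:08:00:00 +0000] "POST /psp/ps/EMPLOYEE/HRMS/c/SAMPLE.PAGE.GBL HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for entry in timeline(hunt(SAMPLE_LOG.splitlines())):
        print(entry)
```

On the constructed sample, only the May 30 write and the June 2 large download are reported; the May 20 request predates the window, the static asset is not a PeopleSoft path, and the June 15 write falls after the patch date, which is exactly the kind of post-patch activity that belongs in a separate, wider hunt once the initial window has been cleared. Run it against exported proxy logs with `hunt(open(path).read().splitlines())` and paste the `timeline()` output straight into the incident record.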

Note

This article covers the Oracle PeopleSoft (CVE‑2026‑35273) campaign and the NAIC breach disclosed in the week of June 22–29, 2026; it does not overlap with prior incidents.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
