ShinyHunters exploited CVE-2026-35273, a critical Oracle PeopleSoft zero-day, to compromise more than 100 organizations. We wanted to understand how much of that exposure was detectable using only data we already hold. Only IPinfo’s passive web intelligence.
This post walks through the methodology, the signals we found, and what the results show about the scale of the problem.
Why this is hard
PeopleSoft is almost never deployed on a root domain. Real instances live on subdomains. Think [org]-hr.example.edu or hcm.[agency].gov. Standard domain-level intelligence misses them entirely. We had to get creative.
The methodology
Our scrape pipeline covers around 17.5M domains per day. It stores page titles, response headers, redirect chains, and raw HTML bodies. We applied four fingerprinting techniques, each more powerful than the last.
Step 1. Title matching on scraped root domains. We queried for PeopleSoft sign-in page titles ("Oracle | PeopleSoft Enterprise Sign-in"). This gave us a handful of confirmed instances. Most were consulting firm websites and phishing clones, not real deployments.
Step 2. HTTP header fingerprinting. The stored response headers surfaced two PeopleSoft-specific signals. The respondingwithsignonpage: true header and PSJSESSIONID session cookies. Both are emitted exclusively by PeopleSoft’s web tier. This signal is precise. It is still limited to root domains.
Step 3. URL redirect fingerprinting. This is the most reliable root-domain signal. PeopleSoft’s login URL structure is unmistakable: /psp/[instance]/[portal]/[node]/?cmd=login&languageCd=. Domains that redirect to this pattern are definitively PeopleSoft portals. There are zero false positives.
Step 4. Full HTML body scan for linked PeopleSoft URLs. This was the breakthrough. We scanned the raw HTML bodies of all 17.5M scraped pages for outbound links matching the PeopleSoft URL pattern. University and government homepages routinely link to their HR or student portals. Those links expose actual PeopleSoft subdomain hostnames that would never appear in top-level domain data.
Signal quality
| Signal | Coverage | False positives |
|---|---|---|
| Page title match | Low, root domains only | High |
HTTP header fingerprint (PSJSESSIONID, respondingwithsignonpage) |
Low, root domains only | None |
Redirect URL pattern (cmd=login&languageCd=) |
Low, root domains only | None |
| HTML body link extraction | High, finds subdomain portals | None |
The header and redirect signals are highly precise. They only catch the rare case where PeopleSoft is deployed directly on a root domain. The HTML body scan is what unlocks the long tail of real-world deployments.
What we found
From a single day’s scrape partition, the HTML body scan surfaced 24 unique PeopleSoft instance hostnames across 16 distinct organizations. We then resolved DNS and enriched each result with IPinfo’s IP to Company and ASN data.
The sector breakdown aligns closely with Google’s threat intelligence report. That report noted that 68% of the 100+ compromised organizations were in higher education.
Hosting distribution
Instances running on their own ASN are the most directly identifiable. These are universities and government agencies. They are also least shielded by CDN or cloud infrastructure. They tend to manage the most sensitive data: student records, payroll, HR systems, and citizen billing.
Geographic spread
The exposed instances span five continents. The US accounts for the majority. This is consistent with PeopleSoft’s strongest adoption market.
- North America. US universities, US municipal and state governments, a Canadian university, a Mexican technical college.
- Europe. A Belgian retailer.
- Asia. A Singaporean polytechnic, an Indonesian university, a Saudi school system.
- Africa. A South African university.
What this demonstrates
Passive web intelligence can surface real infrastructure exposure without sending a single packet to a target. It is built from daily scraping, header collection, and HTML archiving. The combination of URL pattern matching and link graph analysis reaches subdomains that conventional domain-level enrichment cannot.
For defenders, this same methodology can be used to audit your own exposure. For researchers, it shows how much signal is latent in large-scale web data when the right fingerprints are known.
Note: Specific hostnames and IP addresses have been withheld from this post. If you believe your organization may be affected, apply Oracle’s published mitigation guidance immediately and monitor for signs of lateral movement. CVE-2026-35273 carries a CVSS score of 9.8 and allows remote unauthenticated compromise.





