Microsoft has released its largest Patch Tuesday security update on record in June 2026, fixing 206 vulnerabilities including 3 zero-day flaws (previously unknown security weaknesses that hackers were actively exploiting). This represents a significant escalation in the frequency of critical security issues across major software platforms, following the Oracle PeopleSoft attacks that targeted universities. Security researchers warn that the wave of zero-day exploits continues even after Microsoft's patches were released, suggesting attackers are developing new attack methods faster than companies can fix them.
A major cybersecurity threat has emerged after hackers exploited a previously unknown vulnerability in Oracle PeopleSoft, software used by colleges and universities to manage student records and other important information. The hacker group ShinyHunters took advantage of this security flaw, known as CVE-2026-35273, to break into multiple educational institutions and steal sensitive data.
PeopleSoft is widely used across higher education institutions to manage everything from student enrollments to financial records. Because the vulnerability had never been discovered or publicly disclosed before, it's classified as a "zero-day" attack—meaning hackers found and exploited it before the software company even knew about the problem. This gave the attackers a significant advantage.
ShinyHunters leveraged this vulnerability to launch what security experts describe as a widespread campaign targeting universities. The hackers were able to gain unauthorized access to campus computer systems, putting sensitive student and employee information at risk. Universities typically store personal details including names, addresses, social security numbers, and academic records in systems like PeopleSoft.
The attacks caught the attention of major technology and cybersecurity organizations. Google confirmed that ShinyHunters was actively exploiting the Oracle flaw, providing independent verification that the threat was genuine and widespread. This confirmation helped alert other institutions using the same software to take defensive action immediately.
Oracle, the company that owns and maintains PeopleSoft, responded quickly to the threat. The company released security patches and updates designed to close the vulnerability and prevent future attacks. These patches are patches—software updates—that fix the security hole that hackers were using to break in. Oracle also provided guidance to its customers about how to protect their systems while installing the fixes.
The incident highlights an ongoing challenge in cybersecurity: hackers are constantly searching for new vulnerabilities that software companies haven't yet discovered. Once a zero-day vulnerability is found and exploited, it can affect many organizations before a fix becomes available. Educational institutions faced particular risk because universities often manage large amounts of student and staff personal information.
Security experts recommend that organizations using Oracle PeopleSoft apply the security patches as soon as possible. This incident demonstrates why keeping software updated and maintaining strong cybersecurity practices are essential for protecting sensitive data. Universities and other institutions are reviewing their security procedures to prevent similar breaches in the future.