    Oracle mitigates PeopleSoft zero-day exploited in data theft attacks

    By admin | June 11, 2026

    Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunters data theft attacks.

    The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8.

    “This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” reads a new Oracle advisory.

    “This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.”

    Oracle has confirmed that the zero-day vulnerability affects PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and has released emergency mitigations to address the flaw, with a patch coming soon.

    Zero-day exploited in ShinyHunters data theft attacks

    While Oracle has not stated that this vulnerability is actively exploited, its disclosure comes after BleepingComputer first reported that the ShinyHunters extortion gang was exploiting a PeopleSoft zero-day vulnerability to breach instances and steal data.

    BleepingComputer has since learned that this is the zero-day exploited in the attacks.

    On Tuesday, BleepingComputer learned that Oracle PeopleSoft was targeted in a wave of data theft attacks that left ransom notes purportedly from the ShinyHunters extortion gang.

    ShinyHunters is a well-known threat actor that commonly breaches cloud SaaS instances, CRMs, and enterprise platforms that host large volumes of corporate data. After gaining access to an instance, they will download the data and demand a ransom to prevent its public leak.

    The group has been linked to numerous high-profile attacks targeting Snowflake, Salesforce, and third-party integration providers over the past year.

    ShinyHunters confirmed to BleepingComputer that they are behind these attacks, claiming to use a “gadget chain” of old and zero-day flaws to breach PeopleSoft instances.

    Using this flaw, the threat actor allegedly stole data from 300 instances belonging to more than 100 organizations.

    Cybersecurity researcher “Michael R” found several exposed online directories containing attack-related tooling and shared the following IP addresses used in the attacks.

    

    After BleepingComputer published this article, Mandiant released a report confirming that threat actors exploited the Oracle PeopleSoft CVE-2026-35273 vulnerability as a zero-day, primarily targeting organizations in the education sector.

    “Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints,” Mandiant reported.

    “Most of these organizations were based in the United States, and 68 percent operated within the higher education sector.”

    Mandiant’s report also shared additional technical details about the attacks, including the use of customized MeshCentral remote management agents disguised as Microsoft Azure services and infrastructure used to stage tools and manage compromised systems.

    The researchers said the threat actors conducted reconnaissance on compromised networks, mapped PeopleSoft and WebLogic configurations, and used scripts to move laterally across internal systems.

    Mandiant advised organizations to immediately restrict access to sensitive PeopleSoft endpoints tied to the exploit chain, review logs for suspicious requests targeting /PSEMHUB/ and /PSIGW/HttpListeningConnector, and inspect systems for signs of webshells, unauthorized files, or other indicators of compromise.
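
    One way to carry out the log review described above, as an added example that is not from Oracle, Mandiant, or the original article. It assumes web access logs in Common/Combined Log Format; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoints named in the log-review advice, lowercased for matching.
WATCHED = ("/psemhub/", "/psigw/httplisteningconnector")

# Assumption: Common/Combined Log Format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Jun/2026:03:14:07 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jun/2026:03:14:09 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Jun/2026:03:14:11 +0000] "GET /%50SEMHUB/hub HTTP/1.1" 500 0',
    '198.51.100.23 - - [10/Jun/2026:03:15:02 +0000] "GET //psemhub/ HTTP/1.1" 404 -',
    'truncated or malformed line',
]

def normalise_path(target):
    """Drop the query string, undo up to two layers of percent-encoding,
    collapse repeated slashes and lowercase, so path variants compare equal."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return re.sub(r"/{2,}", "/", path).lower()

def find_hits(lines):
    """Map client IP -> [(timestamp, method, path, status)] for watched paths."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in practice
        path = normalise_path(m["target"])
        if (path.rstrip("/") + "/").startswith(WATCHED):
            hits[m["ip"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)

def summarise(hits):
    """Return (ip, request_count, any_non_error_response), busiest client first."""
    rows = [(ip, len(v), any(s < 400 for *_, s in v)) for ip, v in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for ip, count, served in summarise(find_hits(SAMPLE)):
        print(f"{ip}\t{count} request(s)\tnon-error response: {served}")
```

    Clients that received a non-error response from either endpoint are the ones to prioritise when inspecting hosts for webshells and unauthorized files.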

    BleepingComputer has reached out to Oracle with questions about the vulnerability and the attacks but has not received a response.

