Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
Targeting the education sector
Mandiant released a report confirming that threat actors exploited the Oracle PeopleSoft CVE-2026-35273 vulnerability as a zero-day, primarily targeting organizations in the education sector. The issue is tracked as CVE-2026-35273. “If successfully exploited, this vulnerability may result in remote code execution.” Oracle has confirmed that the zero-day vulnerability affects PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and has released emergency mitigations to address the flaw, with a patch coming soon.
What Happened
Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks.
Oracle has released an out-of-band advisory and security alert for CVE-2026-35273, a critical unauthenticated remote code execution vulnerability impacting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, as well as PeopleSoft Enterprise Applications.
The newly disclosed vulnerability is tracked as CVE-2026-35273, and Oracle says it’s a critical issue that affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.
TrendAI (Trend Micro’s enterprise business), whose researchers have been credited by Oracle for reporting CVE-2026-35273, told SecurityWeek that it’s currently seeing limited exploitation of the vulnerability, but its investigation is ongoing.
“This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” the Oracle advisory reads.
Under the Hood
From a technical standpoint, the vulnerability presents several concerns:
Oracle has not said whether CVE-2026-35273 has been exploited in the wild as a zero-day, but noted in its advisory, “We consider implementation of the recommended mitigations to be a high-priority risk reduction measure and strongly recommend immediate action to address the identified exposure.” BleepingComputer and TechCrunch learned from hackers claiming to be affiliated with the ShinyHunters group that they targeted 300 PeopleSoft instances belonging to more than 100 organizations.
Zero-day exploited in ShinyHunter data theft attacks
While Oracle has not stated that this vulnerability is actively exploited, its disclosure comes after BleepingComputer first reported that the ShinyHunters extortion gang was exploiting a PeopleSoft zero-day vulnerability to breach instances and steal data.
“Most of these organizations were based in the United States, and 68 percent operated within the higher education sector.” Mandiant’s report also shared additional technical details about the attacks, saying the threat actors used the exposed staging servers to host HTTP services and utilized custom MeshCentral remote management agents to communicate with attacker-controlled infrastructure masquerading as Microsoft Azure services.
Fallout
“Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” reads a new Oracle advisory. “If successfully exploited, this vulnerability may result in remote code execution.” Oracle has confirmed that the zero-day vulnerability affects PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and has released emergency mitigations to address the flaw, with a patch coming soon. On Tuesday, BleepingComputer learned that Oracle PeopleSoft was targeted in a wave of data theft attacks that left ransom notes purportedly from the ShinyHunters extortion gang.
Key Dates
| Date | Event |
|------|-------|
| 2026 | Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unau… |
| 2026 | Oracle has released an out-of-band advisory and security alert for CVE-2026-35273, a critical unauthenticated remote … |
| 2026 | The newly disclosed vulnerability is tracked as CVE-2026-35273, and Oracle says it’s a critical issue that affects Pe… |
| 2026 | Oracle has not said whether CVE-2026-35273 has been exploited in the wild as a zero-day, but noted in its advisory, “… |
| 2024 | Dustin Childs, Head of Threat Awareness at TrendAI’s Zero Day Initiative, told SecurityWeek, “Currently, we’re seeing… |
Recommended Actions
- Google has confirmed that a PeopleSoft vulnerability mitigated by Oracle this week has been exploited by ShinyHunters as a zero-day to steal data from organizations.
- The software giant has released mitigations, but patches do not appear to be available.
- The tech giant said some of the targets blocked the attack, but others had their systems compromised and data stolen.
- It appears that only mitigations have been released by Oracle rather than a full patch.
Context
This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure.
Sources
- https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/
- https://www.securityweek.com/google-confirms-exploitation-of-oracle-peoplesoft-zero-day-by-shinyhunters/
- https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/
- https://nvd.nist.gov/vuln/detail/CVE-2026-35273
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35273