
Oracle mitigates PeopleSoft zero-day exploited in data theft attacks

· 4 min read · SecurityXP Editorial Desk

Mandiant released a report confirming that threat actors exploited the Oracle PeopleSoft CVE-2026-35273 vulnerability as a zero-day, primarily targeting organizations in the education sector. Oracle has confirmed that the zero-day vulnerability affects PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and has released emergency mitigations to address the flaw, with a patch coming soon.

What Happened

Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunters data theft attacks.

Oracle has released an out-of-band advisory and security alert for CVE-2026-35273, a critical unauthenticated remote code execution vulnerability impacting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, as well as PeopleSoft Enterprise Applications.

The newly disclosed vulnerability is tracked as CVE-2026-35273, and Oracle says it’s a critical issue that affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.

TrendAI (Trend Micro’s enterprise business), whose researchers have been credited by Oracle for reporting CVE-2026-35273, told SecurityWeek that it’s currently seeing limited exploitation of the vulnerability, but its investigation is ongoing.

“This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” reads the Oracle advisory.

Under the Hood

From a technical standpoint, the vulnerability presents several concerns:

Oracle has not said whether CVE-2026-35273 has been exploited in the wild as a zero-day, but noted in its advisory, “We consider implementation of the recommended mitigations to be a high-priority risk reduction measure and strongly recommend immediate action to address the identified exposure.”

BleepingComputer and TechCrunch learned from hackers claiming to be affiliated with the ShinyHunters group that they targeted 300 PeopleSoft instances belonging to more than 100 organizations.

While Oracle has not stated that this vulnerability is actively exploited, its disclosure comes after BleepingComputer first reported that the ShinyHunters extortion gang was exploiting a PeopleSoft zero-day vulnerability to breach instances and steal data.

“Most of these organizations were based in the United States, and 68 percent operated within the higher education sector.” Mandiant’s report also shared additional technical details about the attacks, saying the threat actors used the exposed staging servers to host HTTP services and utilized custom MeshCentral remote management agents to communicate with attacker-controlled infrastructure masquerading as Microsoft Azure services.

Fallout

“Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” reads a new Oracle advisory. “If successfully exploited, this vulnerability may result in remote code execution.” On Tuesday, BleepingComputer learned that Oracle PeopleSoft was targeted in a wave of data theft attacks that left ransom notes purportedly from the ShinyHunters extortion gang.

Key Dates

| Date | Event |
|---|---|
| 2026 | Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unau… |
| 2026 | Oracle has released an out-of-band advisory and security alert for CVE-2026-35273, a critical unauthenticated remote … |
| 2026 | The newly disclosed vulnerability is tracked as CVE-2026-35273, and Oracle says it’s a critical issue that affects Pe… |
| 2026 | Oracle has not said whether CVE-2026-35273 has been exploited in the wild as a zero-day, but noted in its advisory, “… |
| 2024 | Dustin Childs, Head of Threat Awareness at TrendAI’s Zero Day Initiative, told SecurityWeek, “Currently, we’re seeing… |

  1. Google has confirmed that a PeopleSoft vulnerability mitigated by Oracle this week has been exploited by ShinyHunters as a zero-day to steal data from organizations.

  2. The software giant has released mitigations, but patches do not appear to be available.

  3. The tech giant said some of the targets blocked the attack, but others had their systems compromised and data stolen.

  4. It appears that only mitigations have been released by Oracle rather than a full patch.

Context

This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure.

Sources

  1. https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
  2. https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/
  3. https://www.securityweek.com/google-confirms-exploitation-of-oracle-peoplesoft-zero-day-by-shinyhunters/
  4. https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/
  5. https://nvd.nist.gov/vuln/detail/CVE-2026-35273
  6. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35273