Oracle Patches Critical PeopleSoft Zero-Day (CVE-2026-35273) Amid Active Attacks by ShinyHunters Extortion Group

Oracle Rushes Emergency Patch for PeopleSoft Zero-Day Exploited by ShinyHunters

Severity: CRITICAL | Published: June 11, 2026 | Categories: Vulnerability, Threat Actor, Cyberattack

Related Entities

Threat Actors: ShinyHunters
Organizations: Oracle, Mandiant, Trend Micro
Products & Tech: PeopleSoft
Other: University of Nottingham
CVE Identifiers: CVE-2026-35273 (CRITICAL)

Full Report

Executive Summary

Oracle has issued an out-of-band security alert and patch for a critical zero-day vulnerability, CVE-2026-35273, in its PeopleSoft PeopleTools enterprise software. The flaw can be exploited remotely without authentication and leads to remote code execution (RCE) on the PeopleTools server. The emergency release was prompted by active in-the-wild exploitation attributed to the ShinyHunters extortion group, which claims to have breached over 100 organizations, many of them in the education sector, by chaining this zero-day with other vulnerabilities to steal large volumes of data for extortion. Organizations running PeopleSoft PeopleTools 8.61 or 8.62 are urged to apply the patch immediately.


Vulnerability Details

  • CVE ID: CVE-2026-35273
  • Product: Oracle PeopleSoft PeopleTools, versions 8.61 and 8.62
  • Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
  • Severity: Critical (Oracle had not published a CVSS score at the time of writing; an unauthenticated, network-reachable RCE typically scores 9.8 on the CVSS 3.x scale)

The vulnerability allows a remote attacker, without needing any credentials, to execute arbitrary code on a vulnerable PeopleSoft server. This effectively gives the attacker full control over the server, allowing them to steal data, install additional malware, or pivot deeper into the victim's network.

Exploitation Status

The vulnerability is a zero-day confirmed to be exploited in the wild. ShinyHunters is using the flaw as one link in an exploit chain (described in reporting as a "gadget chain"), combining it with other vulnerabilities to compromise PeopleSoft servers. Mandiant's CTO has publicly confirmed the active attacks. ShinyHunters claims to have breached more than 300 instances at over 100 organizations, with a heavy focus on universities.

One confirmed victim, the University of Nottingham, acknowledged a cybersecurity incident; ShinyHunters later claimed to have published gigabytes of stolen student data from it.

Impact Assessment

The impact of this vulnerability is critical. Successful exploitation gives attackers complete control of the PeopleSoft server, which often houses vast amounts of sensitive employee, financial, and student data. For a university, this could mean the exposure of student grades, financial aid information, and personal details for hundreds of thousands of individuals. For a corporation, it could expose payroll, HR records, and other critical business data. The consequences include massive data breaches, regulatory fines, and significant operational disruption.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to identify compromised systems:

  • Process Name: MeshCentral.exe. Attackers have been observed dropping MeshCentral agents for persistent remote access post-exploitation.
  • File Path: exposed web directories. Search web-accessible directories for attack tools, credential spraying scripts, or ransom notes left by the attackers.
  • Command Line Pattern: powershell.exe -enc ... Look for encoded PowerShell commands used for credential spraying or lateral movement, often a follow-on action after initial compromise.
  • Log Source: PeopleSoft application server logs (and the web tier access logs in front of them). Monitor for anomalous requests or error messages that could indicate exploitation attempts against the PeopleTools application server.

Detection & Response

Immediate action is required for all organizations running vulnerable PeopleSoft versions.

  1. Apply the Patch: The top priority is to apply the out-of-band patch provided by Oracle for CVE-2026-35273. Treat it as an emergency software update rather than waiting for the next quarterly Critical Patch Update cycle.
  2. Hunt for Compromise: Since the vulnerability is actively exploited, patching is not enough; it closes the door but does not evict an attacker who already has a foothold. Assume the environment may already be compromised and use the observables above to hunt: suspicious processes, unexpected outbound network connections, and files created in web directories during the exposure window.
  3. Credential Reset: If any sign of compromise is found, assume every credential on the affected server, including the database and integration credentials configured on the application server, and potentially on related systems, has been stolen. Initiate a full reset of administrative and service account credentials.
  4. Network Isolation: Restrict access to the PeopleSoft management interface; it should not be exposed to the public internet. Use a firewall or security group to limit access to trusted internal IP addresses. Note the caveat: the flaw is unauthenticated and the report does not limit it to an administrative interface, so if the affected PeopleTools component is reachable through the same internet-facing web tier that students or employees use, IP restrictions on management URLs alone do not close the exposure, and patching remains the only complete fix.
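As an added example (not code from the original report, nor from Oracle, Mandiant or Trend Micro), the script below turns the hunting hints above and step 2 of this list into something runnable over exported endpoint telemetry. It assumes two tab-separated export formats (a process inventory of host, pid, image path, command line; and a file listing of host, path, modification time), assumes the web-tier document roots listed in WEB_ROOTS, and runs on constructed sample data embedded inline. The encoded PowerShell blob in the sample decodes to "whoami"; the point is that an analyst should review the decoded command, not just match on the base64.

```python
"""Hunt script over exported endpoint telemetry for the patterns listed above.

Added example (not part of the original report). Assumed inputs: a process
inventory as tab-separated "host, pid, image_path, command_line" lines and a
file listing as "host, path, mtime_iso8601" lines, both exported from your
EDR or collected with a script; the sample data below is constructed.
"""
import base64
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed web-tier document roots (PS_CFG_HOME/webserv on a default install;
# adjust to your layout). Compared after path normalisation to lower case.
WEB_ROOTS = ("/opt/psft/webserv/", "c:/psft/webserv/")
# Extensions with no business appearing as *new* files under a web root.
TOOL_EXTS = (".ps1", ".bat", ".exe", ".dll", ".py", ".sh", ".jsp", ".txt")
# The report names the dropped remote-access binary as MeshCentral.exe.
RAT_NAMES = ("meshcentral.exe",)
# Hunt window: start a day before Oracle's out-of-band fix (June 10, 2026 in
# the timeline); widen it to cover your own exposure window.
WINDOW_START = datetime(2026, 6, 9)

# powershell[.exe] ... -e/-ec/-enc/-encodedcommand <base64>
ENC_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


def decode_encoded_powershell(blob: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE string; decode it so the
    analyst sees the real command, not an opaque blob."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-16-le", errors="replace")


def hunt_processes(lines):
    """Flag MeshCentral agents and encoded PowerShell in a process inventory."""
    findings = []
    for line in lines:
        host, pid, image, cmdline = line.rstrip("\n").split("\t", 3)
        image_name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image_name in RAT_NAMES:
            findings.append(Finding(host, "rat_agent", f"pid {pid}: {image}"))
        m = ENC_PS.search(cmdline)
        if m:
            decoded = decode_encoded_powershell(m.group(1)).strip()
            findings.append(Finding(host, "encoded_powershell", f"pid {pid}: {decoded}"))
    return findings


def hunt_web_files(lines):
    """Flag tool/script/note files written under a web root inside the window."""
    findings = []
    for line in lines:
        host, path, mtime = line.rstrip("\n").split("\t", 2)
        norm = path.replace("\\", "/").lower()
        if not norm.startswith(WEB_ROOTS):
            continue
        if datetime.fromisoformat(mtime) < WINDOW_START:
            continue
        if norm.endswith(TOOL_EXTS):
            findings.append(Finding(host, "new_web_file", f"{path} ({mtime})"))
    return findings


# Constructed sample telemetry: one compromised web-tier host, one clean app host.
SAMPLE_PROCESSES = [
    "ps-web01\t4412\tC:\\ProgramData\\Mesh Agent\\MeshCentral.exe\tMeshCentral.exe -run",
    "ps-web01\t5120\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA",
    "ps-app02\t1001\t/opt/psft/pt/8.62/bin/psappsrv\tpsappsrv",
]
SAMPLE_FILES = [
    "ps-web01\tC:\\psft\\webserv\\peoplesoft\\applications\\peoplesoft\\PORTAL.war\\spray.ps1\t2026-06-10T03:14:00",
    "ps-web01\tC:\\psft\\webserv\\peoplesoft\\applications\\peoplesoft\\PORTAL.war\\READ_ME.txt\t2026-06-10T03:20:00",
    "ps-web01\tC:\\psft\\webserv\\peoplesoft\\applications\\peoplesoft\\PORTAL.war\\signon.html\t2025-11-02T09:00:00",
    "ps-app02\t/opt/psft/pt/8.62/appserv/APPDOM/LOGS/APPSRV_0610.LOG\t2026-06-10T05:00:00",
]


def run_hunt(process_lines=SAMPLE_PROCESSES, file_lines=SAMPLE_FILES):
    """Run both hunts and return the combined findings."""
    return hunt_processes(process_lines) + hunt_web_files(file_lines)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f.host}\t{f.kind}\t{f.detail}")
```

Point it at real exports (`hunt_processes(open("procs.tsv"))`, `hunt_web_files(open("files.tsv"))`), widen WINDOW_START to your actual exposure window, and treat TOOL_EXTS as a starting point: a PeopleSoft web root legitimately holds some of these extensions, so the modification-time filter is what keeps the noise down, and your own baseline should decide the final list.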

Mitigation

Beyond the immediate patch, long-term mitigation strategies include:

  • M1035 - Limit Access to Resource Over Network: Never expose administrative interfaces of enterprise applications like PeopleSoft directly to the internet. Access should be restricted via VPN or a secure bastion host.
  • M1030 - Network Segmentation: Segment the network to isolate critical application servers like PeopleSoft from the general corporate network, limiting the potential for lateral movement.
  • M1049 - Antivirus/Antimalware: Deploy EDR and antivirus solutions on all servers to detect and block post-exploitation tools like MeshCentral and malicious scripts.

Timeline of Events

  1. June 10, 2026: Oracle releases an out-of-band security alert and patch for CVE-2026-35273.
  2. June 11, 2026: This article was published.

MITRE ATT&CK Mitigations

  • M1051 - Update Software: The most critical action is to apply the emergency patch from Oracle immediately.
  • M1035 - Limit Access to Resource Over Network: Do not expose PeopleSoft administrative interfaces to the public internet. Restrict access to a trusted set of internal IPs.
  • M1047 - Audit: After patching, thoroughly audit server logs (application, web server, OS) for any signs of compromise dating back to before the patch was applied.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: Oracle, PeopleSoft, Zero-Day, CVE-2026-35273, ShinyHunters, RCE, Vulnerability
