
Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunters data theft attacks.
The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8.
"This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability," reads a new Oracle advisory.
"This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution."
Oracle has confirmed that the zero-day vulnerability affects PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and has released emergency mitigations to address the flaw, with a patch coming soon.
Zero-day exploited in ShinyHunters data theft attacks
While Oracle has not stated that this vulnerability is actively exploited, its disclosure comes after BleepingComputer first reported that the ShinyHunters extortion gang was exploiting a PeopleSoft zero-day vulnerability to breach instances and steal data.
BleepingComputer has since learned that this is the zero-day exploited in the attacks.
Charles Carmakal, CTO at Mandiant - Google Cloud, also confirmed on LinkedIn that CVE-2026-35273 is actively exploited and stated that Oracle released mitigations for the flaw.
On Tuesday, BleepingComputer learned that Oracle PeopleSoft was targeted in a wave of data theft attacks that left ransom notes purportedly from the ShinyHunters extortion gang.
ShinyHunters is a well-known threat actor that commonly breaches cloud SaaS instances, CRMs, and enterprise platforms that host large volumes of corporate data. After gaining access to an instance, they will download the data and demand a ransom to prevent its public leak.
The group has been linked to numerous high-profile attacks targeting Snowflake, Salesforce, and third-party integration providers over the past year.
ShinyHunters confirmed to BleepingComputer that they are behind these attacks, claiming to use a "gadget chain" of old and zero-day flaws to breach PeopleSoft instances.
Using this flaw, the threat actor allegedly stole data from 300 instances for over 100 organizations.
Cybersecurity researcher "Michael R" found several exposed online directories containing attack-related tooling and shared the following IP addresses used in the attacks.
142.11.200[.]186
142.11.200[.]187
142.11.200[.]188
142.11.200[.]189
142.11.200[.]190
108.174.202[.]99
176.120.22[.]24
If you are running Oracle PeopleSoft, it is strongly advised that you analyze logs for any connections from the above IP addresses to determine whether you were targeted in these attacks.
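One way to run the log check advised above, as an added example that is not code from Oracle, BleepingComputer or the researcher: it refangs the listed indicators and matches them as whole IPv4 tokens, which avoids the false hits a plain substring search produces on near-miss addresses. It assumes logs are text lines that contain client IPv4 addresses somewhere on the line (including a forwarded-for field); the `xff=` field name and all sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators exactly as listed in the article (defanged form).
DEFANGED_IOCS = """
142.11.200[.]186
142.11.200[.]187
142.11.200[.]188
142.11.200[.]189
142.11.200[.]190
108.174.202[.]99
176.120.22[.]24
"""

# IPv4 token that is not part of a longer run of digits and dots, so
# 142.11.200.18 or 142.11.200.1866 can never match 142.11.200.186.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")

def load_iocs(text):
    """Refang '[.]' notation and return a set of validated IPv4Address objects."""
    return {ipaddress.IPv4Address(line.strip().replace("[.]", "."))
            for line in text.splitlines() if line.strip()}

def find_hits(log_lines, iocs):
    """Map each matching indicator to the 1-based log line numbers it appears on."""
    hits = defaultdict(list)
    for lineno, line in enumerate(log_lines, start=1):
        for token in set(IPV4_TOKEN.findall(line)):
            try:
                addr = ipaddress.IPv4Address(token)
            except ipaddress.AddressValueError:
                continue  # out-of-range octets, e.g. 108.174.202.990
            if addr in iocs:
                hits[str(addr)].append(lineno)
    return dict(hits)

# Constructed sample log lines (assumed access-log layout, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /health HTTP/1.1" 200 12',
    '142.11.200.188 - - [01/Jan/2026:10:00:01 +0000] "POST /app HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 90 xff="176.120.22.24, 10.0.0.1"',
    '142.11.200.18 - - [01/Jan/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 90',
    '108.174.202.990 - - [01/Jan/2026:10:00:04 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for ip, lines in sorted(find_hits(SAMPLE_LOG, load_iocs(DEFANGED_IOCS)).items()):
        print(f"{ip}: log lines {lines}")
```

If a reverse proxy or load balancer sits in front of the application, run the check against that tier's logs as well, since the application tier may only record the proxy's address.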
BleepingComputer has reached out to Oracle with questions regarding this vulnerability and the attacks, but has not received a response.
<small>Source: Bleeping Computer</small>