Enterprise software giant Oracle has issued an urgent warning about a critical zero-day vulnerability affecting its PeopleSoft platform. Tracked as CVE-2026-35273, the flaw has been actively exploited in real-world attacks, enabling threat actors to gain unauthorized access to vulnerable systems and steal sensitive data.
Security experts warn that the vulnerability allows unauthenticated remote code execution, meaning attackers can execute malicious code on affected servers without needing valid login credentials. Such access could lead to data theft, system compromise, and broader intrusion into enterprise networks.
Critical Risk Assessment in PeopleTools
According to Oracle, the vulnerability impacts PeopleSoft PeopleTools versions 8.61 and 8.62. The flaw carries a CVSS severity score of 9.8 out of 10, placing it in the critical category. While a permanent security update is being prepared, Oracle has released emergency mitigation measures and urged customers to implement them immediately.
The disclosure comes amid reports of a large-scale data theft campaign targeting organizations running vulnerable PeopleSoft environments. Investigations indicate that the notorious cybercriminal group ShinyHunters has been exploiting the zero-day flaw to gain access to enterprise systems. The group reportedly claimed it used a chain of both known and previously undisclosed vulnerabilities to compromise PeopleSoft instances.
Infiltration and Data Extortion Operations
According to reports, attackers infiltrated numerous servers, downloaded sensitive information, and later attempted to extort victims by threatening to publish the stolen data. It has been alleged that nearly 300 PeopleSoft instances were affected during the campaign and that data belonging to more than 100 organizations may have been exposed. While these claims have not been independently verified in all cases, cybersecurity experts view the incident as one of the most significant enterprise software security events of the year.
ShinyHunters has been linked to several high-profile data theft operations in recent years. The threat group is known for targeting cloud services, customer relationship management platforms, and enterprise systems that store large volumes of sensitive corporate information. After obtaining access, attackers typically exfiltrate data and demand ransom payments in exchange for withholding public disclosure.
Custom Tooling and Lateral Movement
Researchers investigating the attacks also identified suspicious internet infrastructure and IP addresses allegedly associated with the campaign. Additional analysis revealed that threat actors deployed customized remote management tools on compromised systems, disguising them as legitimate services. These tools enabled attackers to maintain persistence and move laterally across internal networks, expanding their access to additional resources.
Investigations further revealed that higher education institutions were among the most heavily targeted organizations. Following reports of active exploitation, warnings were reportedly sent to more than 100 organizations worldwide believed to be at risk. Available information suggests that a significant portion of the affected entities were universities and academic institutions in the United States, highlighting the education sector as a primary focus of the campaign.
Urgent Network Perimeter Defenses
A researcher at Algoritha Security said the incident demonstrates how a single critical vulnerability in an enterprise application can result in large-scale data breaches. The expert noted that organizations exposing critical systems to the internet should regularly review security configurations, apply updates promptly, and strengthen access-control policies.
Cybersecurity professionals have advised affected organizations to immediately restrict access to sensitive PeopleSoft endpoints, examine logs for suspicious activity, and conduct comprehensive reviews of potentially compromised systems. Implementing Oracle’s recommended mitigation measures and deploying the official patch as soon as it becomes available are considered essential steps in reducing risk.
The incident serves as another reminder that zero-day vulnerabilities remain among the most dangerous threats facing enterprises today. As cybercriminal groups continue to exploit newly discovered flaws before patches are widely deployed, proactive security monitoring and rapid response measures remain critical to defending organizational networks and sensitive data.