Oracle mitigates PeopleSoft zero-day exploited in data theft attacks

Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks.

The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8.

“This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” reads a new Oracle advisory.

“This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.”

Oracle has confirmed that the zero-day vulnerability affects PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and has released emergency mitigations to address the flaw, with a patch coming soon.

Zero-day exploited in ShinyHunter data theft attacks

While Oracle has not stated that this vulnerability is actively exploited, its disclosure comes after BleepingComputer first reported that the ShinyHunters extortion gang was exploiting a PeopleSoft zero-day vulnerability to breach instances and steal data.

BleepingComputer has since learned that this is the zero-day exploited in the attacks.

On Tuesday, BleepingComputer learned that Oracle PeopleSoft was targeted in a wave of data theft attacks that left ransom notes purportedly from the ShinyHunters extortion gang.

ShinyHunters is a well-known threat actor that commonly breaches cloud SaaS instances, CRMs, and enterprise platforms that host large volumes of corporate data. After gaining access to an instance, they will download the data and demand a ransom to prevent its public leak.

The group has been linked to numerous high-profile attacks targeting SnowFlake, Salesforce, and third-party integration providers over the past year.

ShinyHunters confirmed to BleepingComputer that they are behind these attacks, claiming to use a “gadget chain” of old and zero-day flaws to breach PeopleSoft instances.

Using this flaw, the threat actor allegedly stole data from 300 instances for over 100 organizations.

Cybersecurity researcher “Michael R” found several exposed online directories containing attack-related tooling and shared the following IP addresses used in the attacks.

142.11.200[.]186
142.11.200[.]187
142.11.200[.]188
142.11.200[.]189
142.11.200[.]190
108.174.202[.]99
176.120.22[.]24

Targeting the education sector

Mandiant released a report confirming that threat actors exploited the Oracle PeopleSoft CVE-2026-35273 vulnerability as a zero-day, primarily targeting organizations in the education sector.

“Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints,” Mandiant reported.

“Most of these organizations were based in the United States, and 68 percent operated within the higher education sector.”

Mandiant’s report also shared additional technical details about the attacks, saying the threat actors used the exposed staging servers to host HTTP services and utilized custom MeshCentral remote management agents to communicate with attacker-controlled infrastructure masquerading as Microsoft Azure services.

The researchers said the threat actors conducted reconnaissance on compromised instances, mapped PeopleSoft and WebLogic configurations, and used scripts to laterally move across internal systems using stolen or hardcoded credentials.

Mandiant also said the attackers compressed exfiltrated data and ultimately connected to a server at 176.120.22.24, which is associated with the public ShinyHunters data leak site, helping link the activity to the extortion group.

As part of its guidance, Mandiant advised organizations to restrict access to vulnerable PeopleSoft endpoints, review logs for suspicious requests targeting /PSEMHUB/ and /PSIGW/HttpListeningConnector, and inspect servers for signs of compromise, including:

• Unexpected .jsp webshell files in WebLogic application directories
• Unauthorized files or binaries staged in PSEMHUB transaction folders
• Suspicious directories such as logs, persistantstorage, or scratchpad
• Recently modified XML files that could be used to maintain persistence or trigger remote code execution after a restart

ShinyHunters recently targeted the education sector in a massive cyberattack on Instructure Canvas that allowed them to steal 280 million data records for students, teachers, and staff. Instructure later paid a ransom to prevent the leaking of the stolen data.

BleepingComputer has reached out to Oracle with questions about the vulnerability and the attacks but has not received a response.