Oracle's emergency response is a mitigation, not the full patch administrators want, and it lands after a PeopleSoft zero-day was linked to live ShinyHunters data theft attacks.

PeopleSoft Zero-Day Exposes Firms, Oracle Has No Patch
XOOMAR Intelligence
Analyst Take
The flaw, tracked as CVE-2026-35273, sits in Oracle PeopleSoft PeopleTools and allows unauthenticated remote code execution, according to BleepingComputer. Oracle assigned it a CVSS base score of 9.8 and said affected customers should act now while a patch is still pending.
Oracle issues mitigations, not a full patch, for CVE-2026-35273
Oracle said the vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. PeopleSoft Enterprise Applications customers may also be affected.
The company’s advisory is blunt about the technical risk.
"This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution."
That combination is the nightmare version of an enterprise software bug. No valid username. No stolen password required. If the system is exposed and vulnerable, the attacker may be able to run code remotely.
Oracle has released emergency mitigations for the flaw. BleepingComputer reports that a patch is coming soon, which means administrators are operating in the uncomfortable gap between public disclosure and a complete fix.
The tension is clear:
- Expected: A critical enterprise zero-day gets a patch before widespread public detail.
- Reality: Oracle has issued mitigations while reports tie the flaw to active data theft.
- Immediate risk: Exposed PeopleSoft systems now become urgent review targets.
- Unknown: Oracle has not publicly confirmed exploitation in its advisory.
BleepingComputer said it first reported that the ShinyHunters extortion gang was exploiting a PeopleSoft zero-day to breach instances and steal data. It later learned that the exploited flaw is CVE-2026-35273.
Charles Carmakal, CTO at Mandiant, Google Cloud, also confirmed on LinkedIn that the vulnerability is being actively exploited and said Oracle had released mitigations.
Unauthenticated PeopleSoft RCE puts HR, payroll, finance and campus systems in the blast radius
PeopleSoft matters because it sits close to an organization’s most sensitive operational data. SecurityWeek describes it as an integrated ERP suite used by large organizations for HR, payroll, finance, supply chain and campus operations.
That makes this zero-day attractive to a data theft crew. A compromised PeopleSoft environment can contain employee records, payroll information, financial workflows, student data or internal administrative records, depending on how an organization uses it.
ShinyHunters claimed to BleepingComputer that it used a "gadget chain" of old and zero-day flaws to breach PeopleSoft instances. The group also claimed it stole data from 300 instances across more than 100 organizations.
Oracle has not said in its public advisory that CVE-2026-35273 is being exploited in the wild. That silence matters, but it doesn’t erase the reporting from BleepingComputer or the confirmation from Carmakal.
This is where enterprise risk gets ugly. The official vendor language says mitigation. The threat reporting says active exploitation. Security teams have to respond to the second reality, not wait for the first one to get more detailed.
For readers tracking adjacent vulnerability coverage, XOOMAR has also covered "4-Hour BitLocker Zero-Day Opens Windows SYSTEM Shell" and "Langflow Flaw Lets Hackers Write Files on AI Servers." The common thread is exposure speed: once a practical path exists, defenders lose time fast.
ShinyHunters link turns a software flaw into an extortion problem
BleepingComputer describes ShinyHunters as a threat actor known for breaching cloud SaaS instances, CRMs and enterprise platforms that store large volumes of corporate data. After access, the group downloads data and demands payment to prevent public leaks.
The group has been linked to attacks targeting Snowflake, Salesforce and third-party integration providers over the past year, according to the same report.
That history matters because the PeopleSoft activity appears to follow the same commercial logic. The target isn’t just the server. It’s the data behind the server.
BleepingComputer reported Tuesday that Oracle PeopleSoft was hit in a wave of data theft attacks that left ransom notes purportedly from ShinyHunters. ShinyHunters later confirmed to BleepingComputer that it was behind the attacks.
SecurityWeek reported that the education sector was hit hardest and that the University of Nottingham is one of the victims. The university has confirmed it suffered a significant data breach, according to SecurityWeek.
A researcher identified as "Michael R" found exposed online directories containing attack-related tooling and shared IP addresses used in the attacks. BleepingComputer advised PeopleSoft customers to check logs for connections from those IPs:
142.11.200[.]186
142.11.200[.]187
142.11.200[.]188
142.11.200[.]189
142.11.200[.]190
108.174.202[.]99
176.120.22[.]24
That is the most concrete hunting lead in the public reporting so far.
PeopleSoft admins have a narrow window before copycat pressure builds
The immediate action is not subtle. Organizations running Oracle PeopleSoft should review Oracle’s advisory, apply the emergency mitigations and check whether they run affected PeopleTools 8.61 or 8.62 deployments.
BleepingComputer specifically advises customers to analyze logs for connections from the listed IP addresses to determine whether they were targeted. That should be the starting point, not the finish line.
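A log sweep for the addresses listed above, as an added example that is not code from BleepingComputer, Oracle or this article's authors. It assumes plain-text access logs carrying IPv4 addresses; the sample lines and `/placeholder` paths are constructed. It compares whole addresses, so `176.120.22.240` is not mistaken for `176.120.22.24`, and it checks every address on a line, so a client IP forwarded by a proxy or load balancer is still caught.

```python
import ipaddress
import re

# Indicators exactly as published on this page, in defanged form.
DEFANGED_IOCS = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190",
    "108.174.202[.]99", "176.120.22[.]24",
]

def refang(indicator):
    """Turn a defanged indicator (1.2.3[.]4) back into a parsed IP address."""
    return ipaddress.ip_address(indicator.replace("[.]", ".").strip())

IOCS = frozenset(refang(i) for i in DEFANGED_IOCS)
# Candidate IPv4 tokens; lookarounds stop a match inside a longer dotted number.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def hunt(lines):
    """Return (line_number, matched_ip, line) for every line naming an IoC.

    Every IPv4 token on the line is checked, not only the first field, so an
    address recorded in a forwarded-for field is matched as well.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in IPV4_TOKEN.findall(line):
            try:
                address = ipaddress.ip_address(token)
            except ValueError:  # token such as 999.1.1.1 is not an address
                continue
            if address in IOCS:
                hits.append((number, str(address), line.rstrip()))
    return hits

# Constructed sample log lines (not real traffic); the log layout is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /placeholder HTTP/1.1" 200 512',
    '142.11.200.188 - - [01/Jan/2026:10:00:05 +0000] "POST /placeholder HTTP/1.1" 200 90',
    '10.0.0.5 - - [01/Jan/2026:10:00:09 +0000] "GET /placeholder HTTP/1.1" 200 77 "176.120.22.24"',
    '176.120.22.240 - - [01/Jan/2026:10:00:12 +0000] "GET /placeholder HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, ip, line in hunt(SAMPLE_LOG):
        print(f"line {number}: {ip}: {line}")
```

A hit shows contact from a listed address, not compromise; a clean result only covers the log files and retention window that were searched.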
Oracle has not provided full public technical detail in the advisory. That restraint is normal for a live critical flaw because more detail can help defenders and attackers at the same time.
The practical question now is whether mitigation closes enough of the attack path until Oracle ships the patch. If exposed PeopleSoft instances remain reachable and unmitigated, ShinyHunters may not be the only actor interested for long.
BleepingComputer said it contacted Oracle with questions about the vulnerability and the attacks but had not received a response. SecurityWeek also said Oracle had not responded by the time of writing.
The next signals to watch are specific: Oracle’s full patch timing, any new technical indicators, confirmation of additional victims and whether other threat groups start using CVE-2026-35273 now that the flaw is public. For now, the safest assumption for exposed PeopleSoft systems is that mitigation is urgent and log review can’t wait.
Impact Analysis
- The flaw allows unauthenticated remote code execution in affected PeopleSoft PeopleTools systems.
- Oracle has released mitigations, but a full patch is still pending.
- Reported exploitation tied to ShinyHunters means exposed enterprise systems need immediate review.
Oracle PeopleSoft Response Status
| Item | Status | Implication |
|---|---|---|
| Emergency mitigations | Released | Administrators have temporary defenses to apply immediately. |
| Full patch | Pending | Systems remain in a higher-risk window until a complete fix is available. |
| Exploitation | Reported by BleepingComputer | ShinyHunters-linked data theft attacks raise urgency for exposed PeopleSoft instances. |
Sources
- [1] BleepingComputer
- [2] Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks
- [3] Oracle PeopleSoft PeopleTools Zero-Day (CVE-2026-35273) Actively Exploited: Urgent Patch Required to Prevent Ransomware and Data Breaches
- [4] ShinyHunters Exploits Oracle PeopleSoft Zero-Day, 100+ Orgs Hit
Written by
XOOMAR Insights Team
Research and Editorial Desk