Oracle patches PeopleSoft zero-day used in data theft attacks

Summary
– Oracle warns of a critical PeopleSoft zero-day, CVE-2026-35273, with a CVSS score of 9.8, allowing unauthenticated remote code execution.
– The vulnerability affects PeopleSoft PeopleTools versions 8.61 and 8.62, and Oracle has released emergency mitigations with a patch pending.
– The ShinyHunters extortion gang is actively exploiting this zero-day, claiming to have stolen data from 300 instances across over 100 organizations.
– Mandiant reports the attacks primarily target the U.S. education sector, using custom MeshCentral agents and staging servers to exfiltrate data.
– Mandiant advises restricting access to vulnerable endpoints, reviewing logs for specific paths, and inspecting servers for webshells or suspicious files.
Oracle has issued an urgent security alert regarding a critical PeopleSoft Suite zero-day vulnerability, designated CVE-2026-35273, which enables unauthenticated remote code execution. The flaw is currently being weaponized in ShinyHunters data theft attacks, putting countless organizations at risk.
The vulnerability resides in Oracle PeopleSoft PeopleTools and carries a CVSS base score of 9.8, marking it as critical. According to Oracle’s advisory, the flaw affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, and the company has released emergency mitigations while a full patch is in development.
“This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” the advisory states. “This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.”
While Oracle’s advisory does not explicitly confirm active exploitation, the disclosure follows BleepingComputer’s initial report that the ShinyHunters extortion gang was leveraging a PeopleSoft zero-day to breach instances and pilfer data. BleepingComputer has since verified that this is indeed the vulnerability being exploited in those attacks.
On Tuesday, BleepingComputer uncovered a wave of data theft attacks targeting Oracle PeopleSoft, with ransom notes attributed to ShinyHunters. This well-known threat actor specializes in breaching cloud SaaS instances, CRMs, and enterprise platforms holding large volumes of corporate data. After gaining access, they exfiltrate the data and demand a ransom to prevent its public exposure.
ShinyHunters has been linked to high-profile attacks on Snowflake, Salesforce, and third-party integration providers in recent months. The group confirmed to BleepingComputer that they are behind the PeopleSoft attacks, claiming to use a “gadget chain” of both old and zero-day flaws to compromise instances. Using this vulnerability, the threat actor allegedly stole data from 300 instances across more than 100 organizations.
Cybersecurity researcher Michael R identified several exposed online directories containing attack-related tooling and shared the following IP addresses used in the assaults: 142.11.200[.]186, 142.11.200[.]187, 142.11.200[.]188, 142.11.200[.]189, 142.11.200[.]190, 108.174.202[.]99, 176.120.22[.]24.
Mandiant released a report confirming that threat actors exploited CVE-2026-35273 as a zero-day, primarily targeting the education sector. “Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints,” Mandiant reported. “Most of these organizations were based in the United States, and 68 percent operated within the higher education sector.”
Mandiant’s report provided additional technical details, noting that attackers used exposed staging servers to host HTTP services and deployed custom MeshCentral remote management agents to communicate with attacker-controlled infrastructure disguised as Microsoft Azure services. The researchers observed threat actors conducting reconnaissance on compromised instances, mapping PeopleSoft and WebLogic configurations, and using scripts to move laterally across internal systems with stolen or hardcoded credentials.
The attackers compressed exfiltrated data and ultimately connected to a server at 176.120.22.24, which is linked to the public ShinyHunters data leak site, confirming the group’s involvement.
Mandiant advised organizations to restrict access to vulnerable PeopleSoft endpoints, review logs for suspicious requests targeting /PSEMHUB/ and /PSIGW/HttpListeningConnector, and inspect servers for signs of compromise, including:
- Unexpected .jsp webshell files in WebLogic application directories
- Unauthorized files or binaries staged in PSEMHUB transaction folders
- Suspicious directories such as logs, persistantstorage, or scratchpad
- Recently modified XML files that could maintain persistence or trigger remote code execution after a restart
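As an added illustration of the log-review advice above (this is not code from the article, Oracle or Mandiant), the following Python script triages constructed access-log lines: it flags requests to the two paths named by Mandiant and cross-checks the client IP against the addresses reported earlier in the article. The Apache/WebLogic-style log format and the sample lines are assumptions.

```python
import re
# Assumed log format: Apache/WebLogic-style access log (client IP, timestamp, request line, status).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Endpoints Mandiant advised reviewing logs for, as named in the article.
SUSPICIOUS_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Attacker IPs reported in the article, with the defanging brackets removed.
KNOWN_IOC_IPS = {"142.11.200.186", "142.11.200.187", "142.11.200.188", "142.11.200.189",
                 "142.11.200.190", "108.174.202.99", "176.120.22.24"}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def triage(lines):
    """Return (reasons, record) pairs for the lines an analyst should look at."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than silently matched
        reasons = []
        # Match on the path only (query string dropped), case-insensitively.
        path = rec["path"].split("?", 1)[0].upper()
        if any(path.startswith(p.upper()) for p in SUSPICIOUS_PATHS):
            reasons.append("sensitive-endpoint")
        if rec["ip"] in KNOWN_IOC_IPS:
            reasons.append("known-ioc-ip")
        if reasons:
            hits.append((reasons, rec))
    return hits

# Constructed sample lines: a benign portal request, a POST to the integration
# gateway listener, a probe of /PSEMHUB/ from a reported IP, and one junk line.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123
203.0.113.7 - - [12/May/2026:10:02:15 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 412
142.11.200.186 - - [12/May/2026:10:03:44 +0000] "GET /PSEMHUB/example HTTP/1.1" 404 221
not an access log line
"""

if __name__ == "__main__":
    for reasons, rec in triage(SAMPLE_LOG.splitlines()):
        print(",".join(reasons), rec["ip"], rec["method"], rec["path"], rec["status"])
```

A hit on a sensitive endpoint is a starting point for review, not proof of compromise; legitimate integrations also use /PSIGW/HttpListeningConnector, so correlate with source, timing and the file-system indicators listed above.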
This attack wave follows ShinyHunters’ recent massive breach of Instructure Canvas, which resulted in the theft of 280 million data records for students, teachers, and staff. Instructure later paid a ransom to prevent the data from being leaked.
BleepingComputer has reached out to Oracle for comment on the vulnerability and the attacks but has not yet received a response.
(Source: BleepingComputer)