Oracle Mitigates Critical PeopleSoft Zero-Day Exploited by ShinyHunters in Data Theft Campaign

Oracle has issued an emergency mitigation for a critical zero-day vulnerability in its PeopleSoft suite after the ShinyHunters extortion gang exploited the flaw to breach more than 300 instances and steal data from over 100 organizations.

The vulnerability, tracked as CVE-2026-35273, carries a CVSS base score of 9.8 and resides within Oracle PeopleSoft PeopleTools. It allows unauthenticated remote code execution, meaning attackers can compromise an exposed system without valid credentials.

"This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution," Oracle said in a security advisory.

The flaw affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Oracle said emergency mitigations are now available, with a full patch forthcoming.

Although Oracle's advisory did not explicitly acknowledge active exploitation, Charles Carmakal, CTO at Mandiant — Google Cloud, confirmed on LinkedIn that CVE-2026-35273 is being actively exploited and that Oracle had released mitigations for the flaw.

ShinyHunters confirmed to BleepingComputer that the group is behind the attacks, describing its method as a "gadget chain" combining older vulnerabilities with the newly disclosed zero-day to gain entry into PeopleSoft instances. Once inside, the group downloads corporate data and issues ransom demands threatening public disclosure.

The threat actor is well known for targeting cloud SaaS platforms, CRM systems, and enterprise applications that hold large volumes of sensitive corporate data. ShinyHunters has previously been linked to attacks on Snowflake, Salesforce, and third-party integration providers.

Cybersecurity researcher "Michael R" identified several exposed online directories containing attack-related tooling and disclosed a set of IP addresses associated with the campaign. Organizations running PeopleSoft are advised to review their logs for connections from those addresses to determine whether they were targeted.

The IP addresses flagged include 142.11.200[.]186 through 142.11.200[.]190, as well as 108.174.202[.]99 and 176.120.22[.]24.
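As an added example (not code from the article or from the researcher's disclosure), the script below refangs the indicators listed above and scans web-server access-log lines for requests from those addresses. It assumes NCSA common/combined log lines; the sample lines and their request paths are constructed for illustration.

```python
import ipaddress
import re

# Indicators as quoted in the article, in defanged form.
INDICATORS_DEFANGED = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190",
    "108.174.202[.]99", "176.120.22[.]24",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 142.11.200[.]186 back into a parseable address."""
    return indicator.replace("[.]", ".")


INDICATOR_SET = {ipaddress.ip_address(refang(i)) for i in INDICATORS_DEFANGED}

# NCSA common/combined format: client ip, ident, user, [timestamp], "request", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log lines (assumption: the front end logs in this format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:08:01:12 +0000] "GET /psp/ps/ HTTP/1.1" 200 4521
142.11.200.188 - - [12/May/2026:08:02:41 +0000] "POST /psc/ps/ HTTP/1.1" 200 318
203.0.113.7 - - [12/May/2026:08:03:09 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 2210
176.120.22.24 - - [12/May/2026:08:04:55 +0000] "GET /psp/ps/ HTTP/1.1" 302 0
"""


def find_indicator_hits(log_text: str) -> list:
    """Return one dict per log line whose client address matches a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; skip rather than abort the whole scan
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not an IP literal (e.g. a hostname from resolved logs)
        if src in INDICATOR_SET:
            hits.append({"ip": str(src), "timestamp": m["ts"],
                         "request": m["req"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_indicator_hits(SAMPLE_LOG):
        print(hit)
```

If the PeopleSoft web tier sits behind a load balancer or reverse proxy, the logged client field is the proxy's address; match on the forwarded-client header your front end records instead.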

The scale of the campaign — data allegedly stolen from more than 100 organizations across more than 300 compromised instances — underscores the exposure risk for enterprise platforms that have not yet applied available mitigations.

Oracle did not respond to requests for additional comment on the vulnerability or the scope of the attacks.

With a patch still pending, security teams running affected PeopleSoft versions face a narrow window to apply Oracle's interim mitigations, audit network logs, and assess whether their environments were among those targeted in the campaign.