THREATNOIR
Subscribe
Back to Feed
VulnerabilitiesJun 11, 2026

Oracle mitigates PeopleSoft zero-day exploited in data theft attacks

Oracle PeopleSoft zero-day (CVE-2026-35273) exploited by ShinyHunters for data theft.

Read at source

Summary

Oracle has issued a warning about a critical zero-day vulnerability, CVE-2026-35273, in PeopleSoft PeopleTools that allows unauthenticated remote code execution. This flaw has been actively exploited by the ShinyHunters threat actor in data theft attacks, targeting over 100 organizations and impacting approximately 300 instances. Oracle has released emergency mitigations and is preparing a patch.

Full text

Oracle mitigates PeopleSoft zero-day exploited in data theft attacks By Lawrence Abrams June 11, 2026 03:39 PM 0 Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks. The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8. "This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability," reads a new Oracle advisory. "This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution." Oracle has confirmed that the zero-day vulnerability affects PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and has released emergency mitigations to address the flaw, with a patch coming soon. Zero-day exploited in ShinyHunter data theft attacks While Oracle has not stated that this vulnerability is actively exploited, its disclosure comes after BleepingComputer first reported that the ShinyHunters extortion gang was exploiting a PeopleSoft zero-day vulnerability to breach instances and steal data. BleepingComputer has since learned that this is the zero-day exploited in the attacks. Charles Carmakal, CTO at Mandiant - Google Cloud, also confirmed on LinkedIn that CVE-2026-35273 is actively exploited and stated that Oracle released mitigations for the flaw. On Tuesday, BleepingComputer learned that Oracle PeopleSoft was targeted in a wave of data theft attacks that left ransom notes purportedly from the ShinyHunters extortion gang. ShinyHunters is a well-known threat actor that commonly breaches cloud SaaS instances, CRMs, and enterprise platforms that host large volumes of corporate data. After gaining access to an instance, they will download the data and demand a ransom to prevent its public leak. The group has been linked to numerous high-profile attacks targeting SnowFlake, Salesforce, and third-party integration providers over the past year. ShinyHunters confirmed to BleepingComputer that they are behind these attacks, claiming to use a "gadget chain" of old and zero-day flaws to breach PeopleSoft instances. Using this flaw, the threat actor allegedly stole data from 300 instances for over 100 organizations. Cybersecurity researcher "Michael R" found several exposed online directories containing attack-related tooling and shared the following IP addresses used in the attacks. 142.11.200[.]186 142.11.200[.]187 142.11.200[.]188 142.11.200[.]189 142.11.200[.]190 108.174.202[.]99 176.120.22[.]24 If you are running Oracle PeopleSoft, it is strongly advised that you analyze logs for any connections from the above IP addresses to determine whether you were targeted in these attacks. BleepingComputer has reached out to Oracle with questions regarding this vulnerability and the attacks, but has not received a response. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Oracle PeopleSoft servers hacked in ShinyHunters data theft attacksIvanti warns of new actively exploited MobileIron zero-day bugCheck Point links VPN zero-day attacks to Qilin ransomware gangCISA flags two-year-old Oracle flaw as actively exploited in attacksGoogle fixes one actively exploited Android zero-day, 124 flaws

Indicators of Compromise

  • cve — CVE-2026-35273
  • ip — 142.11.200.186
  • ip — 142.11.200.187
  • ip — 142.11.200.188
  • ip — 142.11.200.189
  • ip — 142.11.200.190
  • ip — 108.174.202.99
  • ip — 176.120.22.24

Entities

PeopleSoft PeopleTools (product)Oracle (vendor)ShinyHunters (threat_actor)ShinyHunter data theft attacks (campaign)Google Cloud (vendor)PeopleSoft Enterprise PeopleTools (product)