Oracle PeopleSoft Zero-Day Actively Exploited by ShinyHunters in Data Theft Attacks
A critical zero-day vulnerability, **CVE-2026-35273**, in **Oracle PeopleSoft PeopleTools** is being actively exploited by the **ShinyHunters** extortion group. This flaw, with a CVSS score of 9.8, allows unauthenticated remote code execution and has been leveraged to breach hundreds of organizations, predominantly in the education sector, for data theft.

**Oracle** has issued a security alert regarding a critical zero-day vulnerability, tracked as **CVE-2026-35273**, affecting its **PeopleSoft Suite**. The flaw, residing within **Oracle PeopleSoft PeopleTools**, carries a **CVSS base score of 9.8** and enables unauthenticated remote code execution. Disturbingly, the vulnerability is confirmed to be actively exploited in the wild by the notorious **ShinyHunters** group in data theft campaigns.
"This Security Alert addresses vulnerability **CVE-2026-35273** in **Oracle PeopleSoft PeopleTools**. **Oracle PeopleSoft Enterprise Applications** customers may also be affected by this vulnerability," states a recent advisory from Oracle. The company further warns, "This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution."
**Oracle** has confirmed that the zero-day impacts **PeopleSoft Enterprise PeopleTools**, specifically versions 8.61 and 8.62. Emergency mitigations have been released, with a full patch anticipated soon.
## Zero-Day Exploited in ShinyHunters Data Theft Attacks
While **Oracle** initially did not explicitly state active exploitation, the disclosure follows reports of the **ShinyHunters** extortion gang leveraging a **PeopleSoft** zero-day to breach instances and exfiltrate data. It has since been confirmed that **CVE-2026-35273** is the vulnerability being exploited in these attacks.
**ShinyHunters** is a well-known threat actor specializing in breaching cloud SaaS instances, CRMs, and enterprise platforms to steal large volumes of corporate data. After gaining access, the group typically downloads the data and demands a ransom to prevent its public release. The group has been linked to high-profile attacks targeting **Snowflake**, **Salesforce**, and various third-party integration providers.
**ShinyHunters** confirmed their involvement, claiming to use a "gadget chain" of both old and zero-day flaws to compromise **PeopleSoft** instances. The threat actor claims to have stolen data from approximately 300 instances belonging to over 100 organizations.
Cybersecurity researchers identified several exposed online directories containing attack-related tooling. The following IP addresses were associated with the attacks:
## Targeting the Education Sector
**Mandiant** released a report confirming the exploitation of **CVE-2026-35273** as a zero-day, with a significant focus on organizations within the education sector.
"Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints," **Mandiant** reported. "Most of these organizations were based in the United States, and 68 percent operated within the higher education sector."
**Mandiant's** report provided further technical details, noting that threat actors used exposed staging servers to host HTTP services and deployed custom **MeshCentral** remote management agents. These agents communicated with attacker-controlled infrastructure, which was disguised as **Microsoft Azure** services.
The researchers observed the threat actors conducting reconnaissance on compromised instances, mapping **PeopleSoft** and **WebLogic** configurations, and using scripts for lateral movement across internal systems with stolen or hardcoded credentials. **Mandiant** also noted that exfiltrated data was compressed and ultimately connected to a server at `176.120.22.24`, a known IP associated with the public **ShinyHunters** data leak site, thereby reinforcing the link to the extortion group.
As part of its guidance, **Mandiant** advises organizations to restrict access to vulnerable **PeopleSoft** endpoints, review logs for suspicious requests targeting `/PSEMHUB/` and `/PSIGW/HttpListeningConnector`, and inspect servers for signs of compromise, including:
* Unexpected `.jsp` webshell files in **WebLogic** application directories
* Unauthorized files or binaries staged in **PSEMHUB** transaction folders
* Suspicious directories such as `logs`, `persistantstorage`, or `scratchpad`
* Recently modified XML files that could be used for persistence or to trigger remote code execution after a restart
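The following script is an added example, not tooling from Mandiant, Oracle, or the article, that turns the guidance above into a repeatable triage pass: it flags access-log requests to `/PSEMHUB/` and `/PSIGW/HttpListeningConnector`, and walks a deployment directory for `.jsp` files missing from a baseline allow-list, directory names matching the suspicious list, and recently modified XML files. The log format (NCSA combined), the directory layout, the sample log lines (RFC 5737 documentation addresses) and the baseline allow-list are all constructed assumptions; a real run would point it at the WebLogic domain and PSEMHUB paths of the site being examined.

```python
import os
import re
import tempfile
import time

# Request paths the guidance says to look for in web server logs.
SUSPICIOUS_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Directory names the guidance flags; "persistantstorage" is spelled as reported.
SUSPICIOUS_DIRS = {"logs", "persistantstorage", "scratchpad"}

# Assumption: access logs are in Apache/NCSA combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation-range IPs, not real indicators).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Apr/2026:12:00:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120',
    '203.0.113.10 - - [10/Apr/2026:12:00:07 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 318',
    '198.51.100.7 - - [10/Apr/2026:12:01:44 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 221',
]


def find_suspicious_requests(log_lines):
    """Return parsed entries whose request path starts with a watched prefix."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        path = m.group("path")
        if any(path.startswith(p) for p in SUSPICIOUS_PATHS):
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": int(m.group("status"))})
    return hits


def scan_tree(root, known_jsp, recent_seconds=7 * 24 * 3600, now=None):
    """Walk `root` and report .jsp files outside the baseline, suspicious
    directory names, and .xml files modified within `recent_seconds`.
    All paths are returned relative to `root` and sorted for stable output."""
    now = time.time() if now is None else now
    findings = {"unexpected_jsp": [], "suspicious_dirs": [], "recent_xml": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in SUSPICIOUS_DIRS:
                findings["suspicious_dirs"].append(
                    os.path.relpath(os.path.join(dirpath, d), root))
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            if f.lower().endswith(".jsp") and rel not in known_jsp:
                findings["unexpected_jsp"].append(rel)
            elif f.lower().endswith(".xml") and now - os.path.getmtime(full) < recent_seconds:
                findings["recent_xml"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree():
    """Create a throwaway layout imitating a WebLogic/PSEMHUB deployment
    (constructed for the demo; real layouts are site-specific)."""
    root = tempfile.mkdtemp(prefix="psft_triage_demo_")

    def touch(rel, age_seconds=0):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("demo\n")
        if age_seconds:
            old = time.time() - age_seconds
            os.utime(full, (old, old))

    touch("PORTAL/index.jsp", age_seconds=90 * 24 * 3600)        # in baseline, expected
    touch("PORTAL/ps2.jsp")                                      # not in baseline, new
    touch("PORTAL/WEB-INF/web.xml", age_seconds=90 * 24 * 3600)  # old XML, not reported
    touch("PSEMHUB/persistantstorage/helper.xml")                # recent XML in flagged dir
    return root


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("request:", hit)
    demo_root = build_demo_tree()
    for kind, items in scan_tree(demo_root, known_jsp={"PORTAL/index.jsp"}).items():
        print(kind + ":", items)
```

The allow-list for `.jsp` files should be taken from a known-good build or a clean peer instance rather than from the host under investigation, and the seven-day window for XML changes is a starting point to adjust to the site's patch cadence; anything the script flags is a lead for manual inspection, not a verdict.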
**ShinyHunters** has a recent history of targeting the education sector, including a significant cyberattack on **Instructure Canvas** that led to the theft of 280 million records. **Instructure** subsequently paid a ransom to prevent the data leak.