Oracle has issued an emergency mitigation for a critical zero-day vulnerability in its PeopleSoft Suite, tracked as CVE-2026-35273, which allows unauthenticated attackers to execute arbitrary code remotely. The flaw is being actively exploited by the ShinyHunters cybercriminal group in targeted data theft and extortion campaigns.
The Vulnerability
CVE-2026-35273 affects multiple PeopleSoft products and carries a critical severity rating. The flaw enables unauthenticated remote code execution — one of the most dangerous vulnerability classes — meaning attackers require no credentials or prior access to exploit it. Once exploited, threat actors gain the ability to execute commands on the underlying server, pivot into connected systems, and exfiltrate sensitive data at scale.
Oracle has confirmed active exploitation and pushed emergency mitigation guidance ahead of a formal patch release. Organizations running PeopleSoft HR, Finance, and Campus Solutions environments are considered at highest risk.
ShinyHunters Exploitation Campaign
The ShinyHunters extortion group — tracked by Mandiant as UNC6240 — has weaponized CVE-2026-35273 in an ongoing campaign targeting enterprise and education sector organizations. ShinyHunters is a prolific financially motivated threat actor known for large-scale data theft followed by ransom demands and public data auctions on cybercrime forums.
The group's PeopleSoft campaign follows a consistent pattern:
- Initial access via exploitation of CVE-2026-35273
- Data exfiltration of HR records, financial data, and student information
- Extortion — demands sent to victims threatening public data releases
- Auction — unclaimed stolen datasets sold on dark web marketplaces
Affected Products and Scope
Oracle PeopleSoft is widely deployed in higher education (student information systems), government agencies, and large enterprises for HR and ERP functions. The breadth of PeopleSoft installations makes this a high-value target for data thieves, as single instances often hold records for tens of thousands of individuals.
The university sector has been particularly hard hit. PeopleSoft Campus Solutions is one of the most common student information system platforms at North American and European universities, making academic institutions a prime target for ShinyHunters' extortion playbook.
Oracle's Response
Oracle has released interim mitigation guidance for CVE-2026-35273, recommending that organizations:
- Apply network-level access controls to restrict PeopleSoft web interfaces to trusted networks
- Enable enhanced logging and monitor for anomalous authentication attempts
- Review user activity and data exports for signs of unauthorized exfiltration
- Prioritize the upcoming formal patch when released via Oracle's Critical Patch Update cycle
Organizations are advised not to wait for the next scheduled CPU release and to apply the interim mitigations immediately.
Recommendations
If your organization runs Oracle PeopleSoft, treat this as a priority incident:
- Audit exposure: Determine whether your PeopleSoft portals are accessible from the internet or only from internal networks
- Review logs: Look for unusual activity in your PeopleSoft application logs going back at least 90 days
- Apply mitigations: Follow Oracle's published guidance without delay
- Incident response: If you identify indicators of compromise, engage your IR team — ShinyHunters moves fast from initial access to exfiltration
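The exposure audit and log review steps above can be combined into one first-pass triage over web access logs. This is an added example, not code from Oracle or from the original article; it assumes the web tier in front of PeopleSoft writes Common/Combined Log Format, and the trusted ranges, byte threshold and sample lines are constructed placeholders.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed values, not from Oracle's guidance: adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LOOKBACK = timedelta(days=90)      # review window from the recommendations
BYTES_THRESHOLD = 50_000_000       # response bytes per client worth a closer look

# Common/Combined Log Format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\d+|-)')

def review(lines, now):
    """Summarise requests from untrusted clients inside the look-back window."""
    clients = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not in the expected format
        ip, ts, _status, size = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue                       # hostname instead of IP, or bad timestamp
        if any(addr in net for net in TRUSTED_NETS):
            continue                       # expected internal traffic
        if not (now - LOOKBACK <= when <= now):
            continue                       # outside the 90-day window
        entry = clients.setdefault(ip, {"requests": 0, "bytes": 0, "flag": False})
        entry["requests"] += 1
        entry["bytes"] += 0 if size == "-" else int(size)
        entry["flag"] = entry["bytes"] >= BYTES_THRESHOLD
    return clients

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '10.1.2.3 - - [10/Mar/2026:09:00:00 +0000] "GET / HTTP/1.1" 200 900000000',
    '203.0.113.5 - - [11/Mar/2026:02:14:07 +0000] "GET / HTTP/1.1" 200 30000000',
    '203.0.113.5 - - [11/Mar/2026:02:15:10 +0000] "GET / HTTP/1.1" 200 40000000',
    '198.51.100.7 - - [12/Mar/2026:14:30:00 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Sep/2025:03:00:00 +0000] "GET / HTTP/1.1" 200 99999999',
    'garbled line',
]
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ip, info in review(SAMPLE, NOW).items():
        print(ip, info)
```

Any client listed at all shows the portal is reachable from outside the trusted ranges; a flagged client is a candidate for the data-export review, not proof of exfiltration.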
This vulnerability underscores the ongoing risk posed by internet-exposed enterprise applications. Legacy ERP and HR platforms like PeopleSoft are frequently deprioritized for patching, making them attractive targets for threat actors who track unpatched enterprise software at scale.