Skip to content

Oracle Addresses Critical PeopleSoft Zero-Day Exploit Used in ShinyHunters Data Theft Attacks

Oracle has released emergency mitigations to address a critical zero-day vulnerability in its PeopleSoft Suite, which was exploited by the ShinyHunters extortion gang in data theft attacks.

The flaw, tracked as CVE-2026-35273, allows unauthenticated remote code execution and has a CVSS base score of 9.8. The vulnerability is within Oracle PeopleSoft PeopleTools and affects versions 8.61 and 8.62.

While Oracle has not stated that the vulnerability was actively exploited, its disclosure comes after BleepingComputer first reported that ShinyHunters was exploiting a PeopleSoft zero-day vulnerability to breach instances and steal data.

ShinyHunters is a well-known threat actor that commonly breaches cloud SaaS instances, CRMs, and enterprise platforms that host large volumes of corporate data. After gaining access to an instance, they will download the data and demand a ransom to prevent its public leak. The group has been linked to numerous high-profile attacks targeting SnowFlake, Salesforce, and third-party integration providers over the past year.

According to Oracle’s advisory, the vulnerability is remotely exploitable without authentication and may result in remote code execution if successfully exploited. The company has released emergency mitigations to address the flaw, with a patch coming soon.

If you are running Oracle PeopleSoft, it is strongly advised that you analyze logs for any connections from the IP addresses used in the attacks to determine whether you were targeted in these attacks. BleepingComputer has reached out to Oracle with questions regarding this vulnerability and the attacks, but has not received a response.

The ShinyHunters extortion gang claimed to use a ‘gadget chain’ of old and zero-day flaws to breach PeopleSoft instances, allegedly stealing data from 300 instances for over 100 organizations. Cybersecurity researcher ‘Michael R’ found several exposed online directories containing attack-related tooling and shared the following IP addresses used in the attacks.

### Affected Software Versions

Oracle PeopleSoft Enterprise Applications versions 8.61 and 8.62 are affected by this vulnerability.

### Mitigation and Patch Information

Oracle has released emergency mitigations to address the flaw, with a patch coming soon. It is recommended that you analyze logs for any connections from the IP addresses used in the attacks to determine whether you were targeted in these attacks.

### Related Threat Actor Activity

ShinyHunters is a well-known threat actor that commonly breaches cloud SaaS instances, CRMs, and enterprise platforms that host large volumes of corporate data. After gaining access to an instance, they will download the data and demand a ransom to prevent its public leak. The group has been linked to numerous high-profile attacks targeting SnowFlake, Salesforce, and third-party integration providers over the past year.

### Conclusion

The critical zero-day exploit in PeopleSoft Suite highlights the importance of timely patching and vulnerability management. It is essential for organizations to stay up-to-date with the latest security advisories and patches to prevent similar attacks in the future.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *