PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data
arstechnica.com ∙ Friday, June 12, 2026
Top line
ShinyHunters is exploiting a critical PeopleSoft zero-day to target 100 organizations, primarily in higher education, resulting in large-scale data theft.
Summary
A critical 9.8-rated zero-day vulnerability in Oracle's PeopleSoft suite, identified as CVE-2026-35273, has been actively exploited by the ransomware group ShinyHunters since May 27, 2026. The vulnerability, an SSRF flaw, has allowed the group to compromise approximately 100 organizations, predominantly in the higher education sector, including the University of Nottingham. Attackers utilized the flaw to map internal system configurations and exfiltrate large volumes of data for extortion purposes. While Oracle has provided stopgap mitigations, a full patch remains pending, and security firms Mandiant and Rapid7 are currently working to support affected entities with indicators of compromise.
Highlights
The ransomware group ShinyHunters has been exploiting a critical server-side request forgery (SSRF) vulnerability in Oracle’s PeopleSoft software, tracked as CVE-2026-35273.
The vulnerability, rated 9.8 out of 10 for severity, allowed attackers to send requests from targeted servers to internal systems.
ShinyHunters exploited this zero-day for approximately two weeks prior to Oracle’s awareness and initial mitigation measures; a full patch is pending.
The campaign targeted around 100 organizations, with 68 percent of these entities operating within the higher education sector.
The University of Nottingham has confirmed it was a victim, with the threat group claiming to have stolen gigabytes of data.
Attackers used a staging server to map PeopleSoft configurations and established outbound SSH connections to exfiltrate compressed data via the zstd tool.
ShinyHunters has been active since 2019, previously breaching organizations including Ticketmaster, Santander, and Salesforce.
Mandiant and Rapid7 are providing indicators of compromise and advising affected customers on remediation steps.
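A defender-side check for the host behaviour the highlights describe (zstd compression followed by an outbound SSH connection), given here as an added example that is not from the article, Oracle, Mandiant or Rapid7. The event schema, host names, addresses, internal ranges and 15-minute window are constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (simplified exec/connect events); the field
# names are assumptions, not a real EDR or auditd schema.
SAMPLE_EVENTS = """
{"ts":"2026-06-01T02:10:05","host":"psapp01","type":"exec","exe":"/usr/bin/zstd","args":"-19 -o /tmp/a.zst /tmp/stage.tar"}
{"ts":"2026-06-01T02:14:40","host":"psapp01","type":"connect","exe":"/usr/bin/ssh","dest_ip":"203.0.113.25","dest_port":22}
{"ts":"2026-06-01T03:00:00","host":"psapp02","type":"exec","exe":"/usr/bin/zstd","args":"-3 /var/log/app.log"}
{"ts":"2026-06-01T03:05:00","host":"psapp02","type":"connect","exe":"/usr/bin/ssh","dest_ip":"10.20.0.7","dest_port":22}
{"ts":"2026-06-01T09:00:00","host":"psapp03","type":"connect","exe":"/usr/bin/scp","dest_ip":"198.51.100.9","dest_port":22}
""".strip().splitlines()

SSH_CLIENTS = {"ssh", "scp", "sftp"}
# Assumed internal ranges; replace with the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    """True when the address falls outside every network in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_compress_then_ssh(lines, window=timedelta(minutes=15)):
    """Return (host, dest_ip, gap_seconds) for each outbound SSH-family
    connection to an external address made within `window` of a zstd run
    on the same host."""
    last_zstd = {}  # host -> time of the most recent zstd execution
    findings = []
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        name = ev["exe"].rsplit("/", 1)[-1]
        if ev["type"] == "exec" and name == "zstd":
            last_zstd[ev["host"]] = ts
        elif ev["type"] == "connect" and name in SSH_CLIENTS and is_external(ev["dest_ip"]):
            seen = last_zstd.get(ev["host"])
            if seen is not None and ts - seen <= window:
                findings.append((ev["host"], ev["dest_ip"], int((ts - seen).total_seconds())))
    return findings

if __name__ == "__main__":
    for host, dest, gap in find_compress_then_ssh(SAMPLE_EVENTS):
        print(f"{host}: zstd then outbound SSH to {dest} after {gap}s")
```

An application server that never initiates SSH in normal operation can be alerted on for any external SSH-family connection; the zstd correlation is what narrows the alert to the staging-then-transfer sequence.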