critical | Ransomware | CVE-2026-35273

Critical Oracle PeopleSoft Zero-Day Exploited by ShinyHunters: Over 100 Organizations at Risk

A critical vulnerability in Oracle's PeopleSoft Enterprise PeopleTools (CVE-2026-35273) has been actively exploited by the ShinyHunters group to achieve remote code execution. The flaw affects versions 8.61 and 8.62, and over 100 organizations have been hit with data theft attempts. Affected users are advised to implement Oracle's mitigations immediately, until a patch becomes available.

Summary

Oracle Corporation has issued an urgent advisory regarding a critical vulnerability in its PeopleSoft Enterprise PeopleTools product (CVE-2026-35273). This flaw allows unauthenticated attackers to execute code remotely, posing significant risks to confidentiality, integrity, and availability. The ShinyHunters group is reportedly exploiting this zero-day vulnerability to steal data from hundreds of instances across various organizations.

What Happened

Oracle's PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 are vulnerable to a critical flaw that enables unauthenticated remote code execution. This vulnerability, identified as CVE-2026-35273, has been actively exploited by the ShinyHunters group in data theft attacks. The attackers reportedly used a combination of old vulnerabilities and this zero-day flaw to breach PeopleSoft instances.

How the Attack Works

The attack vector involves exploiting the unauthenticated remote code execution vulnerability within Oracle's PeopleSoft Enterprise PeopleTools. By leveraging this flaw, attackers can gain unauthorized access to systems without needing valid credentials. Once inside, they can execute arbitrary commands, leading to potential data theft and system compromise.

Affected Products and Fixed Versions

The critical vulnerability affects specific versions of Oracle's PeopleSoft Enterprise PeopleTools:

  • Affected Versions: 8.61, 8.62
  • Mitigations Released: Yes
  • Patch Status: Pending

Organizations using these versions should prioritize implementing the recommended mitigations to reduce risk exposure.

Exploitation Status

The ShinyHunters group has confirmed exploiting this vulnerability in attacks targeting over 300 PeopleSoft instances across more than 100 organizations. While Oracle has not officially confirmed zero-day exploitation, multiple sources, including BleepingComputer and Mandiant's CTO Charles Carmakal, have acknowledged active exploitation.

Indicators of Compromise

Organizations running affected versions should monitor for connections from the following IP addresses associated with ShinyHunters' activities:


Detection Opportunities

Security teams should analyze logs for any connections from the above IP addresses to detect potential breaches. Additionally, implementing breach and attack simulation tests can help identify weaknesses in SIEM and EDR rules that might allow such threats to go undetected.
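
One way to run the log check described above, as an added example that is not from the original article: it matches both the connecting address and any X-Forwarded-For entries against an indicator set. The indicators, the log layout and the sample lines are constructed placeholders; substitute the advisory's addresses and your web tier's actual log format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators (RFC 5737 documentation ranges);
# replace with the addresses from the advisory being tracked.
INDICATORS = ["192.0.2.10", "198.51.100.0/29"]

# Constructed sample: combined log format plus a trailing quoted
# X-Forwarded-For field (an assumed reverse-proxy layout).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2026:10:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "192.0.2.10"
203.0.113.7 - - [02/Jun/2026:10:15:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
::ffff:198.51.100.3 - - [02/Jun/2026:10:16:44 +0000] "POST /login HTTP/1.1" 500 0 "-" "-" "-"
10.0.0.5 - - [02/Jun/2026:10:17:30 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "203.0.113.9, 198.51.100.6"
"""

LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+'
    r'(?: "[^"]*" "[^"]*"(?: "([^"]*)")?)?'
)

def normalise(text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d). None if invalid."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    return getattr(ip, "ipv4_mapped", None) or ip

def find_hits(log_text, indicators=INDICATORS):
    """Map each matching indicator to (timestamp, address, request, status) tuples."""
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        peer, when, request, status, xff = m.groups()
        # Behind a proxy the peer is the proxy itself, so also check
        # X-Forwarded-For. That header is client-supplied unless the proxy
        # overwrites it, so treat an XFF-only match as a lead to verify.
        candidates = [peer] + (xff.split(",") if xff and xff != "-" else [])
        for ip in (n for n in map(normalise, candidates) if n is not None):
            for net in nets:
                if ip.version == net.version and ip in net:
                    hits[str(net)].append((when, str(ip), request, int(status)))
    return dict(hits)
```

Source addresses are easy for an operator to rotate, so an empty result narrows the search but does not clear a host.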

Why This Matters for Defenders

The exploitation of CVE-2026-35273 underscores the importance of timely vulnerability management and threat monitoring. Organizations must act swiftly to implement mitigations and prepare for patches, as delays can lead to significant data breaches and operational disruptions.

Defender Guidance

  1. Implement Mitigations: Apply Oracle's recommended mitigations immediately to reduce risk exposure.
  2. Monitor Logs: Analyze logs for connections from the specified IP addresses associated with ShinyHunters.
  3. Prepare for Patching: Stay informed about the release of a patch and plan for its deployment as soon as it becomes available.
  4. Conduct Simulations: Use breach and attack simulation tools to test your defenses against similar vulnerabilities.

What Remains Unclear

  • The full technical details of how the vulnerability is exploited remain undisclosed.
  • Oracle has not confirmed whether CVE-2026-35273 has been exploited in the wild as a zero-day, despite reports from multiple sources.

Sources

  1. https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
  2. https://www.bleepingcomputer.com/news/security/oracle-mitigates-peoplesoft-zero-day-exploited-in-data-theft-attacks/
  3. https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/
  4. https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
Harith Dilshan


- Offensive Security Engineer | Ethical Hacker | Penetration Tester -