- ShinyHunters likely behind the CVE-2026-35273 attack on Oracle's PeopleSoft
- Versions 8.61 and 8.62 affected, users urged to take "immediate action"
- Google's Mandiant informed over 100 organizations
Oracle PeopleSoft servers, used by universities, businesses and public sector organizations, are being targeted in a new attack by extortion group ShinyHunters, researchers have revealed.
The attackers claim to have compromised more than 100 organizations, and exfiltrated data from around 300 PeopleSoft instances, by exploiting a vulnerability tracked as CVE-2026-35273.
Victims have reportedly received demands signed by ShinyHunters threatening to release stolen data, unless a ransom is paid, with another researcher adding that it could be "a group impersonating them," implying the group has not yet taken accountability for the attacks.
Oracle PeopleSoft customers vulnerable to attacks and ransom demands
"This vulnerability is remotely exploitable without authentication," Oracle added in a June 10 security advisory. "If successfully exploited, this vulnerability may result in remote code execution."
Separately, researchers from Google's Mandiant they were tracking the "critical remote code execution vulnerability", rated a CVSS 9.8 score, between May 27 and June 9 2026. "Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day," the researchers added.
Oracle is urging users to take "immediate action" to apply the patch, which fixes versions 8.61 and 8.62.
Besides Oracle's advisory, Google says it alerted over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Two-thirds (68%) of them were higher education institutions, and most of the victims were also based in the US.
Mandiant urges users to check logs for suspicious access between late May and early June, and to apply Oracle's security update regardless of whether or not they've been attacked.
Via BleepingComputer
