Published Friday, June 12, 2026 at 03:57 AM PT

BLUF: Google has confirmed active in-the-wild exploitation of a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) by threat actor ShinyHunters. Oracle has mitigated the flaw but has not publicly confirmed exploitation. Organizations running PeopleSoft should treat this as an emergency patching priority.
DETAILS
- CVE-2026-35273 affects Oracle PeopleSoft; specific technical details of the vulnerability class (e.g., RCE, authentication bypass) have not been publicly confirmed at this time.
- Google has confirmed the vulnerability was exploited in the wild prior to patching. Which Google team made the confirmation (Threat Intelligence, Mandiant, or Project Zero) has not yet been specified.
- ShinyHunters is the attributed threat actor. The group has a documented history of large-scale data theft and extortion operations, including credential harvesting and database exfiltration.
- Oracle has deployed a mitigation for CVE-2026-35273 but has not issued a public advisory confirming exploitation as of this alert. The gap between vendor and third-party confirmation is notable and should be monitored.
- Patch availability status beyond Oracle’s mitigation action is not yet confirmed — it is unclear whether a full patch is available or if workarounds are the current remediation path.
IMPACT
- Directly affected: Organizations running Oracle PeopleSoft — commonly deployed in higher education, government, and large enterprise environments for HR, finance, and student administration.
- Scope: Potentially broad. PeopleSoft deployments frequently contain sensitive PII, payroll, financial, and HR data — consistent with ShinyHunters’ historical targeting profile.
- Data exfiltration risk is elevated given ShinyHunters’ operational pattern of bulk data theft for sale or extortion.
RECOMMENDED ACTIONS
- Apply Oracle’s mitigation immediately. Do not wait for a full patch release. Contact Oracle support for guidance specific to your deployment version.
- Audit PeopleSoft access logs for anomalous authentication attempts, unusual API calls, or unexpected data exports — particularly over the past 30–60 days.
- Restrict external-facing PeopleSoft access where operationally feasible pending full remediation.
- Monitor Oracle’s security advisory portal for a formal CVE disclosure and patch release.
- Brief incident response teams now. If ShinyHunters has already accessed your environment, early detection is critical to limiting exfiltration scope.
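A minimal triage pass for the log audit recommended above, as an added example that is not from Oracle, Google, or the cited reporting. It assumes the web tier writes NCSA common log format; the thresholds, request paths, and sample lines are constructed for illustration, and the `audit` function name is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: access logs are in NCSA common log format; adjust LINE otherwise.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def audit(lines, now, lookback_days=60, fail_min=5, bytes_min=50_000_000):
    """Flag clients with auth-failure bursts or large daily response volume.

    Thresholds are illustrative assumptions; tune them to local baselines.
    Returns (findings, unparsed): findings maps client IP -> list of reasons.
    """
    cutoff = now - timedelta(days=lookback_days)
    fails, sent, unparsed = defaultdict(int), defaultdict(int), 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            unparsed += 1          # count odd lines instead of dropping them
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < cutoff:
            continue               # outside the review window
        key = (m["ip"], ts.date().isoformat())
        if m["status"] in ("401", "403"):
            fails[key] += 1
        elif m["status"].startswith("2") and m["size"] != "-":
            sent[key] += int(m["size"])
    findings = defaultdict(list)
    for (ip, day), n in sorted(fails.items()):
        if n >= fail_min:
            findings[ip].append(f"{day}: {n} auth failures")
    for (ip, day), b in sorted(sent.items()):
        if b >= bytes_min:
            findings[ip].append(f"{day}: {b} bytes returned")
    return dict(findings), unparsed

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = (
    ['198.51.100.7 - - [10/Jun/2026:02:14:%02d +0000] "POST /signon HTTP/1.1" 401 512' % s
     for s in range(6)]
    + ['203.0.113.9 - - [02/Jun/2026:03:00:00 +0000] "GET /export HTTP/1.1" 200 80000000',
       '203.0.113.50 - - [01/Jan/2026:03:00:00 +0000] "GET /export HTTP/1.1" 200 90000000',
       '192.0.2.10 - - [11/Jun/2026:09:30:00 +0000] "GET /home HTTP/1.1" 200 5120',
       'truncated line without fields'])

NOW = datetime(2026, 6, 12, tzinfo=timezone.utc)  # fixed so the sample is reproducible
FINDINGS, UNPARSED = audit(SAMPLE, NOW)
```

A non-zero unparsed count means the format assumption does not hold for part of the log, and those lines need a manual look before the result is trusted.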
SOURCES
- SecurityWeek — “Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters”
- Oracle mitigation action: confirmed via SecurityWeek reporting; no independent Oracle advisory confirmed at time of publication.
⚠️ UNCERTAINTY FLAG: Oracle has not publicly confirmed exploitation. Vulnerability technical class, affected version range, and Google attribution team are unconfirmed. This alert will require an update as details emerge.
