
Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert

A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools is being exploited in the wild, Charles Carmakal, CTO at cybersecurity firm Mandiant, part of Google Cloud, warned today.

The warning comes a day after Oracle published an out-of-band security alert about the flaw, which is remotely exploitable without authentication, may result in remote code execution, and affects PeopleSoft PeopleTools versions 8.61 and 8.62 (and possibly earlier, unsupported ones as well).

Oracle credited researchers with TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability.

The security alert links to a “patch availability document”, but it is unclear whether a patch is currently available, as the document is accessible only to customers with a support account.

Help Net Security has reached out to Oracle for confirmation on whether CVE-2026-35273 is being actively exploited, but we’ve yet to receive a reply.

ShinyHunters targeting PeopleSoft instances

Oracle’s alert was published on the same day that Bleeping Computer reported ShinyHunters’ claims that they’ve been breaching Oracle PeopleSoft servers and have stolen data from 100+ organizations.

According to the extortion group’s claims, the targeted organizations are mostly educational institutions, and their PeopleSoft instances – whether on-premises or in the cloud – were breached “using a ‘gadget chain’ of old and zero-day vulnerabilities.”

Among the victims is apparently the University of Nottingham, which confirmed it has suffered a cybersecurity incident and that it has notified affected students and alumni directly.

ShinyHunters claimed that breach and leaked tens of gigabytes of stolen data, including personal data and academic records of nearly half a million current and former students.

A threat researcher seemingly confirmed ShinyHunters’ ongoing targeting of PeopleSoft instances, after discovering exposed directories containing tools used in these attacks.

“At the /pay_or_leak endpoint, is stolen data from 20+ organizations, many named and others from 02 Jun and 04 Jun not yet named. Inside the same bash history log is a purpose-built shell script (uon_fanout.sh) which spreads defacement markers across PeopleSoft infrastructure,” the researcher noted.

“The code shows the attackers are very familiar with PeopleSoft; extracting creds from psappsrv.cfg (app server config), mapping all connected nodes, and identifying web/app/batch tiers.”

The researcher also posted a list of IPs and domains related to the attacks, which can be used by PeopleSoft admins and defenders to check for signs of compromise.
