blindthoughts

Oracle PeopleSoft Zero-Day CVE-2026-35273 Actively Exploited in Data Theft Attacks

Oracle has disclosed a critical zero-day in PeopleSoft Suite — CVE-2026-35273 — enabling unauthenticated remote code execution, and the ShinyHunters threat group is already exploiting it in live data theft campaigns. Oracle has issued a mitigation, not yet a full patch. If your organization runs PeopleSoft, this is not a "patch at next maintenance window" situation.

What Happened

According to BleepingComputer, CVE-2026-35273 is a critical flaw in Oracle's PeopleSoft Suite — the enterprise platform widely used for HR, payroll, finance, and student administration. The vulnerability allows an unauthenticated attacker with network access to the PeopleSoft web tier to execute arbitrary code. No credentials required.

ShinyHunters, a prolific financially motivated threat group, is actively exploiting the flaw in data theft operations. Oracle has pushed a mitigation and is expected to follow with a formal patch, but the exploitation window is open right now.

Why It Matters

PeopleSoft deployments are high-value targets by definition. They hold the data extortion groups prize most: employee PII, payroll and banking details, financial ledgers, and in higher-education environments, full student records covered by FERPA.

The unauthenticated qualifier is the critical word here. Attackers need no insider knowledge, stolen credentials, or phishing chain, just network reachability to the web tier. Any PeopleSoft instance exposed to the internet should be treated as already compromised until the mitigation is applied.

ShinyHunters' involvement is not incidental. The group has a well-documented playbook: gain initial access, exfiltrate data at scale, then pressure victims with threatened public release or sale. Active exploitation means attacks are happening now, not merely in proof-of-concept.

What to Do

1. Apply Oracle's mitigation immediately. Pull the guidance from your Oracle support portal. Do not defer to the next scheduled maintenance cycle. The mitigation exists specifically because a full patch isn't yet available.

2. Cut external exposure now. If your PeopleSoft web tier is internet-reachable, place it behind a VPN or WAF as an additional layer while you work through the mitigation steps. This is a compensating control, not a substitute.

3. Hunt for existing compromise. Review PeopleSoft web server and application server logs for anomalous process execution, unexpected outbound connections, or unusual activity from PeopleSoft service accounts. Assume you may already be in the exploitation window and look for evidence before concluding you're clean.

4. Brief legal and compliance now. If your deployment holds PII, financial records, or student data, your incident response and legal teams need to be read in before you know whether you've been hit. Notification obligations under GDPR, CCPA, and FERPA are time-sensitive and don't wait for confirmed breach determination.

5. Watch Oracle's advisory channel. Subscribe to Oracle Security Alerts for the formal patch the moment it ships. The mitigation buys time — the patch closes the door.
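As an added example for step 3 (not code from the article, from Oracle, or from BleepingComputer), the script below turns the three hunting signals named there into checks run over a few constructed audit records in JSON-lines form: a PeopleSoft service account spawning a shell or interpreter, an outbound connection from a web-tier host to a destination outside the egress allowlist, and an interactive logon by a service account. The event schema, the service-account name `psoft-svc`, the host names, and the allowlisted ranges are all assumptions; replace them with your own inventory before running it against real exports.

```python
"""Triage helper for the 'hunt for existing compromise' step.

Everything here is constructed for illustration: the JSON-lines schema,
the service-account and host names, and the egress allowlist are
assumptions, not PeopleSoft's own log format.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory; substitute your own values.
SERVICE_ACCOUNTS = {"psoft-svc"}                 # hypothetical PeopleSoft service account
WEB_TIER_HOSTS = {"ps-web-01", "ps-web-02"}      # hypothetical web-tier hosts
INTERPRETERS = {"sh", "bash", "dash", "python3", "perl", "cmd.exe", "powershell.exe"}
ALLOWED_EGRESS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.5.0/24")]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, for both POSIX and Windows image paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Finding]:
    """Apply the three hunting rules to one parsed event; None means no lead."""
    kind = ev.get("event")
    host = ev.get("host", "?")
    user = ev.get("user", "")
    if kind == "process_exec":
        # Rule 1: a daemon service account should never spawn a shell or interpreter.
        image = _basename(ev.get("image", ""))
        if user in SERVICE_ACCOUNTS and image in INTERPRETERS:
            return Finding("service-account-shell", host,
                           f"{user} spawned {image}: {ev.get('cmdline', '')}")
    elif kind == "net_connect":
        # Rule 2: web-tier hosts only talk outbound to allowlisted ranges (DB, LDAP, ...).
        if host in WEB_TIER_HOSTS and ev.get("direction") == "outbound":
            try:
                dst = ipaddress.ip_address(ev.get("dst_ip", ""))
            except ValueError:
                return Finding("malformed-event", host, f"bad dst_ip in event: {ev}")
            if not any(dst in net for net in ALLOWED_EGRESS):
                return Finding("unexpected-egress", host,
                               f"{ev.get('process')} -> {dst}:{ev.get('dst_port')}")
    elif kind == "logon":
        # Rule 3: service accounts run daemons; an interactive logon is anomalous.
        if user in SERVICE_ACCOUNTS and ev.get("logon_type") == "interactive":
            return Finding("service-account-interactive-logon", host,
                           f"{user} interactive logon from {ev.get('src_ip')}")
    return None


def hunt(lines) -> List[Finding]:
    """Parse JSON-lines audit records and collect findings in input order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # Malformed lines are reported, not dropped: gaps in logs are themselves a lead.
            findings.append(Finding("malformed-event", "?", f"line {n} is not JSON"))
            continue
        finding = check_event(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry). Expected leads: lines 2, 4, 5, 8.
SAMPLE_LOG = [
    '{"event":"process_exec","host":"ps-web-01","user":"psoft-svc","image":"/opt/ps/bin/webserver","cmdline":"webserver -d"}',
    '{"event":"process_exec","host":"ps-web-01","user":"psoft-svc","image":"/bin/sh","cmdline":"sh -c whoami"}',
    '{"event":"net_connect","host":"ps-web-01","direction":"outbound","process":"webserver","dst_ip":"10.20.1.5","dst_port":1521}',
    '{"event":"net_connect","host":"ps-web-02","direction":"outbound","process":"sh","dst_ip":"203.0.113.7","dst_port":443}',
    '{"event":"logon","host":"ps-app-01","user":"psoft-svc","logon_type":"interactive","src_ip":"198.51.100.4"}',
    '{"event":"logon","host":"ps-app-01","user":"alice","logon_type":"interactive","src_ip":"10.20.7.9"}',
    '{"event":"net_connect","host":"jump-01","direction":"outbound","process":"ssh","dst_ip":"203.0.113.9","dst_port":22}',
    'this line is not json',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

A finding is a lead, not a verdict: check each against change records and known maintenance activity, and run the checks over the whole window since disclosure rather than only the most recent day, since the article notes the exploitation window was open before the mitigation shipped.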

An actively exploited, unauthenticated RCE against enterprise systems holding payroll and HR data is the highest tier of urgency. Treat any exposed PeopleSoft instance as a live incident until the mitigation is confirmed in place and your logs are clean.

Sources
1. BleepingComputer: Oracle mitigates PeopleSoft zero-day exploited in data theft attacks

Synthesized by Claude · sanity-checked before publish.
