
Oracle rushes PeopleSoft patch after CVE-2026-35273 hits

CVE-2026-35273 PeopleSoft – Oracle has issued emergency mitigations for a critical PeopleSoft PeopleTools zero-day, CVE-2026-35273, tied to unauthorized remote code execution. The flaw is confirmed to affect PeopleTools 8.61 and 8.62 and is being exploited in data theft attacks linked to

By the time many security teams notice strange activity, the clock has already run out. In this case, Oracle says the danger is immediate: a PeopleSoft zero-day tracked as CVE-2026-35273 that can be triggered remotely without authentication, and is actively being used in data theft attacks.

Oracle’s advisory warns that the vulnerability exists in Oracle PeopleSoft PeopleTools and carries a CVSS base score of 9.8. “This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” the company wrote. Oracle adds that the flaw is “remotely exploitable without authentication” and, if exploited, “may result in remote code execution.”

The affected products are PeopleTools versions 8.61 and 8.62. Oracle confirmed it has released emergency mitigations and says a patch is coming soon.

The zero-day was exploited in ShinyHunters data theft attacks

Oracle’s disclosure arrives after PeopleSoft instances were hit in a wave of data theft attacks attributed to the ShinyHunters extortion gang. While Oracle had not stated that the vulnerability was under active exploitation, the timing of the announcement—and the matching details emerging around the intrusion reports—point to the same mechanism.

BleepingComputer previously reported that ShinyHunters was exploiting a PeopleSoft zero-day vulnerability to breach instances and steal data. Later, it learned that CVE-2026-35273 is the specific zero-day being used.

Charles Carmakal, CTO at Mandiant – Google Cloud, also confirmed on LinkedIn that CVE-2026-35273 is actively exploited, and stated that Oracle released mitigations for the flaw.

For ShinyHunters, the pattern is familiar. The threat actor is known for breaching cloud SaaS instances, CRMs, and enterprise platforms that store large volumes of corporate data. After gaining access, the group allegedly downloads the data and demands ransom to prevent public release.

BleepingComputer learned on Tuesday that Oracle PeopleSoft was targeted in these data theft attacks, with ransom notes “purportedly from the ShinyHunters extortion gang” left behind after intrusions.


ShinyHunters claims responsibility and outlines its approach

ShinyHunters confirmed to BleepingComputer that it is behind the attacks. The group claims it used a “gadget chain” made from older and zero-day flaws to breach PeopleSoft instances.

In the reporting, the scale is stark: the threat actor allegedly stole data from 300 instances for over 100 organizations.

The group has also been linked to high-profile attacks over the past year involving Snowflake, Salesforce, and third-party integration providers.

Where defenders can look: exposed IP addresses


Separately, cybersecurity researcher “Michael R” identified exposed online directories containing attack-related tooling and shared the following IP addresses believed to have been used in the attacks:

142.11.200[.]186
142.11.200[.]187
142.11.200[.]188
142.11.200[.]189
142.11.200[.]190
108.174.202[.]99
176.120.22[.]24

If you run Oracle PeopleSoft, the practical advice coming out of this incident is direct: analyze logs for any connections from those IP addresses to determine whether your environment was targeted.
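A sketch of that log check, added here as an illustration and not taken from Oracle, BleepingComputer or the researcher: it refangs the published indicators and matches them as whole addresses anywhere in a log line, so a forwarded-for field behind a proxy is covered and near-miss addresses are not flagged. The log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Indicators as published in the article, still defanged.
DEFANGED_IOCS = """
142.11.200[.]186
142.11.200[.]187
142.11.200[.]188
142.11.200[.]189
142.11.200[.]190
108.174.202[.]99
176.120.22[.]24
"""

# Whole dotted quads only, so a longer digit run is never matched in part.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def load_iocs(text):
    """Refang each indicator and parse it into an ipaddress object."""
    return {ipaddress.ip_address(line.strip().replace("[.]", "."))
            for line in text.splitlines() if line.strip()}


def find_hits(log_lines, iocs):
    """Return (line number, address) for every indicator seen anywhere in a line."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for token in IPV4_TOKEN.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # e.g. 999.1.1.1 or octets with leading zeros
                continue
            if addr in iocs:
                hits.append((lineno, str(addr)))
    return hits


# Constructed access-log lines (assumed common log format plus a forwarded-for field).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-"',
    '142.11.200.186 - - [01/Jan/2026:10:00:05 +0000] "POST / HTTP/1.1" 200 128 "-"',
    '142.11.200.18 - - [01/Jan/2026:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-"',
    '10.0.0.5 - - [01/Jan/2026:10:01:00 +0000] "GET / HTTP/1.1" 200 64 "108.174.202.99"',
    '198.51.100.4 - - [01/Jan/2026:10:02:00 +0000] "GET /?id=1176.120.22.245 HTTP/1.1" 404 0 "-"',
]

if __name__ == "__main__":
    for lineno, addr in find_hits(SAMPLE_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"line {lineno}: connection involving {addr}")
```

Run the same check over web tier, load balancer and reverse-proxy logs, since the original client address may appear only in a forwarded-for field.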

BleepingComputer reached out to Oracle with questions about the vulnerability and the attacks, but received no response.

At this moment, the key point is clear even without extra speculation: Oracle says a high-severity remote code execution flaw in PeopleTools is out there, and the same flaw is tied to an extortion campaign that already left ransom notes behind.


4 Comments

  1. PeopleSoft patch?? This is why my cousin says all corporate software is just open doors. I don’t even know what CVE-2026-35273 is but the number alone sounds scary.

  2. Wait, if it’s remote code execution then it’s like they can just run stuff on the server right? Also I saw “ShinyHunters” and I swear that sounds like a video game group not a ransomware gang. But yeah, patch coming soon means people probably already got hit.

  3. I don’t trust this. Oracle says mitigations now and patch soon but meanwhile they’re saying it’s being exploited for data theft, like what do you even do besides delete the whole system. Also CVSS 9.8 like that’s basically a 10 so why didn’t they catch it earlier??
