A critical PeopleSoft flaw is already being exploited at scale
A former zero-day in Oracle's PeopleSoft software is being used in real-world attacks against a broad set of organizations, according to reporting from Ars Technica citing Google Mandiant and Oracle. The vulnerability, CVE-2026-35273, carries a severity rating of 9.8 out of 10 and is described as a server-side request forgery flaw that is remotely exploitable.
The timing is the most alarming part of the story. Mandiant says the ransomware-linked group ShinyHunters had been exploiting the flaw since May 27, more than two weeks before Oracle flagged it. Oracle has issued a stopgap mitigation but had not yet fully patched the vulnerability at the time of the report.
Who has been hit
Mandiant said the attackers targeted roughly 300 endpoints belonging to about 100 organizations. Around 68 percent of those organizations were in higher education. The University of Nottingham confirmed that it had suffered a hack that put a significant amount of student data in the hands of a threat actor, after ShinyHunters claimed the university as a victim and published gigabytes of data it said it had stolen.
Google also confirmed that victims are receiving extortion demands. That moves the incident from theoretical exposure into a live pressure campaign, with compromised organizations facing both operational risk and reputational damage.
Why this bug is so dangerous
Oracle and Mandiant characterize the issue as an SSRF vulnerability. In practical terms, that means an attacker can make the vulnerable server issue requests on their behalf toward internal systems that are not directly reachable from the internet. In enterprise software environments, that can turn one exposed service into a route for broader reconnaissance and follow-on access.
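To make the mechanism concrete from the defender's side, the following is an added example (not PeopleSoft code, and not a reconstruction of the reported flaw) of the outbound-request policy a server-side fetcher should enforce: the scheme and host must be on an allow-list, and the address the host resolves to must not fall in loopback, RFC1918, link-local or similar ranges. The hostnames, addresses and the `FAKE_DNS` table are constructed so the example runs offline.

```python
"""Outbound-request policy for a server-side fetcher (added example, not PeopleSoft code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed name->address table standing in for DNS so the example runs offline.
# Names and addresses are illustrative placeholders, not from the reported incident.
FAKE_DNS = {
    "vendor.example.com": "203.0.113.10",     # legitimate external integration partner
    "portal.example.com": "10.0.0.5",         # allow-listed name that points inside the estate
    "metadata.internal": "169.254.169.254",   # cloud metadata style endpoint
    "scheduler.corp.example": "10.20.30.40",  # internal process scheduler host
}

ALLOWED_SCHEMES = {"http", "https"}
# Hosts the application is permitted to call out to (maintained by the application owner).
ALLOWED_HOSTS = {"vendor.example.com", "portal.example.com"}

# Ranges a server-side fetch must never reach: "this network", RFC1918, loopback,
# link-local (which covers cloud metadata), multicast, and their IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve(host):
    """Return the address for `host`: IP literals pass through, names use FAKE_DNS."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host)


def is_blocked_address(addr):
    """True when `addr` falls in a range that server-side requests must not reach."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # evaluate ::ffff:10.0.0.1 as 10.0.0.1
    return any(ip in net for net in BLOCKED_NETS)


def check_target(url):
    """Return "ok" if a server-side fetch of `url` is within policy, else the reason it is not."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    host = parts.hostname  # the real host only; userinfo and port are not part of it
    if not host:
        return "no host"
    if host not in ALLOWED_HOSTS:
        return "host not on allow-list"
    addr = resolve(host)
    if addr is None:
        return "host does not resolve"
    if is_blocked_address(addr):
        return f"resolves to non-public address {addr}"
    return "ok"


if __name__ == "__main__":
    for u in ("https://vendor.example.com/api/v1", "http://metadata.internal/latest",
              "https://portal.example.com/", "file:///etc/passwd"):
        print(u, "->", check_target(u))
```

The address check runs after name resolution on purpose: an allow-listed name that resolves inward (the `portal.example.com` entry above) is rejected even though the name itself is permitted. In a real fetcher the connection should then be made to the address that was checked, not resolved a second time.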
The reporting says analysis of a bash script left on a staging server showed the attackers performing reconnaissance on compromised organizations. That included mapping PeopleSoft configurations and viewing process scheduler and WebLogic server XML configurations. Those details matter because they suggest the attackers were not merely probing for proof of access. They were learning the internal shape of the victim environment.
Mandiant also said the attackers established an outbound SSH connection to an external IP address that hosted their staging infrastructure. That is consistent with a campaign designed to move quickly from access to extraction.

Why higher education dominates the victim list
The article says about 68 percent of affected organizations were in higher education. The Ars Technica report does not explain why that sector is so heavily represented, but the pattern is still noteworthy. Universities often run large, decentralized IT estates and hold substantial volumes of personal, financial, and research-related data, which can make them attractive targets when a widely deployed enterprise platform is exposed.
What matters most for defenders is not the motive but the window. If exploitation began on May 27 and public notice came more than two weeks later, many organizations may have been operating under active compromise without realizing it.
Mitigation is not the same as closure
Oracle's issuance of a stopgap mitigation is important, but it is not the same as a full fix. That distinction should drive incident response decisions. Organizations running exposed PeopleSoft deployments need to treat this as a potential breach scenario, not a routine patch cycle item.
The presence of extortion, published data, and evidence of hands-on activity raises the bar. In situations like this, teams need to assume that exploitation may already have occurred and investigate accordingly, especially if their environments were internet-facing during the reported window of abuse.
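One concrete check that follows from the reported indicators (outbound SSH from the compromised server to external staging infrastructure, beginning no earlier than May 27) is to hunt connection logs for SSH from the PeopleSoft tier to non-internal addresses inside that window. The following is an added example, not tooling from Mandiant or Oracle; the log format, host addresses and timestamps are constructed, and the year is assumed from the CVE identifier since the article gives only the day.

```python
"""Hunt for outbound SSH from the PeopleSoft tier to external addresses (added example)."""
import ipaddress
from datetime import datetime, timezone

# Constructed connection-log lines in an invented key=value format. Hosts, addresses
# and times are placeholders; the year is an assumption taken from the CVE identifier.
SAMPLE_LOG = """\
ts=2026-05-26T09:12:01Z src=10.10.5.21 dst=10.10.5.40 dport=1521 proto=tcp
ts=2026-05-28T02:41:17Z src=10.10.5.21 dst=198.51.100.77 dport=22 proto=tcp
ts=2026-05-28T02:41:20Z src=10.10.5.21 dst=198.51.100.77 dport=22 proto=tcp
ts=2026-05-29T11:03:44Z src=10.10.7.9 dst=198.51.100.77 dport=22 proto=tcp
ts=2026-05-30T14:00:00Z src=10.10.5.22 dst=10.10.1.5 dport=22 proto=tcp
ts=2026-06-01T08:15:30Z src=10.10.5.22 dst=203.0.113.9 dport=443 proto=tcp
ts=2026-05-20T03:00:00Z src=10.10.5.22 dst=203.0.113.9 dport=22 proto=tcp
"""

PEOPLESOFT_HOSTS = {"10.10.5.21", "10.10.5.22"}  # assumption: web/app tier addresses
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)  # reported start of exploitation

# What counts as "internal" for this estate; external is anything outside these ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed UTC timestamp and int port."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True when `addr` is outside every range in INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_outbound_ssh(log_text, app_hosts=PEOPLESOFT_HOSTS, since=WINDOW_START):
    """Return sorted (src, dst, first_seen, count) tuples for SSH from app hosts to
    external addresses at or after `since`. Other hosts, internal destinations, other
    ports and pre-window events are ignored."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] not in app_hosts or rec["dport"] != 22 or rec["proto"] != "tcp":
            continue
        if rec["ts"] < since or not is_external(rec["dst"]):
            continue
        key = (rec["src"], rec["dst"])
        first, count = seen.get(key, (rec["ts"], 0))
        seen[key] = (min(first, rec["ts"]), count + 1)
    return sorted((s, d, f, c) for (s, d), (f, c) in seen.items())


if __name__ == "__main__":
    for src, dst, first, count in find_outbound_ssh(SAMPLE_LOG):
        print(f"{src} -> {dst}:22  first seen {first.isoformat()}  ({count} connections)")
```

On the constructed sample only the app-tier host 10.10.5.21 reaching 198.51.100.77 on port 22 after May 27 is reported; the same destination from a non-PeopleSoft host, SSH to an internal bastion, and a pre-window event are all filtered out. Scoping to the application tier keeps the result list short, but any hit should be treated as a lead for a full host investigation rather than as proof of compromise on its own.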
The broader lesson
The PeopleSoft case shows how quickly a high-severity enterprise software flaw can become an extortion event when attackers are already moving before disclosure. It also highlights a persistent problem in enterprise security: by the time some organizations learn a critical vulnerability exists, attackers may already have spent days or weeks inside comparable environments.
For affected institutions, the immediate question is containment. For the rest of the market, the lesson is sharper: a 9.8-rated flaw in core business software is not just a patching issue when active exploitation, data theft, and pressure tactics are already underway.
- CVE-2026-35273 is a remotely exploitable PeopleSoft SSRF flaw rated 9.8.
- Mandiant says ShinyHunters exploited it from May 27, before Oracle disclosed it.
- About 100 organizations and roughly 300 endpoints were reportedly targeted.
- Oracle issued a mitigation, but a full patch had not yet arrived at the time of reporting.
This article is based on reporting by Ars Technica. Read the original article.
Originally published on arstechnica.com