ShinyHunters exploit PeopleSoft 0-day, steal gigabytes of data from hundreds of organizations
ShinyHunters ransomware group exploits critical PeopleSoft vulnerability, targets 100 customers, and extorts at least one to pay up.

One of the world’s most active ransomware groups exploited a critical vulnerability in Oracle’s PeopleSoft software suite, using it to target about 100 customers and to extort at least one of them into paying in exchange for not leaking stolen data, researchers said. The group, tracked as ShinyHunters, had been exploiting the PeopleSoft vulnerability for more than two weeks before Oracle flagged it. The vulnerability, tracked as CVE-2026-35273, carries a severity rating of 9.8 out of 10, making the former zero-day one of the year’s most critical vulnerabilities to be exploited in the wild.
Google’s Mandiant security team said the flaw is a server-side request forgery (SSRF): an attacker can make the vulnerable server issue requests on their behalf to other systems the targeted organization runs, including internal systems that are not reachable directly from the Internet. Oracle said the SSRF is remotely exploitable; the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands.
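As an added illustration of the vulnerability class, and not code from the Ars Technica article, from Oracle, or from PeopleSoft (Oracle has not published the details of CVE-2026-35273, and nothing here reflects them): the pattern behind an SSRF is a server that fetches a URL supplied by the user with little or no validation. The Python below shows a naive check that is trivially bypassed beside a hardened one that enforces a host allowlist, rejects non-HTTP schemes and credentials in the URL, and refuses any target whose DNS answer points at an internal address. The allowlisted host names, the IP addresses and the stub resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of upstream hosts the application legitimately calls.
ALLOWED_HOSTS = {"api.example.com", "sso.example.com"}


def naive_is_allowed(url: str) -> bool:
    """The vulnerable pattern: a scheme prefix plus a substring match.

    Bypassed by putting the expected string anywhere in the URL, e.g.
    http://169.254.169.254/latest/meta-data/?x=api.example.com
    """
    return url.startswith(("http://", "https://")) and "api.example.com" in url


def resolve(host: str) -> set[str]:
    """Resolve a host name to every address it maps to (real DNS).

    Checking every answer matters: a name may return both public and
    private addresses, and a single check of one answer can be fooled.
    """
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal_address(ip_str: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata), multicast,
    reserved and unspecified addresses, for both IPv4 and IPv6."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def classify_target(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Hardened check. Returns (allowed, reason).

    The resolver is injectable so the decision can be tested offline and so
    the same resolved addresses can be pinned when the request is made.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username is not None or parts.password is not None:
        # user@host tricks parsers that read the text before '@' as the host.
        return False, "credentials in URL not permitted"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    host = host.lower().rstrip(".")
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    for address in resolver(host):
        if is_internal_address(address):
            # Split-horizon DNS or rebinding: an allowlisted name that
            # resolves to an internal address is still an SSRF path.
            return False, f"{host} resolves to internal address {address}"
    return True, "ok"


if __name__ == "__main__":
    # Offline demo with a stub resolver; the metadata URL passes the naive
    # check but fails the hardened one.
    stub = lambda host: {"93.184.216.34"}  # constructed public address
    probe = "http://169.254.169.254/latest/meta-data/?x=api.example.com"
    print("naive:", naive_is_allowed(probe))
    print("hardened:", classify_target(probe, resolver=stub))
    print("hardened:", classify_target("https://api.example.com/token", resolver=stub))
```

The allowlist and resolved-address checks are a decision about the URL only; a complete fix also makes the outbound request to the addresses that were checked (rather than resolving again), and restricts what the fetching process can reach at the network layer, so that a bypass of the application check still does not reach internal services.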
Why this matters: The ShinyHunters campaign shows that Internet-facing enterprise software remains a prime target for data-theft extortion. With about 100 customers targeted and stolen data already being used as leverage, the incident underscores how little time defenders have between in-the-wild exploitation and public disclosure. Organizations running PeopleSoft should apply Oracle's interim mitigation now, limit the outbound connections their PeopleSoft servers can make, and review logs for unexpected requests originating from those servers; until a full patch ships, the mitigation is the only vendor-supplied protection.
That ShinyHunters exploited the flaw for more than two weeks before Oracle flagged it also raises questions about how quickly exploitation of Oracle products is detected and disclosed. It remains to be seen how Oracle will fully remediate the vulnerability and prevent similar incidents in the future.
Source: Ars Technica