THE CIRCUITRYYour one-stop source for all tech news

Home/Tech/Oracle Mitigates PeopleSoft Zero-Day in ShinyHunter Attacks

VERIFIEDBy Xavier Rivera· ·2 min read

Oracle Mitigates PeopleSoft Zero-Day in ShinyHunter Attacks

Oracle released emergency mitigations for CVE-2026-35273, a critical unauthenticated remote code execution zero-day in PeopleSoft PeopleTools 8.61 and 8.62 that ShinyHunters exploited to steal data from 300 instances across more than 100 organizations. The flaw carries a 9.8 CVSS score and highlights ongoing risks to enterprise platforms hosting sensitive corporate data.

Source:BleepingComputer

Post

Oracle Mitigates PeopleSoft Zero-Day in ShinyHunter Attacks

TL;DRAI · 60 sec read

Developing storymonitoring for updates

This story is still unfolding. Confirmed developments will appear here.

Oracle has issued an emergency mitigation for a critical zero-day vulnerability in its PeopleSoft Suite that is actively exploited in data theft attacks by the ShinyHunters extortion gang.

Oracle discloses CVE-2026-35273 with a 9.8 CVSS score. The flaw resides in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 and allows unauthenticated remote code execution. Oracle's advisory states the vulnerability is remotely exploitable without authentication and, if successfully exploited, may result in remote code execution.

ShinyHunters used the zero-day to breach over 100 organizations.

The company confirmed that Oracle PeopleSoft Enterprise Applications customers may also be affected. Oracle has released emergency mitigations and said a patch is coming soon.

https://x.com/nahamike01/status/2064529246178210220

ShinyHunters used the zero-day to breach over 100 organizations. BleepingComputer first reported that the gang was exploiting a PeopleSoft zero-day to steal data, and has since confirmed that CVE-2026-35273 is the flaw involved. The group left ransom notes on compromised instances and claimed to use a gadget chain of old and zero-day flaws.

From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →

ShinyHunters allegedly stole data from 300 instances belonging to more than 100 organizations. The gang is known for targeting cloud SaaS instances, CRMs, and enterprise platforms that host large volumes of corporate data, then demanding ransom to prevent public leaks. It has previously been linked to high-profile attacks on Snowflake, Salesforce, and third-party integration providers over the past year.

The group left ransom notes on compromised instances and claimed to use a gadget chain of old and zero-day flaws.

Mandiant confirms active exploitation and Oracle's response. Charles Carmakal, CTO at Mandiant - Google Cloud, confirmed on LinkedIn that CVE-2026-35273 is actively exploited and that Oracle has released mitigations. Cybersecurity researcher "Michael R" identified exposed online directories with attack-related tooling and listed IP addresses used in the attacks.

The IP addresses are 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, 142.11.200.190, 108.174.202.99, and 176.120.22.24. Oracle has not directly stated that the vulnerability is actively exploited in its advisory. BleepingComputer reached out to Oracle for comment but has not received a response.

Organizations running PeopleSoft are urged to check logs immediately. Administrators are strongly advised to analyze logs for connections from the listed IP addresses to determine if they were targeted. The disclosure arrives on the same day as Oracle's advisory, June 11, 2026.

EXPERT TAKE

Enterprise security teams should treat this as an immediate patching priority and scan logs for the listed IPs, as the gap between zero-day disclosure and widespread exploitation continues to shrink for legacy enterprise suites.

Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported

DonateBuy me a coffee →Follow@thecircuitry_ →

Reader-supported · Daily Brief

Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.

HELP US IMPROVE

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee

Oracle Zero-Day Security

MORE IN TECH

Waymo launches $29.99 Premier membership

Waymo launched its first membership program, Waymo Premier, an invite-only $29.99 monthly tier offering priority pickups, 10% cash back, early city access and free cancellations. The move seeks to build loyalty as the robotaxi service scales toward 1 million weekly rides and enters more than 20 cities.

Microsoft Edge shifts to two-week release cycle

Microsoft Edge is adopting a two-week release cycle for its Stable channel beginning with version 152 on August 27, while Extended Stable remains on an eight-week schedule. The shift delivers smaller, more frequent updates and faster security improvements to help organizations validate changes more easily.

South Korea fines Coupang record $409M over data breach

South Korea's PIPC fined Coupang a record 624.6 billion won ($409 million) after a breach exposed personal data of over 37 million customers due to security failures and other violations. The penalty, paired with a company compensation plan exceeding $1.17 billion, highlights escalating regulatory pressure on major tech platforms handling consumer data.