Skip to content

Oracle PeopleSoft Zero-Day Exploited in 100+ Breaches

Tech Times · Story 2 of 5

A critical zero-day vulnerability in Oracle PeopleSoft has led to over 100 data breaches globally, with attackers exploiting the flaw for two full weeks before Oracle issued a patch. The vulnerability, CVE-2026-35273, carries a CVSS severity score of 9.8 out of 10 and resides in the PeopleTools Environment Management Hub component. What makes this attack particularly dangerous is that it requires no authentication – attackers with network access to vulnerable endpoints can execute arbitrary code on PeopleSoft servers. The ShinyHunters group (tracked as UNC6240) claimed responsibility, using a 'gadget chain' technique that combined the zero-day with older known vulnerabilities. The impact has been severe, affecting universities, hospital systems, and government agencies worldwide. Organizations that failed to patch by CISA's June 15 deadline face ongoing security risks.

Analysis
Live

This incident should be a wake-up call for MENA organizations using Oracle PeopleSoft, especially in Egypt's education sector where multiple universities were affected. The attack highlights the dangerous gap between vulnerability discovery and patch availability, something regional CISOs need to address proactively. For builders, this means designing systems with zero-trust architectures and considering open-source alternatives to avoid single-vendor lock-in in critical infrastructure.

Frequently Asked Questions
How can organizations protect against similar attacks?

Implement zero-trust architecture, network segmentation, and prioritize patching for critical systems.