Oracle PeopleSoft Zero-Day Actively Exploited by ShinyHunters
Oracle released an out-of-band security alert on June 10 for CVE-2026-35273, a critical unauthenticated server-side request forgery to remote code execution (SSRF-to-RCE) vulnerability in PeopleSoft Enterprise PeopleTools. The flaw carries a CVSS score of 9.8 and affects PeopleTools versions 8.61 and 8.62, allowing attackers to gain full control of vulnerable systems without any credentials.
CISA subsequently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. Google's threat analysis confirmed that the ShinyHunters hacking group has been exploiting the zero-day to exfiltrate data from target organizations. ShinyHunters is the same group previously linked to major breaches including the massive Ticketmaster and Santander data thefts.
The vulnerability is particularly dangerous because it requires no authentication — attackers can send crafted HTTP requests directly to exposed PeopleSoft instances and escalate to full system compromise. Organizations running PeopleSoft for HR, finance, or student information systems are at significant risk if the patch has not been applied.
PeopleSoft runs critical HR and finance systems across MENA governments and universities, and patching cycles here are notoriously slow. If you're running PeopleTools 8.61 or 8.62 and haven't applied this patch yet, you're already late — ShinyHunters doesn't wait for quarterly maintenance windows.
What should organizations do about CVE-2026-35273?
Apply Oracle's out-of-band patch immediately if running PeopleSoft PeopleTools 8.61 or 8.62. CISA has confirmed active exploitation by ShinyHunters, making this an urgent priority.