The ShinyHunters ransomware group exploited a critical zero-day vulnerability in Oracle’s PeopleSoft software to target approximately 100 organizations. The attackers stole gigabytes of data and are currently issuing extortion demands to victims. Oracle has released a temporary mitigation, but the company has yet to provide a full patch for the security flaw.
Key details
- The vulnerability, tracked as CVE-2026-35273, carries a critical severity rating of 9.8 out of 10.
- It is a server-side request forgery (SSRF) flaw that lets remote attackers make a vulnerable server send requests to other internal systems.
- ShinyHunters exploited the vulnerability for over two weeks before Oracle officially flagged the issue.
- Google’s Mandiant team confirmed that victims are receiving demands for payment, with at least one organization already paying a ransom.
Why it matters
This exploit targets the administrative core of large institutions, where sensitive payroll, financial, and personnel records reside. Because PeopleSoft is a central hub for enterprise data, the SSRF flaw allows attackers to move laterally through internal networks that are usually walled off from the public internet. The delay between initial exploitation and Oracle’s response gave ShinyHunters a significant window to exfiltrate data from high-value targets in the education and corporate sectors. Organizations must implement the stopgap mitigation to defend against ongoing extortion attempts while waiting for a permanent fix from Oracle.
Read the full story at Ars Technica
