PeopleSoft Software Vulnerability Allows Remote Code Execution

June 12, 2026 Ahmed Hassan Business
Original source: pymnts.com

Oracle issued a security alert on June 10, 2026, regarding a critical vulnerability (CVE-2026-35273) in PeopleSoft PeopleTools that allows unauthenticated remote code execution. Mandiant and Google Threat Intelligence Group (GTIG) reported an active extortion campaign targeting over 100 organizations, with 68% of victims in the U.S. higher education sector.

What is the Oracle PeopleSoft vulnerability?

The vulnerability, identified as CVE-2026-35273, exists in Oracle PeopleSoft PeopleTools and affects Oracle PeopleSoft Enterprise Applications. According to the June 10 security alert, the flaw is remotely exploitable without authentication, meaning attackers can execute code on a target system without needing valid login credentials.

Oracle described the implementation of recommended mitigations as a high-priority risk reduction measure. The company urged customers to remain on actively supported software versions and apply all Critical Patch Updates and Security Alerts without delay.

The company’s warning came as attackers were already using the exploit. While Oracle focused on technical mitigation, Mandiant and GTIG reported that the vulnerability had already been weaponized for financial gain.

Which organizations are affected by the breach?

Mandiant and GTIG detailed an active compromise and extortion campaign in a blog post published June 11, 2026. The two firms notified more than 100 global organizations that were potentially vulnerable to the exploit.

The impact was concentrated in the United States. According to Mandiant and GTIG, 68% of the affected organizations were within the higher education sector.

TechCrunch reported on June 11 that the hacking group involved claimed to have breached more than 100 organizations that run PeopleSoft servers.

What data was stolen in the attacks?

Evidence of the breach appeared before Oracle’s security alert. Mandiant and GTIG found stolen organizational files leaked on a hacking group’s website on June 9, 2026.

The hacking group claimed to have accessed a variety of sensitive financial and personal records. These claims, shared via a post on the group’s website and cited by Mandiant and GTIG, included the theft of:

  • Billing and payment records
  • Credit card and payment details
  • Student finance data
  • Other sensitive organizational data

How does this fit into recent cyberattack trends?

The PeopleSoft exploit follows a series of large-scale data breaches targeting corporate and cloud infrastructure. In April 2026, toymaker Hasbro reported a breach that forced the company to take several systems offline for several weeks.

Earlier in the year, in February 2026, a hacking group posted 12.4 million customer records stolen from the car shopping site CarGurus. These incidents mirror a pattern of extortion-based attacks seen in late 2025.

In October 2025, a hacking group claimed to have stolen 1 billion records from cloud databases hosted by Salesforce. That group attempted to extort both Salesforce and the specific companies whose data had been compromised.

The current PeopleSoft campaign differs by specifically targeting the higher education sector, leveraging a vulnerability in enterprise resource planning (ERP) software to gain access to student and financial records.

Oracle continues to advise all PeopleSoft users to apply the June 10 security patches immediately to prevent further unauthorized remote code execution.
