ShinyHunters Exploit Critical Oracle PeopleSoft 0-Day, Threaten Hundreds of Organizations

June 13, 2026 Lisa Park Tech
Original source: arstechnica.com

A ransomware group known as ShinyHunters exploited a critical vulnerability in Oracle’s PeopleSoft software suite, targeting approximately 100 organizations and extorting at least one of them into paying a ransom to prevent the release of stolen data, according to researchers. The flaw, tracked as CVE-2026-35273, carries a severity rating of 9.8 out of 10, making it one of the most severe vulnerabilities to be actively exploited this year.

The attack, identified by Google’s Mandiant security team, leveraged a server-side request forgery (SSRF) flaw in Oracle’s PeopleSoft, allowing attackers to send malicious requests from a compromised server to internal systems within the targeted organizations. Oracle confirmed the vulnerability is remotely exploitable and has issued a temporary mitigation, but a full patch remains pending. Mandiant reported that victims are receiving extortion demands, though the exact financial impact of the attacks has not been disclosed.

The ShinyHunters group, which has previously targeted enterprise software systems, appears to have exploited the vulnerability for over two weeks before Oracle publicly acknowledged it. The flaw’s high severity rating underscores its potential to enable widespread data breaches, as SSRF vulnerabilities can grant attackers access to internal networks, sensitive databases, and other critical infrastructure. Researchers noted that the attackers stole gigabytes of data from affected organizations, though the specific industries or geographic regions impacted remain unclear.

Oracle’s response to the vulnerability has drawn scrutiny. While the company provided a stopgap mitigation, it has not yet released a permanent fix, leaving users exposed to potential further exploitation. A statement from Oracle’s security team emphasized that the mitigation “significantly reduces the risk” of exploitation but acknowledged the need for a full patch. The delay in addressing the flaw highlights ongoing challenges in balancing rapid response with thorough testing for enterprise software.

The incident adds to a growing list of high-profile zero-day exploits targeting enterprise systems. In 2023, similar vulnerabilities in Microsoft Exchange and Fortinet’s FortiOS software led to large-scale breaches, prompting calls for faster patching processes. Security experts warned that the ShinyHunters attack underscores the risks of relying on legacy systems, particularly those with long deployment cycles like PeopleSoft. “Organizations must prioritize continuous monitoring and proactive threat hunting,” said a Mandiant spokesperson.

The attack also raises questions about the broader implications for enterprise cybersecurity. SSRF vulnerabilities, while not new, remain a persistent threat due to their ability to bypass traditional perimeter defenses. Researchers at Mandiant noted that the ShinyHunters group’s use of this specific flaw suggests a targeted approach, potentially focusing on organizations with outdated software or insufficient internal security controls.

As of June 12, 2026, Oracle has not provided a timeline for releasing a full patch. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging organizations to apply the available mitigation and monitor for signs of exploitation. The incident serves as a reminder of the evolving tactics used by ransomware groups, which increasingly combine data theft with extortion to maximize financial gain.

For now, affected organizations are advised to review their PeopleSoft configurations, apply Oracle’s recommended mitigation, and conduct security audits to identify potential exposure. The case also highlights the need for greater transparency from software vendors in disclosing and addressing critical vulnerabilities. As one cybersecurity analyst noted, “The speed at which these flaws are exploited often outpaces the industry’s ability to respond, leaving users vulnerable until patches are released.”
