Oracle has issued a security alert to customers about a critical vulnerability affecting PeopleSoft environments after the notorious threat actor ShinyHunters claimed it used a previously unknown flaw to compromise over 100 entities.
The vulnerability CVE-2026-35273 is in Oracle PeopleSoft PeopleTools, and has a CVSS score of 9.8/10. “Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution,” the alert read.
ShinyHunters said they exploited a zero-day vulnerability in Oracle PeopleSoft systems to gain access to customer environments and steal sensitive data.
Oracle released guidance for customers, while stating there is no evidence of a compromise of Oracle Cloud infrastructure.
According to researchers and response teams, the alleged attacks were aimed at customer-managed PeopleSoft installations, and not Oracle Cloud services. It has encouraged companies using impacted applications to conduct configuration reviews, deploy security updates, and check for any signs of intrusion.
“We consider implementation of the recommended mitigations to be a high-priority risk reduction measure and strongly recommend immediate action to address the identified exposure. Oracle always recommends that customers remain on actively-supported versions and apply all Critical Patch Updates, Critical Security Patch Updates and Security Alerts without delay.”
John Carberry, Solution Sleuth, at Xcape Inc, says: “This campaign marks a critical shift as complex Enterprise Resource Planning (ERP) applications, long protected by operational obscurity, are now being targeted with automated, industrial-scale zero-day exploitation. The active weaponization of CVE-2026-35273 demonstrates that ShinyHunters can effortlessly bypass perimeter defenses to achieve unauthenticated remote code execution, exposing central repositories of institutional, financial, and payroll data.”
He says security leaders must look past Oracle’s assurance regarding cloud infrastructure and realize that customer-managed environments running PeopleTools versions 8.61 or 8.62 are under active siege.
“Organizations must treat this as a high-priority incident response action: immediately deploy the prescribed perimeter network mitigations, strictly audit outbound server traffic for rogue command-and-control protocols like MeshCentral, and force a rotation of core application service credentials stored within local server configuration files.”
Carberry offers several takeaways:
- Perimeters are completely bypassed: The vulnerability allows unauthenticated remote code execution over HTTP or HTTPS via the Environment Management component, rendering traditional boundary defenses useless without immediate virtual patching or endpoint isolation.
- Inspect the process scheduler: Post-compromise activity involves targeted automated scripts extracting database connection secrets from local configuration files, specifically psappsrv.cfg, necessitating comprehensive credential rotation.
- Audit outbound traffic: Defenders must analyze firewall logs and NetFlow data for unusual outbound SMB or SSH connections, paying particular attention to unauthorized MeshCentral management utility agents masquerading as legitimate cloud endpoints.
“It is a good thing Oracle spent decades establishing its complex licensing model, because it certainly did not spend that time adding basic authentication to its core application management endpoints,” he ended.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.