Critical PeopleSoft Zero-Day Vulnerability Exploited by ShinyHunters Ransomware Group

A critical vulnerability in Oracle’s PeopleSoft software suite has been actively exploited by a ransomware group known as ShinyHunters. This group targeted around 100 customers, with at least one organization confirmed to have paid an extortion fee to prevent the leaking of stolen data.

The vulnerability, identified as CVE-2026-35273, was exploited for over two weeks before Oracle acknowledged the issue. It has been assigned a severity rating of 9.8 out of 10, making it one of the most critical vulnerabilities exploited this year.

Google’s Mandiant security team identified the flaw as a server-side request forgery (SSRF). This type of vulnerability enables attackers to send requests from a susceptible server to internal systems used by the targeted organization. Oracle confirmed that the SSRF is remotely exploitable.

Victims have reportedly received extortion demands from ShinyHunters. While Oracle has provided a temporary mitigation to address the issue, a comprehensive patch for the critical flaw has not yet been fully released.

According to Ars Technica, researchers stated that gigabytes of data were stolen as a result of these exploits.