iToverDose/Technology· 12 JUNE 2026 · 21:04

Oracle PeopleSoft zero-day exploited in massive ransomware campaign

A critical PeopleSoft vulnerability, now tracked as CVE-2026-35273, has been actively exploited by the ShinyHunters ransomware group to steal terabytes of data from nearly 100 organizations.

Ars Technica · 2 min read

A recently disclosed zero-day vulnerability in Oracle’s PeopleSoft enterprise software has become the weapon of choice for cybercriminals, allowing attackers to exfiltrate massive amounts of sensitive data from hundreds of organizations before issuing extortion demands.

Ransomware group ShinyHunters leverages critical PeopleSoft flaw

Security researchers at Google’s Mandiant division have identified the ShinyHunters ransomware group as the primary threat actor exploiting an unpatched vulnerability in Oracle’s PeopleSoft suite. The group targeted approximately 100 organizations across multiple sectors, including education and enterprise, for over two weeks before Oracle publicly acknowledged the issue.

The flaw, now tracked as CVE-2026-35273, carries a severity rating of 9.8 out of 10, placing it among the most critical vulnerabilities disclosed in recent years. Experts describe it as a server-side request forgery (SSRF), which enables attackers to send unauthorized requests from a compromised server to internal systems within targeted organizations. This capability allows cybercriminals to bypass security controls and access sensitive data stored on restricted networks.

Extortion demands follow massive data theft

According to Mandiant’s threat intelligence report, victims of the attack are receiving extortion messages demanding payment in exchange for preventing the publication of stolen information. While the exact number of affected organizations remains undisclosed, sources say multiple victims have confirmed receiving ransom notes following the compromise.

Oracle has issued an interim mitigation guide to help administrators reduce exposure while the company develops a permanent patch. The tech giant has emphasized that the vulnerability is remotely exploitable without requiring user interaction, significantly increasing the risk of widespread attacks. Despite the urgency, a full patch has not yet been released as of this reporting.

Immediate mitigation steps for affected organizations

Security teams are urged to implement the following measures immediately to reduce the risk of exploitation:

  • Apply Oracle’s temporary mitigation measures as outlined in the security alert.
  • Review outbound network traffic from PeopleSoft servers for signs of unauthorized requests.
  • Isolate PeopleSoft environments from other corporate networks to contain potential breaches.
  • Conduct forensic analysis to determine if data exfiltration has already occurred.
  • Monitor for extortion attempts, particularly in sectors frequently targeted by ransomware groups.
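One way to approach the outbound-traffic review in the second item, as an added example that is not taken from Oracle's alert or Mandiant's report: the script flags connections that PeopleSoft servers originate to destinations outside an expected set, which is where SSRF-driven requests tend to show up. The log format, host addresses, allowlist and byte threshold are all constructed assumptions.

```python
import ipaddress

# Assumed inventory (constructed): addresses of the PeopleSoft web/app servers.
PEOPLESOFT_HOSTS = {"10.20.0.11", "10.20.0.12"}
# Assumed allowlist (constructed): (destination, port) pairs these servers should call.
ALLOWED = {("10.20.1.5", 1521), ("10.20.1.9", 389)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log lines: "timestamp src dst dport bytes_out"
SAMPLE_LOG = """\
2026-06-01T02:14:07Z 10.20.0.11 10.20.1.5 1521 48211
2026-06-01T02:14:09Z 10.20.0.11 169.254.169.254 80 612
2026-06-01T02:15:30Z 10.20.0.12 10.40.7.20 8080 1033
2026-06-01T02:16:02Z 10.20.0.12 203.0.113.50 443 734003200
2026-06-01T02:16:40Z 10.30.0.8 10.40.7.20 8080 900
"""

def classify(dst):
    """Bucket a destination address by where an unexpected request would land."""
    ip = ipaddress.ip_address(dst)
    if ip.is_link_local:
        return "link-local/metadata"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "internal"
    return "external"

def review(log_text, large_bytes=100_000_000):
    """Return (ts, src, dst, dport, reason) for PeopleSoft-originated flows off the allowlist."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, dport, sent = parts
        if src not in PEOPLESOFT_HOSTS or (dst, int(dport)) in ALLOWED:
            continue  # not a PeopleSoft server, or an expected dependency
        kind = classify(dst)
        reason = f"unexpected {kind} destination"
        if kind == "external" and int(sent) >= large_bytes:
            reason += ", large outbound transfer"
        findings.append((ts, src, dst, int(dport), reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```
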

The evolving nature of this threat highlights the critical importance of rapid patch management and proactive threat hunting. As cybercriminals increasingly target enterprise software vulnerabilities, organizations must prioritize both prevention and rapid response to mitigate potential damage.

With no official patch yet available, the cybersecurity community continues to monitor the situation closely, anticipating further developments as Oracle accelerates its remediation efforts.

AI summary

The CVE-2026-35273 vulnerability in Oracle PeopleSoft is being exploited by ShinyHunters. 100+ organizations were affected and gigabytes of data were stolen. Has Oracle released an emergency fix?
