PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data

Key Points:

• The ransomware group ShinyHunters exploited a critical Oracle PeopleSoft vulnerability (CVE-2026-35273) with a severity rating of 9.8, targeting about 100 customers and extorting at least one for ransom to prevent data leaks.
• The vulnerability is an SSRF (server-side request forgery) flaw that allows attackers to send requests from a compromised server to internal systems; Oracle issued a mitigation but has not fully patched the issue.
• The University of Nottingham confirmed a data breach after ShinyHunters published gigabytes of stolen student data, highlighting that 68% of targeted organizations are in the higher education sector.
• ShinyHunters has been exploiting this vulnerability since May 27, compromising roughly 300 endpoints and leaving behind tools and scripts used for reconnaissance and data exfiltration.
• The group, active since 2019, has a history of high-profile attacks using various methods, prompting security firms Mandiant and Rapid7 to issue detailed indicators of compromise and urgent mitigation advice for PeopleSoft users.