Oracle Warns PeopleSoft Customers After Critical Zero-Day Exploited

Oracle issued an emergency advisory for CVE-2026-35273, a critical zero-day flaw in PeopleSoft versions 8.61 and 8.62 that has already been exploited by attackers linked to ShinyHunters. The campaign targeted over 100 organizations, 68% of them in the education sector. The vulnerability allows unauthenticated remote code execution, prompting Oracle to urge immediate mitigation and to advise customers to assume potential compromise of affected systems.

Oracle has warned customers of a critical zero-day vulnerability, CVE-2026-35273, in its PeopleSoft enterprise resource planning (ERP) software, versions 8.61 and 8.62. The flaw enables unauthenticated remote code execution (RCE), allowing attackers to compromise vulnerable systems. The vulnerability has a CVSS base score of 9.8, classified as critical, with evidence suggesting exploitation occurred before public disclosure.

Google Threat Intelligence Group and Mandiant researchers confirmed active exploitation between May 27 and June 9, with the campaign targeting universities, businesses, and other large institutions. The vulnerability was disclosed on June 10, with Oracle issuing an emergency advisory and mitigation guidance.

Researchers attribute the attacks to ShinyHunters, a group known for targeting third-party vendors and stealing sensitive data. Google alerted over 100 organizations, 68% of which were in the education sector, indicating a primary focus on universities and colleges. ShinyHunters previously breached Canvas, a widely used learning management platform, in May. The group’s tactics involve data theft and ransom demands, raising concerns about potential follow-up extortion attempts.

Organizations using PeopleSoft should assume compromise and take immediate action, including reviewing logs and investigating suspicious activity. Oracle’s advisory emphasizes the urgency of patching or applying mitigations to prevent further attacks. The scope of the campaign remains under investigation, but initial findings suggest widespread targeting across industries.