SUMMARYShinyHunters exploited a critical zero-day in Oracle PeopleSoft, tracked as CVE-2026-35273, to target about 100 customers and steal data from multiple organizations. Google’s Mandiant identified the flaw as a remotely exploitable server-side request forgery issue, and Oracle issued a stopgap mitigation while a full patch remains pending. Victims have received extortion demands, including at least one organization pressured not to have its stolen data leaked.
One of the world’s most active ransomware groups exploited a critical vulnerability in Oracle’s PeopleSoft software suite and used it to target about 100 customers and extort at least one of them to pay up in exchange for not leaking stolen data, researchers said.
The group, tracked as ShinyHunters, had been exploiting the PeopleSoft vulnerability for more than two weeks before Oracle flagged it. CVE-2026-35273, as the vulnerability is tracked, carries a severity rating of 9.8 out of 10, making the former zero-day one of the year’s most critical vulnerabilities to be exploited.
Google’s Mandiant security team said it’s an SSRF (server-side request forgery), a vulnerability that allows attackers to send requests from a susceptible server to systems used by the targeted organization. Oracle said the SSRF is remotely exploitable, and the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands.