vulnerabilities · jun 12, 2026 · 19:54 utc

CVE-2026-35273: Oracle PeopleSoft Zero-Day Exploited

CVE-2026-35273 enables unauthenticated RCE in Oracle PeopleSoft. ShinyHunter exploits this zero-day to steal HR/payroll data. Emergency patch available.

by Emanuel De Almeida

TL;DR

  • Critical zero-day CVE-2026-35273 allows unauthenticated remote code execution in Oracle PeopleSoft Suite
  • ShinyHunter threat group actively exploits this flaw to steal sensitive HR, payroll, and financial records
  • Oracle released emergency mitigations through support channels; on-premises customers face highest risk
  • Immediate action required: contact Oracle Support, audit logs, isolate PeopleSoft systems from broader networks
  • Organizations in healthcare and education sectors face increased regulatory exposure under GDPR and HIPAA

What Is CVE-2026-35273?

CVE-2026-35273 is a critical zero-day vulnerability in Oracle's PeopleSoft Suite that enables unauthenticated remote code execution. The flaw requires no authentication, works remotely, and grants full code execution on affected systems. Oracle has confirmed active exploitation and released emergency mitigations, according to BleepingComputer.

The vulnerability poses a severe threat to organizations running PeopleSoft for human resources, finance, and supply chain management. Sensitive employee data, payroll information, and corporate records face immediate risk. This attack pattern mirrors other recent enterprise zero-days, including the Check Point VPN zero-day exploited by Qilin ransomware.

![Diagram showing CVE-2026-35273 attack flow from unauthenticated web request to PeopleSoft server compromise and data exfiltration](peoplesoft-cve-2026-35273-attack-flow-diagram.png)

Why Is PeopleSoft a High-Value Target?

PeopleSoft handles some of the most sensitive data any organization possesses. Oracle acquired the platform in 2005, and it remains a cornerstone ERP solution deployed across thousands of organizations worldwide.

Major universities, government agencies, and Fortune 500 companies rely on PeopleSoft daily. The software typically stores payroll information, social security numbers, banking details, and confidential HR records. A single breach can expose millions of individuals. Similar high-value targets have drawn attention from sophisticated threat actors, as seen in Windows Hyper-V elevation of privilege attacks.

Who Is ShinyHunter?

ShinyHunter has established itself as one of the most prolific data theft operations in recent years. The group steals massive datasets and either sells them on dark web marketplaces or uses them for extortion. Their targeting of PeopleSoft signals a strategic shift toward enterprise systems.

Previous high-profile ShinyHunter breaches include attacks against Ticketmaster, AT&T, and Microsoft. They consistently monetize stolen data within days of exfiltration. Similar threat actor sophistication appeared in the Microsoft Exchange Server zero-day attacks.

How Does the CVE-2026-35273 Exploit Work?

The vulnerability appears to reside in PeopleSoft's web-facing components. Oracle has not disclosed complete technical details to prevent further exploitation. However, the unauthenticated nature suggests a flaw in input validation or authentication bypass within the PeopleTools framework.

Remote code execution vulnerabilities of this severity typically allow attackers to execute arbitrary commands with application server privileges. This enables lateral movement throughout corporate networks. Attackers can then access connected databases containing sensitive records, a pattern documented in CVE-2025-0282 affecting Ivanti Connect Secure. Organizations should review network segmentation strategies to limit post-exploitation movement.

Which PeopleSoft Versions Are Affected?

Oracle has not publicly disclosed all affected versions. Contact Oracle Support directly to confirm whether your specific PeopleSoft and PeopleTools versions are vulnerable. On-premises installations face the highest risk because they require manual patching, while cloud-hosted instances may already have server-side mitigations applied.

| Component | Status | Risk Level | Action Required |
|---|---|---|---|
| PeopleSoft Cloud Hosted | Server-side mitigations applied | Moderate | Verify with Oracle Support |
| PeopleSoft On-Premises | Emergency patch available | Critical | Apply immediately |
| PeopleTools Framework | Affected | Critical | Update per Oracle advisory |
| Connected Databases | Potentially exposed | High | Audit access logs |

Customers running on-premises installations must manually apply patches or workarounds. Oracle is actively working with affected customers through support channels.

What Are the Compliance Risks for CVE-2026-35273?

Organizations affected by CVE-2026-35273 face potential regulatory penalties under multiple frameworks. The implications extend far beyond immediate data theft into sustained legal and financial consequences.

GDPR violations can result in fines up to 4% of annual global revenue, as specified in GDPR Article 83. Healthcare organizations face HIPAA breach notification requirements, which mandate notifying HHS within 60 days for breaches affecting 500 or more individuals.

PeopleSoft's prevalence in healthcare and education sectors increases regulatory exposure significantly. A breach exposing student records triggers FERPA obligations. When we reviewed similar incidents, organizations that delayed response faced compounded penalties. The Windows OLE remote code execution vulnerability created comparable compliance challenges for affected enterprises.

How Can Organizations Protect Against This Threat?

Organizations running PeopleSoft should take immediate action. Time matters because ShinyHunter monetizes stolen data quickly, often within days of initial compromise.

Priority actions:

  1. Contact Oracle Support immediately to obtain emergency patches or mitigations
  2. Audit access logs for signs of unauthorized access or unusual query patterns
  3. Isolate PeopleSoft systems from the broader network where possible
  4. Implement additional authentication layers in front of web-facing components
  5. Monitor dark web channels for any indication that organizational data has been compromised

Security teams should treat this as a critical incident. Consider reviewing your patch management processes using lessons from June 2024 Patch Tuesday, which addressed multiple zero-days simultaneously. The Google Chrome zero-day patching process also offers a model for rapid response.

How Do I Check for CVE-2026-35273 Compromise?

Start by reviewing authentication logs for your PeopleSoft web components. Look for failed login attempts, unusual source IP addresses, and access patterns outside normal business hours. Large data exports or atypical query volumes often indicate active exfiltration.

Log analysis priorities:

  • Unusual authentication attempts against PeopleSoft web components
  • Large data exports or atypical query volumes
  • New user accounts or privilege escalations
  • Outbound connections to unfamiliar IP addresses
  • File system changes in PeopleSoft installation directories

If you detect suspicious activity, preserve logs before taking remediation steps. Engage incident response resources and consider legal counsel given the regulatory implications. Organizations that experienced Windows CLFS driver elevation attacks found that early log preservation proved critical for forensic analysis.
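The log review described above (and in step 2 of the priority actions) can be scripted. The following is an added example, not code from the original article or from Oracle: it parses constructed, common-log-format access lines of the kind a PeopleSoft web tier might emit and flags the indicators this section names: access from unfamiliar source addresses, activity outside business hours, bursts of failed authentication, and unusually large responses that may indicate a bulk export. The trusted address ranges, business-hours window, thresholds and the PeopleSoft-style URL paths in the sample lines are all assumptions chosen for illustration.

```python
"""Triage of PeopleSoft web-tier access logs for the indicators listed in the article.

Sample log lines, address ranges, business hours and thresholds below are constructed
for illustration; tune them to the environment before using the script on real logs.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Common-log-style line: client - user [timestamp] "METHOD path HTTP/x" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Assumptions (not from the advisory): corporate address space, working hours, thresholds
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 in the log's timezone, Monday to Friday
FAILED_AUTH_THRESHOLD = 5            # 401/403 responses from one client before we flag it
LARGE_RESPONSE_BYTES = 5_000_000     # a single response above 5 MB is treated as a possible export

# Constructed sample: one normal user session, a burst of failed logons from an external
# address followed by a large download, one late-night admin request, and a corrupt line.
SAMPLE_LOG = """\
10.1.4.22 - jdoe [10/Jun/2026:09:15:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18422
10.1.4.22 - jdoe [10/Jun/2026:09:16:40 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_PAYSLIP.GBL HTTP/1.1" 200 9120
203.0.113.77 - - [10/Jun/2026:03:02:11 +0000] "GET /psp/ps/signon.html HTTP/1.1" 401 512
203.0.113.77 - - [10/Jun/2026:03:02:19 +0000] "GET /psp/ps/signon.html HTTP/1.1" 401 512
203.0.113.77 - - [10/Jun/2026:03:02:27 +0000] "GET /psp/ps/signon.html HTTP/1.1" 401 512
203.0.113.77 - - [10/Jun/2026:03:02:35 +0000] "GET /psp/ps/signon.html HTTP/1.1" 403 512
203.0.113.77 - - [10/Jun/2026:03:02:44 +0000] "GET /psp/ps/signon.html HTTP/1.1" 401 512
203.0.113.77 - - [10/Jun/2026:03:05:30 +0000] "POST /psc/ps/EMPLOYEE/HRMS/q/?ICAction=ICQryNameURL=PUBLIC.PAY_EXPORT HTTP/1.1" 200 7340032
10.1.9.8 - psadmin [10/Jun/2026:22:47:03 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 200 2048
### log rotated, partial line ###
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_trusted(ip):
    """True when the client address falls inside one of the assumed corporate ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # not an IP literal at all: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def triage(lines):
    """Return (indicator, client_ip, detail) findings for the given log lines."""
    findings = []
    failed_auth = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", "-", line.strip()))
            continue
        if not is_trusted(rec["ip"]):
            findings.append(("untrusted_source", rec["ip"], rec["path"]))
        if is_off_hours(rec["ts"]):
            findings.append(("off_hours", rec["ip"], rec["ts"].isoformat()))
        if rec["status"] in (401, 403):
            failed_auth[rec["ip"]] += 1
        if rec["bytes"] >= LARGE_RESPONSE_BYTES:
            findings.append(("large_response", rec["ip"], f'{rec["bytes"]} bytes from {rec["path"]}'))
    # Burst detection is per client over the whole input, so it is reported after the scan.
    for ip, n in failed_auth.items():
        if n >= FAILED_AUTH_THRESHOLD:
            findings.append(("failed_auth_burst", ip, f"{n} authentication failures"))
    return findings


def summarize(findings):
    """Count findings per indicator so a reviewer can see the shape of the activity at a glance."""
    return Counter(indicator for indicator, _, _ in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for indicator, ip, detail in results:
        print(f"{indicator:18} {ip:15} {detail}")
    print(dict(summarize(results)))
```

On the constructed sample the script reports the external address six times as an untrusted source, seven off-hours requests, one failed-authentication burst, one large response on the export URL, and one unparseable line. In practice the same findings would be fed into the ticketing or SIEM workflow rather than printed, and the preserved raw lines, not the summary, are what the forensic record should retain.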

ShinyHunter Tactics and Mitigation Priority Matrix

| Tactic | Description | Mitigation Priority | Recommended Control |
|---|---|---|---|
| Initial Access | Exploit CVE-2026-35273 via web components | Critical | Apply Oracle emergency patch |
| Credential Access | Harvest stored credentials from PeopleSoft DB | High | Rotate all service account passwords |
| Data Exfiltration | Bulk export of HR/payroll records | High | Enable data loss prevention monitoring |
| Lateral Movement | Pivot to connected systems using harvested creds | High | Segment PeopleSoft from core network |
| Persistence | Create new admin accounts | Medium | Audit user accounts daily |

FAQ

What is CVE-2026-35273 and why is it critical?

CVE-2026-35273 is a critical zero-day vulnerability in Oracle PeopleSoft Suite that allows unauthenticated remote code execution. Attackers can exploit this flaw without any credentials to execute arbitrary commands on affected servers, potentially accessing all data stored in connected PeopleSoft databases. Oracle confirmed active exploitation by the ShinyHunter threat group, which has a documented history of monetizing stolen enterprise data within days. Organizations should treat this as an emergency because the combination of unauthenticated access and remote code execution represents the most severe vulnerability classification possible.

Is my PeopleSoft version affected by CVE-2026-35273?

Oracle has not publicly disclosed all affected versions to prevent further exploitation details from reaching attackers. Contact Oracle Support directly to confirm whether your specific PeopleSoft and PeopleTools versions are vulnerable and to receive appropriate patches. On-premises installations face the highest risk because they require manual patching and configuration changes, while cloud-hosted instances may already have server-side mitigations applied automatically. Oracle is prioritizing support for customers with confirmed vulnerable configurations, so early contact ensures faster remediation assistance.

How do I check if my organization has been compromised by ShinyHunter?

Review access logs for unusual authentication attempts, large data exports, or atypical query patterns that deviate from established baselines. Check for new user accounts created after the vulnerability disclosure date or unexpected privilege changes to existing accounts. Monitor outbound network connections from PeopleSoft servers to identify potential data exfiltration channels. Preserve all logs before beginning remediation and engage incident response resources if you detect suspicious activity, as evidence preservation is critical for both forensic analysis and potential regulatory reporting requirements.

What data could ShinyHunter have stolen from PeopleSoft systems?

PeopleSoft typically stores highly sensitive information including social security numbers, payroll data, direct deposit banking details, employee home addresses, performance reviews, and confidential HR disciplinary records. Financial modules may contain vendor payment information, corporate accounting data, and procurement records with supplier banking details. The exact exposure depends on which PeopleSoft modules your organization uses and how data retention policies were configured. ShinyHunter has historically sold complete database dumps on dark web marketplaces, meaning all accessible data should be considered potentially compromised.

What regulatory notifications are required after a CVE-2026-35273 breach?

Organizations may face notification requirements under GDPR, HIPAA, FERPA, and various state privacy laws depending on the data types exposed and the residency of affected individuals. Healthcare organizations must notify HHS within 60 days for breaches affecting 500 or more individuals under HIPAA breach notification rules. GDPR requires notification to supervisory authorities within 72 hours of becoming aware of a personal data breach. Consult legal counsel immediately to determine your specific obligations, as failure to meet notification deadlines can result in additional penalties separate from the breach itself.

source: www.bleepingcomputer.com
