A critical zero-day vulnerability, identified as CVE-2026-35273, has been discovered in Oracle PeopleSoft PeopleTools, posing a significant security threat as it is currently being exploited. This flaw, which allows remote code execution without requiring authentication, affects PeopleTools versions 8.61 and 8.62, and potentially older versions. Oracle has issued an urgent security alert, although it remains unclear if a patch is available, as access to the relevant document is restricted to customers with support accounts.
In a related development, the cyber extortion group ShinyHunters has claimed responsibility for breaching Oracle PeopleSoft servers, impacting over 100 organizations, primarily educational institutions. Among the affected entities is the University of Nottingham, which has acknowledged a cyber incident involving the theft of personal and academic data of nearly half a million students. The attackers reportedly exploited a combination of old and zero-day vulnerabilities.
Investigations have revealed exposed directories and tools used in these attacks, with evidence suggesting the attackers possess extensive knowledge of PeopleSoft systems. A list of IPs and domains linked to the attacks has been shared to aid PeopleSoft administrators in identifying potential compromises.
