PeopleSoft zero-day hit 100 organisations, Mandiant says
PeopleSoft zero-day CVE-2026-35273 was exploited for two weeks before disclosure, with universities making up most victims.

Oracle’s PeopleSoft customers are dealing with a critical flaw that attackers had already been using for more than two weeks before it was disclosed publicly, according to Google’s Mandiant threat-intelligence team. Mandiant tied the activity to ShinyHunters and said about 100 organisations were affected, with universities prominent among the victims.
Google’s Threat Intelligence Group said it saw activity from 27 May to 9 June 2026 that was consistent with exploitation of CVE-2026-35273 in PeopleSoft Environment Management. Higher education accounted for 68 per cent of affected organisations. That matters because PeopleSoft and similar ERP systems sit behind payroll, student records, finance and identity workflows, making even an obscure-looking component valuable to attackers.
Oracle described the issue as a critical, unauthenticated vulnerability that could lead to remote code execution. In an Oracle security alert, the company gave CVE-2026-35273 a CVSS v3.1 base score of 9.8 and told customers to apply the mitigation in its advisory.
“This vulnerability has a CVSS v3.1 Base Score of 9.8. If successfully exploited, this vulnerability may result in remote code execution.”
— Oracle Security
Oracle’s note did not name ShinyHunters. Mandiant did.
The two accounts are not identical, but they are both useful for defenders. Mandiant described the campaign as exploitation of a server-side request forgery condition in PeopleSoft Environment Management, while Oracle’s alert framed the bug in terms of remote-code-execution risk. In practice, security teams need both views: the vendor severity rating and the threat-intelligence account of how the flaw was used.
Ars Technica reported that attackers targeted more than 300 internet-facing endpoints across roughly 100 organisations. In one case, they claimed to have taken 48GB of data, the report said. The figures point to a campaign built around theft and pressure on victims, well beyond proof-of-concept scanning.
ShinyHunters has been linked to earlier large-scale data-theft and extortion campaigns. The group told BleepingComputer the intrusion path involved a “gadget chain” combining older flaws with the zero-day. For defenders, that detail is uncomfortable but familiar: one new vulnerability can become much more useful when older exposure is still sitting on the edge of the network.
For Australian universities and large enterprises, the PeopleSoft case is less about one vendor and more about exposure management around business systems that are hard to take offline. A two-week exploitation window gives attackers time to map internet-facing instances, test working exploit chains and start stealing data before many organisations have finished triaging the advisory.
Oracle customers should review the security alert, apply the mitigation and check PeopleSoft environments for indicators matching Mandiant’s write-up. Teams that cannot patch immediately should reduce internet exposure, examine access logs covering late May and early June, and treat unexplained PeopleSoft activity as a potential data-theft event until ruled out.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.

