Oracle has warned customers of a critical PeopleSoft vulnerability, tracked as CVE-2026-35273, being actively exploited by the ShinyHunters extortion group. The flaw, rated CVSS 9.8, allows remote code execution without authentication, posing a severe risk to enterprises relying on PeopleSoft for operations including supply chain and human resources management.
CVE-2026-35273: A Zero-Day Under Active Exploitation
According to Oracle's June 10, 2026 security advisory, the vulnerability is remotely exploitable without authentication and may result in remote code execution. Versions 8.61 and 8.62 of Oracle PeopleSoft are affected. Researchers from Google's Mandiant disclosed that they tracked exploitation of the flaw between May 27 and June 9, 2026, meaning it was used as a zero-day before Oracle released a patch.
ShinyHunters, a known extortion group, is reportedly behind the attacks. The group claims to have compromised more than 100 organizations and exfiltrated data from around 300 PeopleSoft instances. Victims have received ransom demands signed by ShinyHunters threatening to release stolen data unless payment is made. However, one researcher noted the possibility of "a group impersonating them," indicating the attackers may not have taken full credit yet.
Google Mandiant Alerts Over 100 Organizations
Google's Mandiant informed over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Of these, 68% were higher education institutions, and the majority of victims were based in the United States. Mandiant urged organizations to check logs for suspicious access between late May and early June and to apply Oracle's security update regardless of whether an attack has been detected.
| PeopleSoft Version | Status | Recommended Action |
|---|---|---|
| 8.61 | Affected | Apply patch immediately |
| 8.62 | Affected | Apply patch immediately |
Immediate Actions for Oracle PeopleSoft Users
Oracle is urging users to take "immediate action" to apply the security patch. The advisory emphasizes the critical nature of CVE-2026-35273, which carries a CVSS score of 9.8 out of 10. Organizations that have not yet patched should prioritize this update, especially those in sectors like higher education, public sector, and business services.
Mandiant also recommends reviewing access logs for any unauthorized activity from late May 2026 onward. Given the zero-day nature of the exploit, even organizations not yet contacted by Mandiant should assume potential exposure and act swiftly.
Implications for International Trade Operations
While the primary victims reported are academic institutions, enterprises using PeopleSoft for trade-related functions — such as customs compliance, freight management, and supplier portals — are equally at risk. A successful exploit could lead to data exfiltration of sensitive commercial information, including shipping manifests, contract terms, and partner databases. Ransom demands could disrupt operations if payment is withheld or data is leaked.
For international trade executives, this attack highlights the need to verify that enterprise resource planning (ERP) systems are patched and monitored. The vulnerability's remote, unauthenticated nature means that any exposed PeopleSoft instance could be targeted, regardless of geographic location. Companies should coordinate with their IT security teams to confirm patch status and review Mandiant's threat intelligence.
What to Watch
The authenticity of ShinyHunters' involvement remains under investigation, but the exploitation window (May 27–June 9) predates Oracle's patch. Organizations should monitor Mandiant's updates and Oracle's advisory for further intelligence. The next key milestone will be evidence of whether data from trade-related entities has been publicly leaked.
Sources:
