Oracle Mitigates Critical Zero-Day in PeopleSoft Suite Exploited by ShinyHunter for Data Theft

Oracle has mitigated a critical zero-day vulnerability in its PeopleSoft Suite, tracked as CVE-2026-35273, which enables unauthenticated remote code execution. The flaw has been actively exploited in data theft attacks attributed to a threat actor known as ShinyHunter. No specific dates for the vulnerability’s discovery or exploitation were provided, though Oracle issued a security notice addressing the issue. The vulnerability affects PeopleSoft applications, which are enterprise resource planning (ERP) systems used by organizations for human resources and financial management. The attacks have resulted in unauthorized data exfiltration, though the exact scope of impacted entities remains undisclosed.