A threat actor group known as ShinyHunters exploited a critical zero-day vulnerability in Oracle PeopleSoft for nearly two weeks before Oracle published its security advisory — and by then, sensitive corporate and employee data from multiple enterprises had already been exfiltrated. CVE-2026-35273, a remote code execution flaw rated 9.8 out of 10 on the CVSS severity scale, is now confirmed patched. But the damage from the two-week window of active exploitation may already be done. Here is what every organization running Oracle PeopleSoft needs to know and do right now.
What Happened: A Two-Week Exploitation Window
According to Google's Mandiant threat intelligence team, ShinyHunters' campaign exploiting CVE-2026-35273 was tracked between May 27 and June 9, 2026. Oracle did not publish its security advisory until June 10 — meaning enterprises were flying blind for nearly two full weeks while attackers actively exploited the flaw in production environments. The vulnerability is categorized as a remote code execution bug in PeopleSoft Enterprise PeopleTools. Rated 9.8 on the CVSS scale, it requires minimal authentication, can be exploited remotely, and grants full system-level access once exploited. ShinyHunters used the exploit to "gain unauthorized access and exfiltrate sensitive corporate and employee data" from targeted organizations, per Mandiant's tracking report. "Enterprise resource planning systems are prime targets," noted analysts at zecurit.com — an observation that extends to SAP, Workday, and any ERP system handling payroll, HR, and financial data. The timing coincides with Microsoft's June 2026 Patch Tuesday, as we covered in our breakdown of the 200-flaw Microsoft update — confirming that enterprise software is being targeted across the board.
Why the Two-Week Delay Is a Systemic Problem
The timeline reveals a structural vulnerability in how enterprise software vendors handle zero-day disclosures. Oracle's standard patch cycle (quarterly Critical Patch Updates) was not designed for the speed at which modern threat actors operate. By the time the June 10 advisory was published, ShinyHunters had already concluded their active campaign. Many security teams operated under the assumption that Oracle's enterprise software was too complex and obscure to be a high-priority target. The PeopleSoft attack demolishes that assumption. ERP systems are treasure troves: employee personal information, payroll records, financial data, and often credentials that enable lateral movement across corporate networks. This pattern — zero-day exploit, weeks of active exploitation, then patch release — is becoming the norm. AI-accelerated vulnerability discovery is outpacing the traditional patch calendar, leaving exposure windows that were not a major concern five years ago.
Who Is ShinyHunters and What Do They Do With Stolen Data?
ShinyHunters is a well-organized threat actor group specializing in large-scale data theft and monetization. Their model: breach high-value targets, exfiltrate databases, then sell stolen data on dark web marketplaces or extort victims directly. Previous ShinyHunters targets include AT&T, Santander Bank, and Ticketmaster, with stolen records appearing for sale within weeks of initial intrusion. Organizations that ran unpatched PeopleSoft systems between May 27 and June 9 should assume potential compromise and initiate incident response immediately. Waiting for confirmation of breach is not a viable strategy when the threat actor's monetization timeline is measured in weeks. As we covered in our AI and enterprise transformation analysis, the same AI tools improving business productivity are enabling more sophisticated threat actors.
Immediate Steps for Oracle PeopleSoft Users
Apply Oracle's June 10 patch for CVE-2026-35273 immediately if not already done — this is non-negotiable. Then audit access logs for unusual activity between May 27 and June 10: look for unexpected outbound data transfers, new administrative account creation, and access from unfamiliar IP ranges. Engage a threat intelligence firm to run indicators of compromise (IoCs) associated with ShinyHunters against your network logs — Mandiant has published these IoCs. Notify your organization's legal and compliance teams, as data exfiltration from PeopleSoft almost certainly involves personal employee data triggering breach notification requirements under GDPR, CCPA, and state-level US data privacy laws.
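As a starting point for the log audit described above, the following added example (not Oracle's or Mandiant's tooling) scans web access logs for requests inside the May 27 to June 10 window that come from unfamiliar networks or return unusually large responses. It assumes Common Log Format lines with UTC-comparable timestamps; the allowlisted networks, the size threshold and the sample lines are constructed, and it does not cover the administrative-account check.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Audit window from the article: May 27 through June 10, 2026 (UTC assumed).
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 11, tzinfo=timezone.utc)  # exclusive bound

# Assumptions: networks expected to reach PeopleSoft, and the response size
# treated as an unusually large transfer. Tune both to your environment.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
LARGE_RESPONSE_BYTES = 50 * 1024 * 1024

# Common Log Format prefix: client, identd, user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
10.20.4.15 - - [26/May/2026:23:59:10 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120
198.51.100.7 - - [26/May/2026:12:00:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120
10.20.4.15 - - [28/May/2026:09:00:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120
198.51.100.7 - - [28/May/2026:02:14:33 +0000] "POST /psp/ps/ HTTP/1.1" 200 734003200
192.0.2.44 - - [10/Jun/2026:23:30:00 +0000] "GET /psp/ps/ HTTP/1.1" 200 104857600
198.51.100.7 - - [11/Jun/2026:00:00:01 +0000] "GET /psp/ps/ HTTP/1.1" 200 5120
""".splitlines()

def audit(lines):
    """Return (line_no, reason, client_ip, bytes_sent) for in-window anomalies."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except (TypeError, ValueError):
            # Unparseable lines are surfaced, not silently dropped.
            findings.append((line_no, "unparsed", None, 0))
            continue
        if not (WINDOW_START <= ts < WINDOW_END):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        if not any(ip in net for net in KNOWN_NETWORKS):
            findings.append((line_no, "unfamiliar_source", str(ip), size))
        if size >= LARGE_RESPONSE_BYTES:
            findings.append((line_no, "large_transfer", str(ip), size))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Findings are leads for review, not proof of compromise; correlate them with the published IoCs before drawing conclusions.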
What This Means for You
If your organization runs Oracle PeopleSoft, apply the CVE-2026-35273 patch today. Then audit May 27-June 9 logs for ShinyHunters' known intrusion patterns. Even if you find no evidence of breach, this incident mandates acceleration of your ERP security program: implement network segmentation around PeopleSoft, require MFA on all admin accounts, and establish a formal process for emergency out-of-band patching when critical zero-days emerge between quarterly windows.
Frequently Asked Questions (FAQs)
Q: What is CVE-2026-35273 in Oracle PeopleSoft?
A: CVE-2026-35273 is a critical remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools, rated 9.8/10 on the CVSS severity scale. It allows attackers to execute code remotely without significant authentication, giving full system-level access to unpatched systems.
Q: Was my Oracle PeopleSoft data stolen?
A: If your organization ran unpatched PeopleSoft systems between May 27 and June 9, 2026, you should assume potential compromise and initiate incident response immediately. Apply the patch, audit your access logs for that period, and check Mandiant's published ShinyHunters IoCs against your network logs.
Q: Who are ShinyHunters and are they dangerous?
A: ShinyHunters is a sophisticated threat actor group with a documented history of large-scale data theft from enterprises including AT&T, Santander Bank, and Ticketmaster. They monetize stolen data through dark web sales or direct extortion. They are considered one of the most active and financially motivated data theft groups operating today.
Q: How do I patch Oracle PeopleSoft for CVE-2026-35273?
A: Apply Oracle's June 10, 2026 out-of-band security advisory patch for CVE-2026-35273 through Oracle's standard patching portal. If you're on a supported PeopleSoft version and subscribed to Oracle's security alerts, you should have received notification. Contact Oracle Support directly if you haven't received the advisory.
Enterprise software security is no longer a slow-moving, quarterly-patch-cycle world. ShinyHunters exploited a 9.8-severity PeopleSoft flaw for 13 days before a fix was available — and that window cost multiple enterprises their most sensitive data. Real-time threat monitoring and the ability to patch out of cycle are now table-stakes capabilities, not optional investments.