Using this flaw, the threat actor allegedly stole data from 300 instances belonging to over 100 organizations.
CVE-2026-35273: the vulnerability Oracle has warned about
Oracle published an advisory describing a critical zero-day in Oracle PeopleSoft PeopleTools tracked as CVE-2026-35273. The advisory states the flaw is "remotely exploitable without authentication" and that "If successfully exploited, this vulnerability may result in remote code execution." Oracle assigned a CVSS base score of 9.8 to the vulnerability and confirmed it affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Oracle said it has released emergency mitigations to address the flaw and that a patch is coming soon.
ShinyHunters data-theft wave tied to the zero-day
BleepingComputer reported that the extortion group ShinyHunters was exploiting a PeopleSoft zero-day to breach instances and steal data, a claim the outlet later identified as CVE-2026-35273. According to BleepingComputer, the PeopleSoft attacks left ransom notes purportedly from ShinyHunters. The outlet reported that ShinyHunters confirmed to them it was behind these attacks and claimed to use a "gadget chain" of old and zero-day flaws to breach PeopleSoft instances.
BleepingComputer describes ShinyHunters as "a well-known threat actor that commonly breaches cloud SaaS instances, CRMs, and enterprise platforms that host large volumes of corporate data." After gaining access to an instance, the group downloads the data and demands a ransom to prevent its public leak. BleepingComputer also noted ShinyHunters' links to prior attacks against Snowflake, Salesforce, and third-party integration providers over the past year.
Confirmation and competing statements about active exploitation
Oracle has not stated in its advisory that the vulnerability is actively exploited. BleepingComputer reported the ShinyHunters exploitation and later concluded that the PeopleSoft zero-day it described is CVE-2026-35273. Charles Carmakal, CTO at Mandiant - Google Cloud, confirmed on LinkedIn that CVE-2026-35273 is actively exploited and stated that Oracle released mitigations for the flaw. BleepingComputer has reached out to Oracle with questions regarding this vulnerability and the attacks but has not received a response.
Indicators: IP addresses published by a researcher
Cybersecurity researcher "Michael R" found several exposed online directories containing attack-related tooling and shared IP addresses that BleepingComputer reports were used in the attacks. The addresses listed are:
- 142.11.200[.]186
- 142.11.200[.]187
- 142.11.200[.]188
- 142.11.200[.]189
- 142.11.200[.]190
- 108.174.202[.]99
- 176.120.22[.]24
If you are running Oracle PeopleSoft, BleepingComputer's reporting "strongly advised" analyzing logs for any connections from the above IP addresses to determine whether you were targeted in these attacks.
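As an added example (not code from the reporting or from Oracle), the following Python script refangs the indicator list above and scans a web server access log for requests from those addresses. The log lines are constructed sample data, and the Common Log Format layout is an assumption about how the front-end web server in front of PeopleSoft writes its access log.

```python
import re
from collections import defaultdict

# Defanged indicators exactly as published in the reporting.
DEFANGED_IPS = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190", "108.174.202[.]99",
    "176.120.22[.]24",
]

def refang(indicator: str) -> str:
    """Turn a defanged address (a.b.c[.]d) back into a matchable IP string."""
    return indicator.replace("[.]", ".")

IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Common Log Format: client IP, ident, user, [timestamp], "METHOD path proto", status.
CLF = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines, iocs=IOC_IPS):
    """Return ({ip: [(timestamp, method, path, status), ...]}, unparsed_lines).

    Lines that do not parse are returned separately rather than silently
    treated as clean, so an analyst can see what the regex did not cover.
    """
    hits, unparsed = defaultdict(list), []
    for line in lines:
        m = CLF.match(line)
        if not m:
            unparsed.append(line)
            continue
        if m["ip"] in iocs:
            hits[m["ip"]].append((m["ts"], m["method"], m["path"], m["status"]))
    return dict(hits), unparsed

# Constructed sample log lines (not real traffic); the /psp and /psc paths are
# assumed PeopleSoft Pure Internet Architecture style URLs, not observed ones.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2026:09:14:02 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120
142.11.200.188 - - [02/Apr/2026:09:15:44 +0000] "POST /psc/ps/EMPLOYEE/HRMS/q/ HTTP/1.1" 200 88311
this line is not in Common Log Format and must be reported, not dropped
176.120.22.24 - - [02/Apr/2026:09:16:10 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 404 312
"""

if __name__ == "__main__":
    found, bad = scan_access_log(SAMPLE_LOG.splitlines())
    for ip, reqs in found.items():
        print(f"{ip}: {len(reqs)} request(s), first at {reqs[0][0]}")
    print(f"{len(bad)} line(s) could not be parsed")
```

If PeopleSoft sits behind a load balancer or reverse proxy, the true client address is usually carried in an X-Forwarded-For field rather than the first column, so the regex must be adjusted to that log layout before the results mean anything.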
What this means for Oracle PeopleSoft administrators, affected enterprises, and incident responders
Oracle PeopleSoft administrators and security teams should confirm whether their instances are running PeopleTools versions 8.61 or 8.62, apply the emergency mitigations Oracle has published, and prepare to install the forthcoming patch when it becomes available. The advisory's language that the vulnerability is "remotely exploitable without authentication" underscores the urgency of those steps.
Affected enterprises and incident response teams should search logs for the IP addresses published by the researcher and look for signs consistent with data exfiltration and ransom notes tied to ShinyHunters, as reported by BleepingComputer. The outlet's reporting that data was allegedly stolen from 300 instances across more than 100 organizations frames the potential scale of impact.
Threat intelligence analysts and defenders should incorporate Charles Carmakal's public confirmation and the researcher-provided indicators into ongoing monitoring and sharing, while noting that Oracle itself has not publicly stated active exploitation in its advisory.
Oracle has pushed emergency mitigations and announced a patch is coming soon; meanwhile, BleepingComputer's reporting and third-party confirmations make clear that organizations running PeopleSoft need to move rapidly to check versions, apply mitigations, and search logs for the listed IPs. The record in public reporting ends with mitigations in place and a promised patch — and with the concrete question that remains in the field: will the forthcoming patch arrive before more instances are compromised?