Critical PeopleSoft Flaw Exploited by Notorious Ransomware Gang: What You Need to Know

If you run Oracle’s PeopleSoft software in your organization, you need to pay attention to what’s happening right now.

A security flaw in PeopleSoft so serious it’s been given a near-perfect severity score has been actively exploited by one of the world’s most aggressive ransomware groups. And here’s the particularly uncomfortable part: the attackers were at it for more than two weeks before Oracle even flagged the vulnerability.

The vulnerability, tracked as CVE-2026-35273, carries a severity rating of 9.8 out of 10. That’s as bad as it gets. Security researchers at Google’s Mandiant team confirmed it’s an SSRF, or server-side request forgery, which essentially lets attackers send requests from a vulnerable server to other systems within the target’s network. Oracle has issued a temporary mitigation but has yet to deliver a full patch.

Who’s Behind This?

The group exploiting this flaw goes by the name ShinyHunters. If that sounds familiar, it should. These folks have been running wild across the internet since at least 2019, hitting some pretty big names. We’re talking Ticketmaster, Santander (Spain’s biggest bank), and Salesforce, which in turn exposed data from Google and numerous other companies. They’ve stolen OAuth tokens, exploited cloud misconfigurations, run supply chain attacks, and yes, they’ve also been known to use old-fashioned social engineering.

They’ve been at it again since May 27, and according to Mandiant, they’ve targeted roughly 300 endpoints belonging to around 100 organizations. Here’s something that should make university IT administrators lose sleep: about 68 percent of the victims were in higher education.

The University of Nottingham confirmed just this week that it was one of those victims. A “significant” amount of student data ended up in ShinyHunters’ hands, and the group made good on its threat to leak it. The group claimed to have taken 48GB of data from a single victim. That’s not small change.

How Did This Happen?

The attackers left behind a staging server that gave researchers a pretty clear picture of what they were up to. A bash script left in that environment showed the attackers mapping out PeopleSoft configurations, poking around process scheduler settings, and digging into WebLogic server XML configurations. Eventually, they established an outbound SSH connection to an IP address hosting ShinyHunters’ data leak site. The stolen data was compressed using the zstd tool before being exfiltrated.
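As an added illustration (not code from the article, Mandiant, Rapid7 or Oracle), the Python below scans constructed process-execution records for the three-stage pattern described above: enumeration of PeopleSoft and WebLogic configuration files, zstd compression, and an outbound SSH session to a non-internal address from the same account on the same host. The hostnames, account names, file paths and the 203.0.113.10 address are assumed placeholders, not indicators from the advisories.

```python
"""Flag hosts where one account enumerated PeopleSoft/WebLogic config,
ran zstd, and opened SSH to an external IP (the chain the article describes)."""
import ipaddress
import re

# Constructed sample events (host, user, command line); not real telemetry.
# Config paths are illustrative PeopleSoft/WebLogic locations, not from the article.
EVENTS = [
    ("ps-app01", "psadm", "bash /tmp/recon.sh"),
    ("ps-app01", "psadm", "cat /opt/psft/appserv/APPDOM/psappsrv.cfg"),
    ("ps-app01", "psadm", "cat /opt/psft/prcs/PRCSDOM/psprcs.cfg"),
    ("ps-app01", "psadm", "grep -r ListenPort /opt/psft/webserv/peoplesoft/config/config.xml"),
    ("ps-app01", "psadm", "zstd -19 -T0 /tmp/dump.tar -o /tmp/dump.tar.zst"),
    ("ps-app01", "psadm", "ssh -p 443 user@203.0.113.10"),  # placeholder address
    ("ps-app02", "psadm", "cat /opt/psft/appserv/APPDOM/psappsrv.cfg"),  # read alone is routine
    ("build01", "jenkins", "zstd -q artifacts.tar"),  # build host: no recon, no ssh
]

# Internal ranges: anything outside these counts as an external destination.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]
CONFIG_RE = re.compile(r"(psappsrv\.cfg|psprcs\.cfg|webserv/.*config\.xml)")
ZSTD_RE = re.compile(r"\bzstd\b")
SSH_RE = re.compile(r"\bssh\b.*?(\d{1,3}(?:\.\d{1,3}){3})")


def is_external(ip):
    """True when the address is parseable and not in a listed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def detect(events):
    """Return sorted (host, user) pairs where all three stages were observed."""
    stages = {}
    for host, user, cmd in events:
        seen = stages.setdefault((host, user), set())
        if CONFIG_RE.search(cmd):
            seen.add("config_recon")
        if ZSTD_RE.search(cmd):
            seen.add("zstd_compress")
        m = SSH_RE.search(cmd)
        if m and is_external(m.group(1)):
            seen.add("external_ssh")
    return sorted(k for k, seen in stages.items() if len(seen) == 3)


if __name__ == "__main__":
    print(detect(EVENTS))
```

Requiring all three stages keeps a lone config read or a build server's zstd run from alerting; in production the same logic would be applied per time window rather than over the whole log.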

Here’s what makes this particular episode so frustrating: the attackers were essentially waving a flag for weeks. Mandiant noted that the group “exposed several directories revealing ongoing targeting of PeopleSoft” and even left a staging server sitting there with their tools exposed. Some organizations caught it and blocked the activity. Others weren’t so lucky.

What Should PeopleSoft Users Do?

Mandiant and Rapid7 have published detailed indicators of compromise, and they’re urging PeopleSoft customers to take immediate action. Given ShinyHunters’ track record of successfully extorting victims, this isn’t the kind of thing you want to sleep on.

The frustrating reality is that we’re dealing with a vulnerability that was being actively exploited while Oracle was presumably working on a fix. That’s the nature of zero-day exploits, but it doesn’t make it any less alarming for organizations that are suddenly in the crosshairs.

If your organization runs PeopleSoft, now would be a very good time to check those Mandiant and Rapid7 advisories. The window between a vulnerability being discovered and one of these groups exploiting it keeps getting shorter, and the consequences keep getting bigger.

Written by

Adam Makins

I’m a published content creator, brand copywriter, photographer, and social media content creator and manager. I help brands connect with their customers by developing engaging content that entertains, educates, and offers value to their audience.