Oracle warns customers of critical PeopleSoft attack after hundreds of servers hacked by apparent ShinyHunters data theft attacks


  • ShinyHunters likely behind the CVE-2026-35273 attack on Oracle’s PeopleSoft
  • Versions 8.61 and 8.62 affected, users urged to take “immediate action”
  • Google’s Mandiant informed over 100 organizations

Oracle PeopleSoft servers, used by universities, businesses and public sector organizations, are being targeted in a new attack by extortion group ShinyHunters, researchers have revealed.

The attackers claim to have compromised more than 100 organizations, and exfiltrated data from around 300 PeopleSoft instances, by exploiting a vulnerability tracked as CVE-2026-35273.

Victims have reportedly received demands signed by ShinyHunters threatening to release stolen data unless a ransom is paid. Another researcher added that it could be “a group impersonating them,” implying the group has not yet claimed responsibility for the attacks.

Oracle PeopleSoft customers vulnerable to attacks and ransom demands

“This vulnerability is remotely exploitable without authentication,” Oracle added in a June 10 security advisory. “If successfully exploited, this vulnerability may result in remote code execution.”

Separately, researchers from Google’s Mandiant said they were tracking the “critical remote code execution vulnerability,” which carries a CVSS score of 9.8, between May 27 and June 9, 2026. “Because this activity predates Oracle’s June 10, 2026 advisory, the vulnerability was exploited as a zero-day,” the researchers added.

Oracle is urging users to take “immediate action” to apply the patch, which fixes versions 8.61 and 8.62.

Besides Oracle’s advisory, Google says it alerted over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Two-thirds (68%) of them were higher education institutions, and most of the victims were also based in the US.


Mandiant urges users to check logs for suspicious access between late May and early June, and to apply Oracle’s security update regardless of whether or not they’ve been attacked.

Via BleepingComputer

