Oracle Issues Emergency Guidance as PeopleSoft Flaw Linked to Widespread Data Theft
A critical security vulnerability in Oracle’s PeopleSoft software has been linked to a large cyber campaign that may have affected more than 100 organizations, prompting urgent warnings from Oracle and cybersecurity investigators.
Oracle issued a security alert for CVE-2026-35273, a critical vulnerability affecting PeopleSoft PeopleTools versions 8.61 and 8.62. The company said the flaw can be exploited remotely and does not require authentication, meaning attackers can potentially execute malicious code without valid credentials.
Oracle has provided mitigation guidance and urged customers to take immediate action. The company characterized implementation of those protections as a high-priority measure to reduce risk exposure.
The advisory followed reports that the ShinyHunters cybercrime group has been exploiting the vulnerability in attacks against organizations running PeopleSoft environments. PeopleSoft is widely used by enterprises, universities and governments to manage functions like HR, payroll, finance and campus administration.
Google-owned cybersecurity firm Mandiant said it notified more than 100 organizations worldwide that may have been exposed during the campaign. Most of the affected entities were located in the US, and more than two-thirds were colleges and universities.
Mandiant is advising organizations to disable or remove vulnerable PeopleSoft Environment Management components where possible and closely monitor outbound network traffic for connections to unknown internet destinations.
According to Mandiant, attackers targeted PeopleSoft servers between late May and early June. Some organizations blocked the activity or remediated vulnerable systems before data was taken. Others suffered breaches that resulted in stolen data being posted on infrastructure associated with the attackers.
One confirmed victim is the University of Nottingham, which disclosed that a substantial amount of student-related information was compromised. The university said the incident is under criminal investigation and that it is working with the platform provider and law enforcement authorities.
Exploitation of the Environment Management Component
Researchers linked the attacks to exploitation of the Environment Management component within PeopleSoft. The vulnerability carries a severity score of 9.8, placing it among the most serious software security issues.
Attackers reportedly deployed customized MeshCentral agents disguised as legitimate cloud services to maintain access to compromised environments. Security researchers noted that this technique can make malicious activity harder to detect because the software resembles legitimate remote management tools.
Reports from multiple security firms indicate the attackers focused on large numbers of internet-facing PeopleSoft systems. Researchers at Censys identified roughly 40 publicly accessible PeopleSoft hosts worldwide, describing that figure as a conservative estimate.
The attackers claimed they targeted roughly 300 PeopleSoft instances belonging to more than 100 organizations. They also asserted that both previously known vulnerabilities and newly discovered weaknesses were used during the campaign.
The campaign follows a pattern established by ShinyHunters in previous attacks against organizations that shared common software platforms. The group has repeatedly sought access to centralized business applications, stolen data from multiple victims, and then used the information as leverage in extortion attempts.
