Oracle has issued an out-of-band advisory for a critical vulnerability in PeopleSoft that allows unauthenticated remote code execution, amid reports of the ShinyHunters hacker group exploiting this and other vulnerabilities to target over 300 PeopleSoft instances across various organizations. While Oracle has provided mitigations, no full patch has been released, and the company has not confirmed whether this vulnerability has been actively exploited.
Oracle has issued an urgent advisory for a critical PeopleSoft vulnerability (CVE-2026-35273) that allows remote code execution, stressing immediate implementation of mitigations due to potential exploitation by the ShinyHunters group. Given the absence of a full patch, it's crucial for organizations using PeopleSoft to prioritize these mitigations and review their security posture against potential chained attacks involving zero-day vulnerabilities.