Oracle has addressed a critical zero-day vulnerability in its PeopleSoft Suite, tracked as CVE-2026-35273. The flaw allows unauthenticated remote code execution and has been actively exploited in data theft attacks by the ShinyHunters group. It affects PeopleTools versions 8.61 and 8.62, and Oracle has released emergency mitigations while a patch is forthcoming.
The flaw carries a CVSS score of 9.8. For immediate protection, restrict access to the vulnerable endpoints, review logs for suspicious activity, and inspect systems for signs of compromise, such as unauthorized webshells or modified XML files.