PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data

Ars Technica News

Summary

A critical PeopleSoft zero-day vulnerability is being actively exploited by the ShinyHunters group, compromising hundreds of organizations and stealing gigabytes of data, including 48GB from a single victim.

One of the world’s most active ransomware groups exploited a critical vulnerability in Oracle’s PeopleSoft software suite and used it to target about 100 customers and extort at least one of them to pay up in exchange for not leaking stolen data, researchers said.

The group, tracked as ShinyHunters, had been exploiting the PeopleSoft vulnerability for more than two weeks before Oracle [flagged](https://blogs.oracle.com/security/security-alert-cve-2026-35273-released) it. CVE-2026-35273, as the vulnerability is tracked, carries a severity rating of 9.8 out of 10, making the former zero-day one of the year’s most critical vulnerabilities to be exploited.

Google’s Mandiant security team [said](https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit) it’s an SSRF (server-side request forgery), a vulnerability that allows attackers to send requests from a susceptible server to systems used by the targeted organization. Oracle said the SSRF is remotely exploitable, and the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands.

Cached at: 06/12/26, 08:55 PM

# PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data

Source: [https://arstechnica.com/security/2026/06/peoplesoft-0-day-affecting-hundreds-of-organizations-steals-gigabytes-of-data/](https://arstechnica.com/security/2026/06/peoplesoft-0-day-affecting-hundreds-of-organizations-steals-gigabytes-of-data/)

“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is short for data leak site.)

An analysis of a bash script left in the staging environment shows the attackers performed reconnaissance on compromised organizations, including mapping the PeopleSoft configurations, viewing process scheduler, and WebLogic server XML configurations. Eventually, the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters’ DLS. The stolen data was first compressed using the zstd tool. The DLS claimed to have recovered 48GB of data from a single victim.

[![](https://cdn.arstechnica.net/wp-content/uploads/2026/06/shinyhunters-dls-640x285.png)](https://cdn.arstechnica.net/wp-content/uploads/2026/06/shinyhunters-dls.png)

A partially redacted section of the ShinyHunters’ DLS. Credit: Mandiant

ShinyHunters has been active since at least 2019. Over the past several years, it has executed scores of hacks against some of the world’s largest companies, affecting millions of people downstream. A small sample of victims includes Ticketmaster (through the breach of Snowflake, which hosted the data), Spain’s biggest bank, Santander, and [Salesforce](https://arstechnica.com/information-technology/2025/08/google-sales-data-breached-in-the-same-scam-it-discovered/) (and, through it, Google and, [reportedly](https://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/), many other companies).

ShinyHunters uses various techniques to gain initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other forms of social engineering.

Mandiant and [Rapid7](https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273/) are providing detailed indicators of compromise. They are also advising PeopleSoft customers on the steps they should take immediately. Given ShinyHunters’ success rate, all PeopleSoft users would do well to heed the calls.
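
For defenders, the staging behaviour described above (data compressed with zstd, then an outbound SSH connection to 176.120.22.24) can be turned into a simple host-level hunt. The following is an added example, not code from Ars Technica, Mandiant or Rapid7; the key=value log format, host names, file paths and the six-hour correlation window are assumptions made for illustration.

```python
import re
import shlex
from datetime import datetime, timedelta

DLS_IP = "176.120.22.24"     # DLS address reported in the article
WINDOW = timedelta(hours=6)  # assumed correlation window; tune locally

# Constructed sample events in a hypothetical key=value telemetry format.
SAMPLE_EVENTS = """\
2026-06-01T09:58:03Z host=psapp01 event=exec cmd="zstd -T0 /tmp/stage/hr_export.tar"
2026-06-01T10:04:41Z host=psapp01 event=connect dst=176.120.22.24 dport=22
2026-06-01T10:05:00Z host=psweb02 event=exec cmd="zstd -d /opt/backup/nightly.tar.zst"
2026-06-01T10:06:12Z host=psweb02 event=connect dst=10.0.4.17 dport=22
2026-06-01T23:30:00Z host=psdb03 event=connect dst=176.120.22.24 dport=22
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) (.*)$")

def parse(line):
    """Turn one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, rest = m.groups()
    # shlex keeps the quoted cmd="..." value together as one token.
    fields = dict(t.split("=", 1) for t in shlex.split(rest) if "=" in t)
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                  host=host, event=event)
    return fields

def hunt(text):
    """Return (host, severity) for each SSH connection to the DLS address.

    'high' means the same host ran zstd within WINDOW before connecting;
    'medium' means the connection was seen without a preceding zstd run.
    """
    events = sorted(filter(None, map(parse, text.splitlines())),
                    key=lambda e: e["ts"])
    last_zstd, findings = {}, []
    for ev in events:
        if ev["event"] == "exec":
            argv = ev.get("cmd", "").split()
            if argv and argv[0].rsplit("/", 1)[-1] == "zstd":
                last_zstd[ev["host"]] = ev["ts"]
        elif (ev["event"] == "connect" and ev.get("dst") == DLS_IP
              and ev.get("dport") == "22"):
            seen = last_zstd.get(ev["host"])
            staged = seen is not None and ev["ts"] - seen <= WINDOW
            findings.append((ev["host"], "high" if staged else "medium"))
    return findings

if __name__ == "__main__":
    for host, severity in hunt(SAMPLE_EVENTS):
        print(f"{severity}: {host} opened SSH to {DLS_IP}")
```

Any SSH connection from a PeopleSoft host to that address warrants investigation on its own; the zstd correlation only raises the priority.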
