PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data

The ransomware group ShinyHunters exploited a critical zero-day vulnerability, tracked as CVE-2026-35273, in Oracle's PeopleSoft software suite to target approximately 100 customers. This vulnerability, rated 9.8 out of 10 in severity, allowed attackers to perform server-side request forgery (SSRF), enabling them to send requests from a compromised server to internal systems of targeted organizations. ShinyHunters utilized this exploit for over two weeks before Oracle officially acknowledged the flaw. Google's Mandiant security team confirmed that victims are now receiving extortion demands, with at least one customer already targeted for data exfiltration. Oracle has provided a temporary mitigation but has not yet released a full patch for the SSRF vulnerability, which is remotely exploitable. The exploitation has resulted in the theft of gigabytes of data from affected organizations.
Original source: Ars Technica.