Massive data theft follows zero-day flaw in Oracle PeopleSoft

June 12, 2026 at 10:34 PM

•

1 min read

Massive data theft follows zero-day flaw in Oracle PeopleSoft — Photo: Ars Technica

TL;DR Summary

A critical PeopleSoft zero-day (CVE-2026-35273) was exploited by the ShinyHunters ransomware group to target about 100 organizations, stealing gigabytes of data and pressuring victims for ransom. The flaw is a remotely exploitable SSRF vulnerability, and Oracle has issued mitigations but not a full patch yet. Roughly 68% of affected entities are in higher education, including the University of Nottingham, with attackers mapping configurations and exfiltrating data to a data-leak site, where some victims’ data was published; Mandiant and Rapid7 are providing IOCs and remediation guidance.

Topics:business #cve-2026-35273 #data-breach #peoplesoft #shinyhunters #ssrf #technology

Share this article

PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data Ars Technica
Oracle warns of security bug that hackers abused to breach 100+ companies TechCrunch
Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert Help Net Security
Colleges hit in cyberattack by group behind Canvas breach, Google says Yahoo
ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day The Register

Reading Insights

Total Reads

Unique Readers

Time Saved

4 min

vs 5 min read

Condensed

90%

867 → 85 words

Want the full story? Read the original article

Read on Ars Technica

JavaScript Required

tl;dr daily news requires JavaScript to be enabled. Please enable JavaScript in your browser settings.

Related Sources

Reading Insights