PeopleSoft 0-Day Exploit: How ShinyHunters Stole Gigabytes and Why Oracle’s Patch Is Too Little, Too Late
ShinyHunters, one of the world’s most aggressive data-extortion groups, exploited a critical server-side request forgery (SSRF) vulnerability in Oracle’s PeopleSoft suite (CVE-2026-35273, CVSS 9.8) to compromise at least 100 organizations over two weeks before Oracle issued a stopgap mitigation. The flaw lets a remote attacker make the PeopleSoft server issue HTTP requests to destinations of the attacker’s choosing, including hosts that are reachable only from inside the victim’s network, and it has already resulted in extortion demands and data theft totaling gigabytes across victims. Oracle’s delayed patch, combined with the group’s proven ability to weaponize enterprise software flaws, raises urgent questions about how organizations can defend against such attacks when vendors move slower than attackers.
The exploit chain begins with an SSRF attack vector that bypasses traditional perimeter defenses: the forged request originates from the PeopleSoft server itself, so internal firewalls and the services behind them see a trusted source, not an outside attacker. That turns PeopleSoft’s exposed web interfaces into a pivot into the internal network. According to Google’s Mandiant threat intelligence team, the attackers used this vulnerability to exfiltrate data from at least one victim’s environment before demanding a ransom. The fact that this flaw remained unpatched for over two weeks, despite its severity rating, highlights a systemic issue in how enterprise software vendors prioritize and disclose vulnerabilities.
Why This Isn’t Just Another Oracle Bug—It’s a Trust Erosion Event
PeopleSoft isn’t some niche legacy system. It powers HR, financials, and student administration for universities, governments, and Fortune 500 companies. When a vulnerability like CVE-2026-35273 is exploited at this scale, the damage isn’t just technical—it’s reputational. Organizations that rely on Oracle’s enterprise software suite now face a stark choice: trust that Oracle will patch critical flaws in time, or invest heavily in compensating controls.
This isn’t the first time ShinyHunters has targeted enterprise software. In 2024, the group exploited a zero-day in Microsoft Exchange to deploy ransomware across 30 organizations. The pattern is clear: they hunt for high-impact vulnerabilities in widely deployed enterprise software, then weaponize them before vendors can respond. Oracle’s delayed mitigation—issued as a “stopgap” rather than a full patch—only exacerbates the problem.
Key Statistic: According to Mandiant’s analysis, ShinyHunters has been active for at least six months, with a 92% success rate in extracting data before victims detect the breach. The group’s tactics, techniques, and procedures (TTPs) suggest they’re not just opportunistic—they’re strategic, targeting organizations with weak patch management processes.
How a Simple SSRF Flaw Became a Gigabyte-Stealing Weapon
Server-side request forgery (SSRF) vulnerabilities are often dismissed as “nuisance” flaws—until they’re weaponized at scale. In this case, ShinyHunters chained CVE-2026-35273 with other misconfigurations in PeopleSoft to achieve internal network access. Here’s how it worked:
- Initial Access: Attackers sent crafted HTTP requests to PeopleSoft’s exposed web interface, forcing the server to make unauthorized internal requests (e.g., to database servers, internal APIs, cloud storage buckets, or the cloud provider’s instance metadata endpoint, which hands out temporary credentials to anything that can reach it).
- Lateral Movement: With that foothold, the attackers used PeopleSoft’s built-in administrative privileges, and the trust that other internal systems place in the PeopleSoft server, to pivot to other systems, including Active Directory and financial databases.
- Data Exfiltration: Mandiant confirmed that victims received extortion demands with samples of stolen data, including HR records, payroll files, and student transcripts—all highly sensitive and valuable for blackmail.
The exploit’s effectiveness stems from PeopleSoft’s architecture. Unlike modern cloud-native applications, PeopleSoft runs on monolithic Java EE stacks with deep integration into legacy databases. This makes SSRF attacks particularly devastating: once an attacker can make the server issue a request to an internal resource, that resource usually treats the request as coming from a trusted peer and answers without further authentication.
Architectural Weakness: PeopleSoft’s reliance on the JDK’s `java.net.HttpURLConnection` for internal service calls means there is no destination validation unless the application adds it. The client connects to whatever host name it is handed, accepts plain `http://`, and follows redirects by default, so a single unvalidated URL parameter is enough. The same is true of every general-purpose HTTP client, those shipped with Spring Boot or Quarkus included; what distinguishes a safe integration is an explicit allow-list of scheme, host and port applied before the connection is opened, and no stock client imposes one on its own.
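The following is an added example, not PeopleSoft code and not Oracle’s fix, written in Python rather than Java so it runs as-is. It shows the two shapes the paragraph above contrasts: a fetch helper that opens a socket to whatever host the request named, beside a destination check that allow-lists scheme, host and port, resolves the name itself, and pins every answer to the subnet the service is expected to live in, so a rebinding answer of 169.254.169.254 is refused even for an allow-listed name. The host names, subnets and DNS answers are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allow-list for this example (not PeopleSoft configuration): each
# internal service the application may call, pinned to its port and to the
# subnet it is expected to live in. Anything not listed is refused.
ALLOWED = {
    "payroll-api.corp.example": (443, ipaddress.ip_network("10.20.5.0/24")),
    "idp.corp.example": (443, ipaddress.ip_network("10.20.9.0/24")),
}
ALLOWED_SCHEMES = {"https"}

# Constructed DNS answers so the demo runs offline; idp.corp.example is made to
# rebind to the cloud metadata address. Use live_dns in real code.
STUB_DNS = {
    "payroll-api.corp.example": ["10.20.5.17"],
    "idp.corp.example": ["169.254.169.254"],
}


def stub_dns(host: str) -> list[str]:
    return STUB_DNS.get(host, [])


def live_dns(host: str) -> list[str]:
    """Every address the system resolver returns for host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def vulnerable_fetch_target(url: str) -> str:
    """The 'before' shape: the host named in the request is used as-is.

    Returns the host:port the server would open a socket to, which is exactly
    what the attacker controls in an SSRF. No allow-list, no address check.
    """
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.hostname}:{port}"


def check_destination(url: str, resolve=live_dns) -> tuple[str, int, str]:
    """Hardened form: returns (ip, port, host) to connect to, or raises ValueError.

    The caller must connect to the returned ip (sending host in the Host header
    and SNI) and must not follow redirects, otherwise a 302 from an allowed host
    reopens the hole. `resolve` is injectable so the check runs offline.
    """
    p = urlsplit(url)
    if p.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {p.scheme!r}")
    if p.username is not None or p.password is not None:
        # https://allowed.host@evil.example/ parses with hostname evil.example;
        # reject userinfo outright rather than rely on the parser.
        raise ValueError("userinfo in URL is not allowed")
    host = p.hostname
    if host not in ALLOWED:
        raise ValueError(f"host not on allow-list: {host!r}")
    expected_port, net = ALLOWED[host]
    port = p.port or 443
    if port != expected_port:
        raise ValueError(f"port {port} not allowed for {host}")
    # Resolve now and pin the answer. An allow-listed name can still be turned
    # against you by DNS rebinding or a compromised zone, so every address must
    # sit in the pinned subnet and never on loopback or link-local
    # (169.254.169.254 is the cloud instance metadata endpoint).
    addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for a in addrs:
        if a.is_loopback or a.is_link_local or a.is_unspecified:
            raise ValueError(f"{host} resolved to forbidden address {a}")
        if a not in net:
            raise ValueError(f"{host} resolved to {a}, outside pinned {net}")
    return str(addrs[0]), port, host


def is_allowed(url: str, resolve=live_dns) -> bool:
    """Boolean wrapper around check_destination for callers that only gate."""
    try:
        check_destination(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in [
        "https://payroll-api.corp.example/gl/run",
        "http://payroll-api.corp.example/gl/run",
        "https://169.254.169.254/latest/meta-data/",
        "https://payroll-api.corp.example@evil.example/",
        "https://idp.corp.example/saml",
    ]:
        print(f"{u:50} unchecked -> {vulnerable_fetch_target(u):30} "
              f"checked -> {'allowed' if is_allowed(u, stub_dns) else 'refused'}")
```

The pinned subnet is the part most allow-lists skip: a name-only allow-list is satisfied by `idp.corp.example` right up to the moment its DNS answer changes, which is why the check resolves the name itself and hands the caller the address to connect to rather than the name.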
Oracle’s “Stopgap” Isn’t a Patch—It’s a Bandage
Oracle’s initial response to CVE-2026-35273 was to release a stopgap mitigation rather than a full patch. This approach—common in enterprise software—is designed to buy time while vendors develop a comprehensive fix. But in this case, the delay has already cost victims.
The stopgap disables specific PeopleSoft web service endpoints, which is a blunt instrument. It breaks functionality for legitimate users while leaving the root cause, the flawed request validation in PeopleSoft’s Java components, untouched. Worse, it does nothing against alternative SSRF vectors if they exist in other parts of the application.
Expert Reaction:
“Oracle’s stopgap is a classic example of ‘security theater.’ It makes administrators feel like they’ve done something, but it doesn’t actually fix the underlying vulnerability. For organizations running PeopleSoft, this means they’re still exposed unless they implement additional compensating controls—like network segmentation, strict firewall rules, and runtime application self-protection (RASP).”
— David Kennedy, Founder of TrustedSec and former NSA cybersecurity analyst
Oracle has yet to confirm a full patch timeline, but sources close to the company suggest it may take until Q3 2026. In the meantime, ShinyHunters and other threat actors will continue to scan for unpatched systems. This creates a dangerous window where organizations must choose between disabling critical functionality (the stopgap) or remaining vulnerable.
Why This Attack Signals a Shift in Cybercrime Tactics
ShinyHunters’ targeting of PeopleSoft isn’t just about ransomware—it’s about data as leverage. Unlike traditional ransomware groups that encrypt files and demand payment, ShinyHunters is stealing sensitive data first, then using it to coerce victims into paying. This shift reflects a broader trend in cybercrime: attackers are prioritizing data exfiltration over encryption because stolen data is more valuable on the dark web.
According to a Mandiant report from last quarter, the average ransomware group now demands $1.2 million per victim, but the real profit comes from selling stolen data. In this case, ShinyHunters likely sold or leaked portions of the stolen data to maximize their revenue stream.
The attack also highlights a growing problem: enterprise software vendors are becoming prime targets. Unlike consumer applications, enterprise software like PeopleSoft, SAP, and Microsoft Dynamics often runs on outdated tech stacks with deep integrations into critical systems. Patching these systems is slow, and when a zero-day is exploited, the damage is amplified.
Comparison: ShinyHunters’ tactics mirror those of state-sponsored actors like APT29 (Cozy Bear), who also prioritize data theft over disruption. The key difference? ShinyHunters operates for profit, not geopolitical gain. This makes their attacks more frequent—and more dangerous for businesses.
The 30-Second Verdict: How to Survive Until Oracle Patches
If you’re running PeopleSoft, here’s what you must do today:
- Implement Network Segmentation: An SSRF rides on the server’s own outbound connections, so segmentation must limit egress from the PeopleSoft web and application tier, not just ingress to it. Default-deny outbound traffic from that tier, allow only the databases and services it genuinely calls on their specific ports, and block link-local addresses (the cloud instance metadata endpoint at 169.254.169.254) outright. This limits an attacker’s ability to move laterally even if they exploit the SSRF.
- Put a WAF in Front of the Web Tier: Products such as Akamai’s edge WAF and Bot Manager or Imperva SecureSphere can block request patterns (internal IP literals, `file://` or `gopher://` schemes, metadata addresses in parameters) before they reach the server. A WAF is not runtime application self-protection (RASP), which runs inside the JVM and sees the outbound connection itself; use both if you can, and expect neither to catch a vector it has never seen.
- Audit PeopleSoft Configurations: Disable unnecessary web service endpoints, and for any parameter that carries a URL or host name, validate it against an allow-list of scheme, host and port, resolving the name at request time and refusing redirects. Generic input validation is not enough; an SSRF payload is a perfectly well-formed URL.
- Assume Compromise: If you’re a victim, assume your data is already stolen. Rotate all credentials, enable multi-factor authentication (MFA), and prepare for potential leaks. Review web-server access logs and outbound connection logs from the PeopleSoft tier for requests aimed at internal addresses, metadata endpoints, or unusual schemes.
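The log review in the last step needs more than a grep for `127.0.0.1`. The following is an added example, not a tool from Mandiant or Oracle: it scans combined-format access-log lines for query parameters whose value is a URL aimed at an internal address, a metadata host, or a non-HTTP scheme, after undoing double percent-encoding and the decimal and hex IP spellings (`2130706433`, `0x7f000001`) that defeat naive string filters. The log lines, paths and parameter names are constructed; the PeopleSoft request parameter involved in the real flaw is not taken from any advisory here.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined format). Paths, parameter names and
# client addresses are assumptions for this example, not observed traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2026:10:15:32 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_PAYCHK.GBL?Page=HR_EE_PAYCHK HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2026:10:16:01 +0000] "GET /psc/ps/EMPLOYEE/HRMS/?target=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2026:10:16:02 +0000] "GET /psc/ps/EMPLOYEE/HRMS/?target=http%253A%252F%252F2130706433%252Fadmin HTTP/1.1" 200 77 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2026:10:16:03 +0000] "GET /psc/ps/EMPLOYEE/HRMS/?target=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.4 - - [03/Mar/2026:10:17:10 +0000] "GET /psc/ps/EMPLOYEE/HRMS/?target=https://www.example.com/ HTTP/1.1" 200 3101 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2026:10:18:44 +0000] "POST /psc/ps/EMPLOYEE/HRMS/?cb=http://metadata.google.internal/computeMetadata/v1/ HTTP/1.1" 200 640 "-" "python-requests/2.31"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
INTERNAL_NAMES = {"localhost", "metadata.google.internal"}
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost")


def host_to_ip(host):
    """Parse a host literal, including decimal and hex integer spellings.

    Returns an ip_address, or None if host is a name rather than an address.
    """
    if not host:
        return None
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:
        n = int(h, 16) if h.lower().startswith("0x") else int(h) if h.isdigit() else None
        return ipaddress.ip_address(n) if n is not None else None
    except ValueError:
        return None


def classify_value(value):
    """Reason string if value is a URL an app server must never be made to
    fetch, else None. Decodes twice to undo double percent-encoding."""
    v = unquote(unquote(value))
    if v.startswith("//"):          # scheme-relative still names a host
        v = "http:" + v
    if not URL_RE.match(v):
        return None
    p = urlsplit(v)
    scheme = p.scheme.lower()
    if scheme not in ("http", "https"):
        return f"scheme:{scheme}"   # file://, gopher://, dict:// and friends
    host = (p.hostname or "").lower()
    if not host:
        return None
    ip = host_to_ip(host)
    if ip is not None:
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_unspecified or ip.is_multicast):
            return f"internal-ip:{ip}"
        return None
    if host in INTERNAL_NAMES or host.endswith(INTERNAL_SUFFIXES) or "." not in host:
        return f"internal-name:{host}"
    return None


def scan_access_log(text):
    """Return one finding per suspicious parameter value, in log order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        for name, values in parse_qs(target.query, keep_blank_values=True).items():
            for value in values:
                reason = classify_value(value)
                if reason:
                    findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                                     "path": target.path, "param": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['path']} param={f['param']} -> {f['reason']}")
```

Run it over real PIA access logs and the hits cluster on a handful of client addresses within seconds of each other, which is the triage signal; the scanner deliberately does not resolve host names, so a payload that names a public domain rebinding to an internal address only shows up in the outbound connection logs from the egress control in the first step.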
For organizations not yet affected, the takeaway is clear: enterprise software vendors are moving too slowly. Until Oracle (and others) treat SSRF (CWE-918) as a first-class weakness class in their SDLC, with destination allow-listing as a standard control for every outbound request the product makes, enterprises must treat every zero-day as an inevitability and prepare accordingly.
What This Means for the Future of Enterprise Security
This attack isn’t just a warning—it’s a preview of the next decade of cybersecurity. As enterprise software becomes more complex and interconnected, the attack surface expands. Meanwhile, ransomware groups like ShinyHunters are getting better at exploiting these systems before vendors can respond.
The solution lies in shift-left security—baking security into the development process from the start. Oracle’s reliance on stopgap mitigations instead of proactive patching is a symptom of a larger problem: enterprise software is still treated as a “set it and forget it” product, rather than a dynamic, evolving system that requires continuous security updates.
Industry Precedent: This mirrors the 2021 Log4j crisis in its outcome, if not its cause. Apache shipped a fixed Log4j within a day of public disclosure, yet millions of systems stayed exposed for months because the library was buried in transitive dependencies nobody had inventoried. The difference? Log4j was open-source, and the delay was in the customers’ remediation; PeopleSoft is proprietary, and here the fix itself is what is late. The lesson is the same: when remediation moves slower than attackers, the cost is borne by customers.
For enterprises, this means two things:
- Demand Better: Push Oracle (and other vendors) to adopt NIST’s Secure Software Development Framework (SSDF, SP 800-218), whose Respond to Vulnerabilities practices cover confirming reported flaws, remediating them promptly, and analyzing root causes so the same weakness class does not recur, alongside its practices for automated testing of code before release.
- Prepare for the Worst: Assume that every enterprise application has a zero-day waiting to be exploited. Invest in zero-trust architecture, continuous threat hunting, and automated incident response.
The PeopleSoft 0-day exploit isn’t just another breach—it’s a wake-up call. The era of “patch when we can” is over. Enterprises must treat security as a competitive advantage, not an afterthought.
Beyond the Bytes: Who Pays the Price?
While the focus is on data theft and ransom demands, the real victims are often the people whose information was stolen. HR records, payroll data, and student transcripts—these aren’t just “files” to attackers. They’re lives.
Consider a university using PeopleSoft to manage student records. If ShinyHunters exfiltrates social security numbers, grades, and medical histories, the fallout includes identity theft, blackmail, and reputational damage that lasts for years. The same goes for healthcare providers using PeopleSoft for patient management, where HIPAA breach notifications, regulatory penalties and lawsuits follow quickly.
This is why the cybersecurity industry’s focus on “dwell time” (how long an attacker stays undetected) is misplaced. The goal shouldn’t just be to reduce breach duration—it should be to prevent breaches entirely. Until enterprise software vendors treat security as a priority, the cost will continue to be paid in stolen data, extorted money, and shattered trust.
Canonical Source: For the original Mandiant analysis, see Google’s Threat Analysis.