Cybersecurity researchers have identified an active exploitation campaign targeting Oracle PeopleSoft environments through a critical Remote Code Execution (RCE) vulnerability tracked as CVE-2026-35273. The flaw affects Oracle PeopleSoft PeopleTools and can be exploited remotely without authentication, making it a high-risk threat for organizations running vulnerable instances.
The attacks have been linked to the threat group ShinyHunters, which has reportedly targeted more than 100 organizations, with a significant concentration in the education sector. Researchers observed exploitation activity before Oracle publicly released its security advisory, which makes the vulnerability a true zero-day.
Because Oracle PeopleSoft is widely used for managing human resources, payroll, finance, and other business-critical functions, successful exploitation could expose highly sensitive organizational data and provide attackers with deep access into enterprise environments.
Technical Breakdown of the Attack
The vulnerability resides within Oracle PeopleSoft PeopleTools, specifically affecting components exposed to the internet. Security researchers indicate that attackers can exploit the flaw without valid credentials, enabling remote execution of arbitrary commands on affected servers. The vulnerability carries a critical severity rating and may lead to full system compromise if left unmitigated.
Researchers also reported that threat actors leveraged the flaw against Environment Management Hub (PSEMHUB) endpoints. Following successful exploitation, attackers can deploy malicious tools, execute administrative commands, and establish persistent access within the targeted environment.
The Attack Chain Can Involve:
- Reconnaissance of internet-facing PeopleSoft servers.
- Identification of vulnerable PeopleTools instances.
- Exploitation of CVE-2026-35273 without authentication.
- Remote code execution on the application server.
- Deployment of web shells or remote management tools.
Multiple Other Methods Threat Actors May Use
While the zero-day vulnerability serves as the initial access vector, attackers frequently combine additional techniques to strengthen their foothold and increase operational success.
- Web shell deployment
- Credential theft
- Authentication bypass attacks
- Exploitation of legacy vulnerabilities
Modern threat actors rarely rely on a single attack technique. Instead, they combine multiple methods to gain deeper access, maintain persistence, evade security monitoring, and ultimately achieve objectives such as data theft, extortion, or ransomware deployment.
Why Enterprise Applications Remain a High-Value Target
Enterprise platforms such as Oracle PeopleSoft store some of an organization’s most valuable information, including employee records, financial data, payroll details, and operational information. Because these systems often integrate with multiple business applications, a single compromise can provide attackers with extensive visibility across the enterprise.
Threat actors increasingly target business-critical applications because successful exploitation can deliver immediate access to large volumes of sensitive data. In many environments, these platforms are internet-facing and may not receive the same level of security monitoring as endpoints, making them attractive targets for advanced threat groups.
Security Experts Recommend That Organizations:
- Apply Oracle Mitigations Immediately
- Audit Internet-Facing PeopleSoft Systems
- Strengthen Access Controls
- Conduct Threat Hunting Activities
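A starting point for the audit and threat-hunting steps above, given as an added example that is not from the original article or from Oracle: it scans web access logs for requests to PSEMHUB paths that came from outside the internal network. The Combined Log Format, the internal address ranges, the URL pattern and the sample lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Combined Log Format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption: the hub is reachable under a URL path segment named PSEMHUB.
HUB_RE = re.compile(r'/psemhub(?:/|\?|$)', re.IGNORECASE)
# Assumption: these ranges are "internal"; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    """True unless the client address falls inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable client field: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)

def hunt_psemhub(lines):
    """Map each external client to its (time, method, path, status) hub requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and HUB_RE.search(m["path"]) and is_external(m["ip"]):
            hits[m["ip"]].append(
                (m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "POST /psemhub/hub HTTP/1.1" 200 128 "-" "curl/8.0"',
    '10.1.2.3 - - [01/Jan/2026:10:01:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 64 "-" "agent"',
    '198.51.100.9 - - [01/Jan/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in hunt_psemhub(SAMPLE).items():
        print(ip, len(reqs), "hub requests:", reqs)
```

Any external client that appears in the result is a lead for review alongside host-level checks for the web shells and remote management tools described earlier; it is not proof of compromise on its own.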
The active exploitation of CVE-2026-35273 demonstrates how rapidly threat actors can weaponize critical enterprise software vulnerabilities. With ShinyHunters reportedly targeting organizations through Oracle PeopleSoft environments, security teams should prioritize mitigation efforts, strengthen monitoring capabilities, and review exposure of internet-facing enterprise applications to reduce the risk of compromise.