PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data - Ars Technica Skip to content Ars Technica home Sections Forum Subscribe Search AI Biz & IT Cars Culture Gaming Health Policy Science Security Space Tech Feature Reviews AI Biz & IT Cars Culture Gaming Health Policy Science Security Space Tech Forum Subscribe Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only Β Β Learn more Pin to story Theme HyperLight Day & Night Dark System Search Sign In Sign in dialog... Sign in THE FALLOUT BEGINS PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data Vulnerability in the Oracle-owned PeopleSoft software is about as critical as they come. Dan Goodin β Jun 12, 2026 3:26 pm | 48 Credit: Mesut Dogan Credit: Mesut Dogan Text settings Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only Β Β Learn more Minimize to nav One of the worldβs most active ransomware groups exploited a critical vulnerability in Oracleβs PeopleSoft software suite and used it to target about 100 customers and extort at least one of them to pay up in exchange for not leaking stolen data, researchers said. The group, tracked as ShinyHunters, had been exploiting the PeopleSoft vulnerability for more than two weeks before Oracle flagged it. CVE-2026-35273, as the vulnerability is tracked, carries a severity rating of 9.8 out of 10, making the former zero-day one of the yearβs most critical vulnerabilities to be exploited. Googleβs Mandiant security team said itβs an SSRF (server-side request forgery), a vulnerability that allows attackers to send requests from a susceptible server to systems used by the targeted organization.
Oracle said the SSRF is remotely exploitable, and the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands. 9.8 0-day exploited for 2 weeks The University of Nottingham confirmed on Wednesday that it was the victim of a hack that put a βsignificantβ amount of student data in the hands of a threat actor. The confirmation came after ShinyHunters claimed the university was one of its recent victims and published gigabytes of data it claimed to have stolen in the hack.
Source: https://arstechnica.com/security/2026/06/peoplesoft-0-day-affecting-hundreds-of-organizations-steals-gigabytes-of-data/
Oracle said the SSRF is remotely exploitable, and the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands. 9.8 0-day exploited for 2 weeks The University of Nottingham confirmed on Wednesday that it was the victim of a hack that put a βsignificantβ amount of student data in the hands of a threat actor. The confirmation came after ShinyHunters claimed the university was one of its recent victims and published gigabytes of data it claimed to have stolen in the hack.
Source: https://arstechnica.com/security/2026/06/peoplesoft-0-day-affecting-hundreds-of-organizations-steals-gigabytes-of-data/