Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters

Google has confirmed that a PeopleSoft vulnerability mitigated by Oracle this week has been exploited by ShinyHunters as a zero-day to steal data from organizations.

Oracle has released an out-of-band advisory and security alert for CVE-2026-35273, a critical unauthenticated remote code execution vulnerability impacting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, as well as PeopleSoft Enterprise Applications.

The software giant has released mitigations, but patches do not appear to be available.

PeopleSoft is an ERP software suite used by many large organizations to manage a wide range of business functions, including HR, payroll, finance, supply chain, and campus operations.

While the solution is used across many industries, the ShinyHunters campaign exploiting CVE-2026-35273 appears to have focused on the education sector. The University of Nottingham in the UK is the first confirmed victim.