Oracle has patched a critical vulnerability in PeopleSoft Suite (CVE-2026-35273) enabling unauthenticated remote code execution that is already being actively exploited in targeted data theft campaigns by the ShinyHunter group.
The CVE-2026-35273 vulnerability in PeopleSoft Suite allows attackers without prior authentication to execute arbitrary code on affected systems. Oracle has rated the flaw as critical and has provided corresponding patches.
Security researchers are already documenting active exploits by the data theft group ShinyHunter. They are exploiting the vulnerability deliberately to penetrate production environments and exfiltrate data. The absence of authentication requirements significantly lowers the barrier to entry and makes the vulnerability a priority threat for all organizations running PeopleSoft deployments.
CISOs should immediately prioritize patches on affected systems and examine existing PeopleSoft installations for indicators of active compromise. The combination of critical severity and already ongoing exploits requires accelerated patch management procedures.
Oracle patches a critical PeopleSoft flaw (CVE-2026-35273) with unauthenticated RCE that is already being actively exploited in data theft attacks.
Source: www.bleepingcomputer.com · Published 11 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.