Security researchers have raised the alarm after ShinyHunters, a suspected threat actor group, exploited a critical unpatched vulnerability in Oracle PeopleSoft software to breach over 100 organizations. The flaw, identified as CVE-2026-35273, has a CVSS score of 9.8—indicating a severe risk—and allows attackers to gain unauthorized access without requiring any authentication.
Widespread Impact Across Industries
The vulnerability affects Oracle PeopleSoft, a widely used enterprise resource planning (ERP) platform that many organizations rely on for core business operations. According to Oracle’s advisory, the flaw is exploitable over the internet, making it particularly dangerous for companies that haven’t yet applied any mitigations. Despite the severity, Oracle has not yet released a patch, leaving organizations vulnerable and forcing them to seek immediate workarounds.
Implications for Enterprise Security
This breach highlights the growing risks associated with legacy software systems, especially when critical vulnerabilities are left unaddressed. Organizations using PeopleSoft are urged to conduct immediate assessments of their systems and implement network segmentation or other protective measures to reduce exposure. ShinyHunters is believed to be a financially motivated group with ties to other known cybercriminal actors, raising concerns about the potential for further exploitation and data theft.
The incident underscores the importance of proactive vulnerability management and the need for timely patching. As enterprises continue to rely on complex software ecosystems, the consequences of unpatched zero-days can be devastating, particularly in sectors such as finance, healthcare, and government, where data integrity and security are paramount.
