A server‑side request forgery in Oracle’s PeopleSoft suite (CVE‑2026‑35273) has been weaponized by the ransomware group ShinyHunters, which reportedly targeted roughly 100 customers and extorted at least one of them to avoid public data leaks.
The vulnerability, rated 9.8 out of 10 for severity, lets attackers send requests from a compromised PeopleSoft server to internal systems, effectively bypassing network controls. ShinyHunters is believed to have been exploiting the flaw for more than two weeks before Oracle publicly flagged the issue, and the company has issued a stopgap mitigation while a full patch is still pending.
Google’s Mandiant team confirmed that victims are receiving extortion demands linked to the breach. The incident underscores the urgency for organizations running PeopleSoft to apply Oracle’s interim mitigation, monitor for suspicious activity, and prepare for forthcoming patches.
