On June 10, 2026, Oracle announced a critical security vulnerability (CVE-2026-35273) affecting PeopleSoft Enterprise PeopleTools. The vulnerability, which could allow remote code execution without authentication, has a CVSS score of 9.8. Active exploitation was detected in the wild prior to the public disclosure, mainly impacting the higher education sector.
The attack was attributed to a financially motivated group, ShinyHunters, which successfully exploited the flaw using techniques such as server-side request forgery. Organizations using affected versions are strongly advised to apply the emergency patch and consider additional protective measures such as disabling specific services and monitoring traffic.