
If you or your company uses Oracle’s PeopleSoft software, take note of a recent security advisory published by the company. Oracle is warning of a security bug affecting PeopleSoft after the hacking group ShinyHunters took credit for abusing the flaw.
Oracle warns of security bug
Oracle publicly disclosed a security bug in its PeopleSoft software. For those who don’t use the software, PeopleSoft is used by companies to help manage payroll and human resources. However, it seems that the hacking group ShinyHunters has abused a security bug affecting the software. This allowed them to breach more than 100 organizations that run PeopleSoft servers.
Oracle says, “This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.”
As you can tell, it is quite a serious bug: it can be exploited remotely without authentication and may result in remote code execution. It also turns out it’s not exactly a new bug either. Google security unit Mandiant also warned in its blog post that this flaw is the same bug ShinyHunters used in its hacking campaign targeting PeopleSoft customers.
What is the company doing about it?
Oracle has released emergency mitigations to address the vulnerability, but a full patch is still in development. In the meantime, Mandiant says that some companies were successful in blocking the activity. Others weren’t so fortunate, resulting in their data being stolen and published on ShinyHunters’ website.
The hacking group ShinyHunters has been around for a while and has been making a name for itself. The group has been involved in a series of high-profile hacks, including Rockstar, Vimeo, and more. It also targeted Salesforce back in 2025 in a joint hack with Lapsus$ and Scattered Spider. The attackers then used the data to pressure victims into paying up to prevent exposure of sensitive data.
The post Hackers Exploited a Critical Oracle Zero-Day to Breach Over 100 Companies appeared first on Android Headlines.