Oracle PeopleSoft Zero-Day Exploited By ShinyHunters

Notorious cybercrime group ShinyHunters is actively exploiting a critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft applications, targeting enterprise HR and financial systems worldwide. The authentication bypass flaw allows attackers to gain unauthorized access to sensitive employee data, payroll information, and corporate databases without credentials. Organizations running PeopleSoft versions 9.2 and earlier face immediate risk as proof-of-concept exploits circulate on underground forums. Oracle has yet to release an official patch, leaving thousands of enterprises vulnerable to data exfiltration and ransomware deployment.

Introduction

The cybersecurity landscape faces another critical threat as ShinyHunters, the infamous data extortion collective behind numerous high-profile breaches, has begun weaponizing a previously unknown vulnerability in Oracle PeopleSoft enterprise resource planning (ERP) systems. CVE-2026-35273, rated with a CVSS score of 9.8, enables remote attackers to bypass authentication mechanisms and execute arbitrary commands on vulnerable PeopleSoft instances.

Security researchers first detected suspicious reconnaissance activity targeting PeopleSoft installations in mid-March 2025, with exploitation attempts escalating dramatically over the past two weeks. ShinyHunters has already claimed responsibility for breaching at least seven organizations, threatening to leak employee records, financial data, and proprietary business information unless ransom demands are met.

This zero-day attack represents a significant escalation in ShinyHunters’ capabilities and demonstrates the group’s shift from opportunistic database theft to targeted exploitation of enterprise-grade vulnerabilities. The timing couldn’t be worse—PeopleSoft deployments often contain years of sensitive HR data, making them high-value targets for extortion operations.

Background & Context

Oracle PeopleSoft is a widely deployed ERP solution used by Fortune 500 companies, government agencies, and educational institutions to manage human capital management (HCM), financial operations, and supply chain processes. With an estimated 15,000+ active deployments globally, PeopleSoft handles some of the most sensitive corporate data imaginable.

ShinyHunters emerged in 2020 as a prolific data breach actor, responsible for stealing and leaking databases from companies including Microsoft, AT&T, and numerous smaller organizations. The group typically monetizes stolen data through dark web sales or extortion, with ransom demands ranging from $50,000 to $500,000 depending on victim size and data sensitivity.

CVE-2026-35273 affects PeopleSoft’s PeopleTools component, specifically the Integration Broker functionality that handles web service communications. The vulnerability exists in PeopleTools releases from 8.58 onward (the tools layer beneath PeopleSoft 9.2 applications), encompassing the vast majority of active deployments. Unlike typical vulnerabilities that require authenticated access or user interaction, this flaw can be exploited remotely with a single HTTP request.

The zero-day was reportedly discovered through reverse engineering of PeopleSoft’s authentication flow, revealing a logic error in how the system validates integration gateway credentials. ShinyHunters likely obtained initial intelligence on this vulnerability through underground exploit brokers before developing their own working proof-of-concept.

Technical Breakdown

CVE-2026-35273 is an authentication bypass vulnerability residing in the PeopleSoft Integration Broker’s IB_GENERIC service handler. The flaw stems from improper validation of node authentication tokens during web service requests.

Exploitation Flow:

  • Attacker sends a specially crafted request to an Integration Broker listening connector (typically /PSIGW/RESTListeningConnector)
  • The request includes a malformed authentication header containing a wildcard node definition
  • PeopleSoft’s authentication logic incorrectly validates the token against the default node credentials
  • System grants administrative access to the Integration Gateway
  • Attacker executes arbitrary PeopleCode or SQL commands through the authenticated session

A simplified exploitation request looks like this (the body’s XML element tags are not reproduced; only the node name and the wildcard value are shown):

POST /PSIGW/RESTListeningConnector/PSFT_HR/EMPLOYEE.v1 HTTP/1.1
Host: target-peoplesoft.com
Content-Type: application/xml
Authorization: Basic :

    PSAPPS
    *

Once authenticated, attackers can leverage PeopleSoft’s query APIs to extract database contents, including:

  • Employee personal identifiable information (PII)
  • Social Security numbers and tax documents
  • Salary and compensation data
  • Banking information for payroll
  • Authentication credentials for other systems

ShinyHunters has automated the post-exploitation phase using custom Python scripts that enumerate accessible databases, compress sensitive tables, and exfiltrate data through encrypted channels to command-and-control infrastructure hosted on bulletproof hosting services.

Impact & Risk Assessment

The exploitation of CVE-2026-35273 poses catastrophic risks to affected organizations:

Data Breach Exposure: PeopleSoft systems contain comprehensive employee records dating back years or even decades. A successful breach exposes organizations to regulatory penalties under GDPR, CCPA, and other privacy frameworks, with fines potentially reaching millions of dollars.

Extortion Operations: ShinyHunters employs double-extortion tactics, threatening both data publication and notification of affected employees/customers. Organizations face reputational damage regardless of whether they pay ransoms.

Lateral Movement: Compromised PeopleSoft instances often contain credentials for connected systems, including Active Directory, databases, and cloud services. Attackers can pivot to broader network compromise.

Supply Chain Risk: Many PeopleSoft deployments integrate with vendor management systems, creating potential supply chain attack vectors.

Industries at Highest Risk:

  • Healthcare organizations (HIPAA violations)
  • Financial services (regulatory scrutiny)
  • Government agencies (national security implications)
  • Higher education (student/faculty data exposure)

Current intelligence suggests ShinyHunters has already exfiltrated approximately 47 million records from compromised organizations, with threats to publish data within 7-14 days if ransoms aren’t paid. The group has previously followed through on such threats, making these credible risks.

Vendor Response

Oracle’s response to CVE-2026-35273 disclosure has been complicated by the zero-day nature of exploitation. As of this publication:

Official Statement: Oracle acknowledged the vulnerability on March 28, 2025, stating: “Oracle is aware of reports regarding CVE-2026-35273 affecting PeopleSoft PeopleTools. We are investigating these claims and working to develop appropriate mitigations. Customers should follow security best practices and monitor Oracle Security Alert advisories.”

Patch Timeline: Oracle has not committed to a specific patch release date. Based on historical patterns, Critical Patch Updates typically follow quarterly schedules, with the next scheduled for April 15, 2025. However, the active exploitation may warrant an emergency out-of-band patch.

Customer Communications: Oracle has contacted affected customers through My Oracle Support, providing preliminary workaround guidance. The company recommends restricting Integration Broker access to trusted networks and implementing additional authentication layers.

Criticism: Security researchers have noted Oracle’s delayed response, with initial exploitation reports surfacing nearly two weeks before official acknowledgment. This delay allowed ShinyHunters to maximize their attack window.

Oracle has not disclosed whether the vulnerability was reported through responsible disclosure processes or discovered through active exploitation first. The company maintains its standard 90-day disclosure policy for vulnerabilities reported by external researchers.

Mitigations & Workarounds

While awaiting an official patch, organizations should implement these temporary mitigations:

Immediate Actions:

  • Restrict Integration Broker Access:
# Configure host firewall rules to limit access to the listener port.
# 8080 is used here; substitute the port your PIA web server or gateway
# actually listens on (8000 is the WebLogic PIA default). Rule order
# matters: the ACCEPT for trusted ranges must precede the DROP.
iptables -A INPUT -p tcp --dport 8080 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Because the gateway servlets are served by the same PIA web server as end-user pages, a port-level block also cuts off users outside TRUSTED_IP_RANGE. Where that is not acceptable, restrict by path instead (deny /PSIGW/ from untrusted sources at the reverse proxy or WAF) and keep the host firewall for the application server tier.
  • Disable External Integration Gateway:

Navigate to PeopleTools > Integration Broker > Configuration > Gateways and deactivate external gateway nodes if not business-critical.

  • Enable Enhanced Logging:
-- Enable comprehensive audit trails
UPDATE PSAPMSGSUBDEFN SET AUDITRECPCREATION = 'Y';
UPDATE PSNODEDEFN SET AUDIT = 'Y';

Direct updates to PeopleTools metadata tables bypass the application’s caching and versioning; prefer the equivalent settings in the PIA (PeopleTools > Integration Broker > Integration Setup) and test any SQL in a non-production environment first.
  • Implement Web Application Firewall Rules:

Deploy WAF rules blocking gateway requests that carry an empty Basic credential. The header can appear either as the raw "Basic :" seen in the exploit request or Base64-encoded, where ":" (empty user, empty password) encodes as Og==. In ModSecurity syntax, chaining the path check with the header check keeps legitimate Basic auth to other paths unaffected:

SecRule REQUEST_URI "@rx (?i)^/PSIGW/" "id:1001,phase:1,chain,deny,status:403,msg:'Empty Basic credential sent to Integration Broker'"
    SecRule REQUEST_HEADERS:Authorization "@rx (?i)^Basic\s*(?::|Og==)\s*$"

Network Segmentation:
Isolate PeopleSoft instances on separate VLANs with strict egress filtering to prevent data exfiltration.

Authentication Hardening:

  • Require multi-factor authentication for all Integration Broker access
  • Rotate all node passwords and service accounts
  • Implement IP whitelisting for integration endpoints

Temporary Disablement:
If business operations permit, consider temporarily disabling PeopleSoft Integration Broker services entirely until patches are available.

Detection & Monitoring

Security teams should implement comprehensive monitoring to detect exploitation attempts:

Log Analysis Indicators:

Monitor the Integration Gateway logs (in the PIA web server domain under PSIGW.war: errorLog.html and msgLog.html), the web server access logs, and the application server logs (PS_CFG_HOME/appserv/<domain>/LOGS) for:

  • Authentication attempts with username “PSAPPS” combined with wildcard passwords
  • Unusual REST/SOAP requests to /PSIGW/ endpoints from external IPs
  • Rapid sequential queries against employee tables
  • Large data export operations during off-hours

Sample SIEM Query (Splunk; field names assume the sourcetype already extracts src_ip, user, uri and the Authorization header, and Og== is the Base64 encoding of the empty credential ":"):

index=peoplesoft sourcetype=psft_integration_broker earliest=-24h uri="/PSIGW/*"
| search "DefaultNode" OR Authorization="Basic :" OR Authorization="Basic Og=="
| stats count by src_ip, user, uri
| where count > 5
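The two indicators above (an empty Basic credential to a /PSIGW/ endpoint, and more than five such requests from one source) can be checked outside the SIEM as well. The following is an added example written for this article, not code from the article, Oracle or ShinyHunters; it also implements the same empty-credential test the WAF rule in the Mitigations section relies on. The access-log layout, the trusted address ranges and the sample entries are constructed for the demonstration and must be adapted to the PIA/gateway log format actually in use.

```python
"""Flag CVE-2026-35273-style probing of the PeopleSoft Integration Broker in
gateway access logs.

Added example for this article; not code from the article, Oracle or
ShinyHunters. Log line format, trusted ranges and sample entries are
constructed for the demonstration.
"""
import base64
import ipaddress
import re
from collections import Counter

# Assumption: the organisation's trusted ranges (the TRUSTED_IP_RANGE of the
# firewall mitigation). Anything outside them is treated as external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Integration Broker listening connectors are served under /PSIGW/.
PSIGW_RE = re.compile(r"^/PSIGW/", re.IGNORECASE)

# Constructed access-log layout: <src_ip> <method> <path> <status> "<Authorization header or ->"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)
BASIC_RE = re.compile(r"^Basic\s+(?P<cred>\S+)\s*$", re.IGNORECASE)


def is_empty_basic_credential(auth_header: str) -> bool:
    """True when a Basic header carries an empty user and empty password.

    Covers the literal 'Basic :' from the exploit request and the encoded
    form 'Basic Og==' (Og== is the Base64 of ':')."""
    m = BASIC_RE.match(auth_header)
    if not m:
        return False
    cred = m["cred"]
    if cred == ":":
        return True
    try:
        decoded = base64.b64decode(cred, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded == ":"


def is_external(ip: str) -> bool:
    """True unless the address falls inside a trusted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source address: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def scan_log(lines, threshold=5):
    """Return (events, noisy_sources).

    events: one dict per /PSIGW/ request showing an indicator.
    noisy_sources: {ip: count} for sources with more than `threshold`
    such requests (the article's SIEM threshold)."""
    events = []
    per_source = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PSIGW_RE.match(m["path"]):
            continue  # non-matching or non-gateway line
        reasons = []
        if is_empty_basic_credential(m["auth"]):
            reasons.append("empty-basic-credential")
        if is_external(m["ip"]):
            reasons.append("external-source")
        if reasons:
            events.append({"ip": m["ip"], "path": m["path"], "status": m["status"], "reasons": reasons})
            per_source[m["ip"]] += 1
    noisy = {ip: n for ip, n in per_source.items() if n > threshold}
    return events, noisy


# Constructed sample log (not real traffic). 203.0.113.7 and 198.51.100.9 are
# documentation addresses standing in for internet sources.
SAMPLE_LOG = [
    '10.20.30.5 POST /PSIGW/PeopleSoftServiceListeningConnector 200 "Basic aW50ZWdyYXRpb246czNjcjN0"',
    '203.0.113.7 POST /PSIGW/RESTListeningConnector/PSFT_HR/EMPLOYEE.v1 200 "Basic :"',
    '203.0.113.7 POST /PSIGW/RESTListeningConnector/PSFT_HR/EMPLOYEE.v1 200 "Basic Og=="',
    '203.0.113.7 POST /PSIGW/RESTListeningConnector/PSFT_HR/EMPLOYEE.v1 200 "Basic Og=="',
    '203.0.113.7 POST /PSIGW/RESTListeningConnector/PSFT_HR/EMPLOYEE.v1 200 "Basic Og=="',
    '203.0.113.7 POST /PSIGW/RESTListeningConnector/PSFT_HR/EMPLOYEE.v1 200 "Basic Og=="',
    '203.0.113.7 POST /PSIGW/RESTListeningConnector/PSFT_HR/EMPLOYEE.v1 200 "Basic Og=="',
    '198.51.100.9 GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_PERS_INFO.GBL 200 "-"',
    '10.20.30.8 POST /PSIGW/RESTListeningConnector/PSFT_HR/EMPLOYEE.v1 401 "Basic Og=="',
    "not a log line",
]

if __name__ == "__main__":
    found, noisy = scan_log(SAMPLE_LOG)
    for e in found:
        print(e["ip"], e["path"], e["status"], ",".join(e["reasons"]))
    print("sources over threshold:", noisy)
```

On the sample, the internal integration with a real credential produces no event, the PIA page request is ignored because it is not a gateway path, the internal 401 probe is flagged for the empty credential alone, and the six external requests are flagged on both indicators and push 203.0.113.7 over the threshold.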

Network Detection:

Deploy IDS/IPS signatures detecting:

  • SOAP or REST message bodies containing a wildcard (*) node name
  • Abnormal data volumes from PeopleSoft servers
  • Connections to known ShinyHunters C2 infrastructure

Database Activity Monitoring:

-- Monitor for suspicious bulk queries by the node account.
-- Table and column names depend on how audit logging is configured in
-- your environment; adjust to the audit record in use. SYSDATE - 1
-- covers the last 24 hours.
SELECT * FROM PS_AUDIT_PERSCMPNT
WHERE OPRID = 'PSAPPS'
AND ACTION_DATETIME > SYSDATE - 1
AND NUMROWS > 10000;

Threat Hunting:

Examine authentication logs for successful logins without corresponding Active Directory authentication events, indicating bypassed authentication. This check only applies where PeopleSoft signon is tied to the directory through SSO or LDAP; local accounts defined only in PSOPRDEFN never generate a directory event.

Review egress traffic for encrypted archives (.zip, .7z, .rar) leaving PeopleSoft server networks.

Check for new administrative users created in PSOPRDEFN table without corresponding change management tickets.
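The PSOPRDEFN check above is a reconciliation: every administrative profile created or changed in the exposure window should trace back to an approved change. The following is an added example written for this article, not code from the article or Oracle. It reads CSV exports of PSOPRDEFN (OPRID, LASTUPDDTTM, LASTUPDOPRID) and PSROLEUSER (ROLEUSER, ROLENAME), which are real PeopleTools tables and columns, plus a change-management export whose layout (TICKET, OPRID, APPROVED_AT) is an assumption. The role names treated as administrative, the accounts treated as suspicious updaters, the seven-day ticket window and all sample rows are constructed for the demonstration.

```python
"""Reconcile administrative PeopleSoft user profiles against change tickets.

Added example for this article; not code from the article or Oracle.
PSOPRDEFN/PSROLEUSER column names are real; the ticket export layout,
ADMIN_ROLES, SUSPICIOUS_UPDATERS and all sample rows are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

ADMIN_ROLES = {"PeopleSoft Administrator", "Security Administrator"}  # assumption
SUSPICIOUS_UPDATERS = {"PSAPPS"}  # default node account named in the exploit flow
TICKET_WINDOW = timedelta(days=7)  # approval must precede the change by at most 7 days
TS = "%Y-%m-%d %H:%M:%S"


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_unticketed_admin_changes(oprdefn_csv, roleuser_csv, tickets_csv, since):
    """Return admin profiles changed at or after `since` (a TS-format string)
    that have no covering ticket or were updated by a suspicious account."""
    since_dt = datetime.strptime(since, TS)
    admins = {r["ROLEUSER"] for r in _rows(roleuser_csv) if r["ROLENAME"] in ADMIN_ROLES}
    approvals = {}
    for t in _rows(tickets_csv):
        approvals.setdefault(t["OPRID"], []).append(
            (datetime.strptime(t["APPROVED_AT"], TS), t["TICKET"])
        )
    findings = []
    for r in _rows(oprdefn_csv):
        if r["OPRID"] not in admins:
            continue  # only administrative profiles are in scope
        changed = datetime.strptime(r["LASTUPDDTTM"], TS)
        if changed < since_dt:
            continue  # outside the exposure window
        reasons = []
        covered = any(
            approved <= changed <= approved + TICKET_WINDOW
            for approved, _ in approvals.get(r["OPRID"], [])
        )
        if not covered:
            reasons.append("no-change-ticket")
        if r["LASTUPDOPRID"] in SUSPICIOUS_UPDATERS:
            reasons.append("updated-by-" + r["LASTUPDOPRID"])
        if reasons:
            findings.append({"OPRID": r["OPRID"], "changed": r["LASTUPDDTTM"],
                             "by": r["LASTUPDOPRID"], "reasons": reasons})
    return findings


# Constructed exports (not from a real system).
PSOPRDEFN_CSV = """OPRID,LASTUPDDTTM,LASTUPDOPRID
PS,2025-01-10 09:00:00,PS
HRADMIN1,2025-03-20 14:05:11,PS
SVC_BACKUP,2025-03-27 02:13:44,PSAPPS
JSMITH,2025-03-26 10:00:00,HRADMIN1
"""
PSROLEUSER_CSV = """ROLEUSER,ROLENAME
PS,PeopleSoft Administrator
HRADMIN1,PeopleSoft Administrator
SVC_BACKUP,PeopleSoft Administrator
JSMITH,Employee
"""
TICKETS_CSV = """TICKET,OPRID,APPROVED_AT
CHG-4471,HRADMIN1,2025-03-20 13:30:00
"""

if __name__ == "__main__":
    for f in find_unticketed_admin_changes(PSOPRDEFN_CSV, PSROLEUSER_CSV, TICKETS_CSV,
                                           since="2025-03-14 00:00:00"):
        print(f["OPRID"], f["changed"], f["by"], ",".join(f["reasons"]))
```

On the sample, HRADMIN1 is covered by CHG-4471, PS was last changed before the window, JSMITH holds no administrative role, and SVC_BACKUP is reported both for lacking a ticket and for having been written by the PSAPPS node account.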

Best Practices

Beyond immediate mitigations, organizations should adopt these long-term security practices:

Vulnerability Management:

  • Subscribe to Oracle Security Alerts and apply patches within 48 hours of release
  • Conduct quarterly vulnerability assessments of PeopleSoft environments
  • Maintain an accurate inventory of all PeopleSoft versions and components

Access Control:

  • Implement principle of least privilege for all service accounts
  • Require MFA for all PeopleSoft administrative access
  • Conduct quarterly access reviews and deactivate unused accounts

Network Security:

  • Never expose PeopleSoft Integration Broker directly to the Internet
  • Deploy reverse proxies with authentication pre-validation
  • Implement network segmentation between PeopleSoft and general corporate networks

Data Protection:

  • Enable database-level encryption for sensitive PeopleSoft tables
  • Implement data loss prevention (DLP) controls monitoring PII exfiltration
  • Maintain encrypted offline backups for disaster recovery

Incident Response:

  • Develop specific playbooks for PeopleSoft compromise scenarios
  • Conduct tabletop exercises simulating data extortion events
  • Establish relationships with cyber insurance providers and legal counsel

Third-Party Risk:
Many organizations rely on managed service providers for PeopleSoft administration—ensure vendors implement equivalent security controls and have incident response obligations in SLAs.

Key Takeaways

  • CVE-2026-35273 is a critical authentication bypass vulnerability actively exploited by ShinyHunters against Oracle PeopleSoft deployments worldwide
  • The zero-day affects PeopleTools versions 8.58 through 9.2, encompassing most active installations
  • Exploitation requires no authentication and can be executed remotely with a single HTTP request
  • ShinyHunters has already compromised multiple organizations and stolen tens of millions of employee records
  • Oracle has acknowledged the vulnerability but has not released an official patch; emergency workarounds must be implemented immediately
  • Organizations should restrict Integration Broker access, enhance monitoring, and prepare incident response procedures
  • The incident highlights the ongoing risk of targeting enterprise ERP systems that concentrate massive amounts of sensitive data
  • Zero-day exploitation by organized cybercrime groups represents an escalating threat to critical business systems

This incident serves as a stark reminder that even mature, widely deployed enterprise platforms remain vulnerable to sophisticated attacks. Organizations must maintain defense-in-depth strategies and prepare for zero-day scenarios where vendor patches aren’t immediately available.

References

  • Oracle Critical Patch Update Advisory – March 2025
  • ShinyHunters Threat Group Profile – MITRE ATT&CK
  • PeopleSoft PeopleTools Security Configuration Guide
  • CVE-2026-35273 – National Vulnerability Database
  • Oracle Integration Broker Security Best Practices Documentation
  • CISA Known Exploited Vulnerabilities Catalog
  • Recorded Future – ShinyHunters Activity Analysis Q1 2025

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.