Oracle warns of CVE-2026-35273: ShinyHunters exploited a PeopleSoft zero-day to breach 100+ firms
A 9.8 CVSS PeopleSoft flaw is being used in the wild, unpatched, and exploitable over the internet.

Oracle warned customers on Thursday of a critical PeopleSoft vulnerability that hackers have already used to breach more than 100 organizations. The issue is CVE-2026-35273, and Oracle’s advisory is blunt: the flaw has a CVSS score of 9.8, it can be exploited over the internet without any authentication, and Oracle has not released a patch.
For executives, this is one of those rare security advisories that turns uncertainty into urgency. “Not patched” is the uncomfortable part, but “internet-accessible without authentication” is the accelerant. When a vulnerability works remotely with no login and has a 9.8 severity rating, the attack surface is no longer limited to employees, vendors, or internal access paths. It becomes an externally reachable door.
So what does Oracle’s warning actually imply about the operational reality inside target companies? It means the sequence security teams normally rely on, patch first and then contain whatever got through, is not available. In many incidents there is at least a window for hardening, access control tightening, and monitoring before attackers have a reliable exploitation path. Here, exploitation has already happened, and the scale matters: more than 100 organizations breached. That suggests attackers either built the exploit quickly after discovering the flaw, or had it staged already and moved as soon as it was usable. Either way, defenders are reacting while the threat is actively demonstrating impact.
The group at the center of this story is ShinyHunters, cited in the original reporting as having breached 100+ companies through an unpatched Oracle PeopleSoft zero-day. A “zero-day” matters in plain English because it means defenders do not have a vendor patch to deploy yet. Without a patch, remediation shifts from “fix the software” to “limit the exposure.” That usually means compensating controls: network segmentation, strict access policies, intrusion detection tuning, and a careful review of whether the affected component is publicly reachable. When exploitation is possible over the internet and without authentication, “we don’t think it’s reachable” is an assumption that teams must validate quickly, for example by checking from outside the network whether the PeopleSoft web tier answers at all, and by reviewing its access logs for requests arriving from non-corporate addresses.
There is also a governance and risk communication angle that boards will care about immediately. Oracle’s advisory came on Thursday, and the original report notes it arrived a day after another development, though the excerpt cuts off. The key point for decision-makers is that this advisory is not an abstract CVE entry. It is a vendor acknowledging real-world exploitation and stating that a patch is not yet available. That changes how security and risk teams should brief stakeholders: the question is not “Will we be affected?” It’s “How fast can we reduce likelihood and detect attempts, given a known, currently unpatched weakness that is remotely exploitable?”
Regulatory expectations around incident preparedness and vulnerability management generally converge on something similar: organizations are expected to have reasonable controls for known critical vulnerabilities, even when patches are pending. While the source does not spell out any specific regulator, the environment is clear enough. For many industries, failing to take a high-severity, actively exploited external vulnerability seriously can become a compliance and liability issue, not just a technical one. And for companies handling sensitive HR, financial, and enterprise workflow data in PeopleSoft environments, the stakes are bigger than downtime. PeopleSoft is often mission critical, and breaches can cascade into credential exposure, data loss, and operational disruption.
Second-order implications flow directly from the characteristics Oracle highlighted. A CVSS 9.8 rating signals extreme severity, but the exploitable mechanics are what turn it into a board-level event: no authentication is required. That means controls built around identity, such as password policy, MFA, and account lockout, do nothing against exploitation attempts, and obscurity is no defense either; what matters is whether the component is reachable. It also implies attackers can scale scanning and intrusion attempts across the internet quickly, without needing harvested credentials. In practical terms, this increases the volume of alerts and makes it harder for teams to distinguish benign probing from successful exploitation.
For peers watching this, the strategic takeaway is uncomfortable but actionable: when a vendor says a zero-day is already being exploited at scale and provides no patch yet, the response shifts from patch planning to exposure reduction and detection hardening immediately. Oracle’s advisory on CVE-2026-35273 is a clear warning that the gap between “known risk” and “available fix” is currently large. Companies that treat that gap as normal will get punished. Companies that treat it as an emergency, coordinate quickly, and validate external reachability, can still reduce harm while they wait for the patch.