ShinyHunters exploited PeopleSoft 0-day CVE-2026-35273, targeting ~100 organizations and extorting victims
A 9.8 severity SSRF flaw in Oracle-owned PeopleSoft let a ransomware group steal gigabytes and issue extortion demands.

The ransomware group ShinyHunters exploited a critical vulnerability in Oracle-owned PeopleSoft, researchers said. Oracle has issued a stopgap mitigation but has not fully patched the SSRF flaw, and Google’s Mandiant has confirmed that victims are receiving extortion demands.
A ransomware group known as ShinyHunters exploited a critical zero-day in Oracle-owned PeopleSoft, targeting about 100 customers and extorting at least one of them under the threat of leaking stolen data, researchers said. The vulnerability is tracked as CVE-2026-35273 and carries a severity rating of 9.8 out of 10; Google’s Mandiant team confirmed that the attack hinges on an SSRF (server-side request forgery) flaw.
Here is what makes this an executive-level headache. The group had been exploiting the vulnerability for more than two weeks before Oracle flagged it, and the SSRF is remotely exploitable, meaning attackers can act without first gaining a foothold inside the victim network. Mandiant also confirmed that victims are receiving extortion demands, so this is not just a data theft incident; it is an active criminal negotiation running in parallel with ongoing compromise.
To understand why SSRF matters, think of it as a server being tricked into reaching out where it should not. In plain English, an attacker abuses an exposed application so that the server itself makes requests, on the attacker’s behalf, to systems the targeted organization should be protecting: internal services that trust the server, or ones that are not reachable from the internet at all. Google characterized the PeopleSoft issue this way, and Oracle said the SSRF is remotely exploitable. For organizations running PeopleSoft, that combination is especially nasty because enterprise ERP and HR platforms tend to sit at the center of operations, data flows, and privileged integrations.
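The SSRF bug class in general, as an added example written for this article rather than code from PeopleSoft, Oracle or Mandiant (the internals of CVE-2026-35273 are not public). It shows a hypothetical "fetch this URL for me" feature in two forms: one that trusts whatever destination the caller supplies, and one that validates the destination before the server makes the request. The allowlist hosts, the address ranges and the injectable resolver are assumptions for illustration.

```python
"""Added illustration of the SSRF bug class, written for this article.

Not PeopleSoft code and not Oracle's mitigation. A hypothetical
"fetch this URL for me" feature, first trusting the caller, then
validating the destination before the server makes the request.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist of partner hosts this server is permitted to contact.
ALLOWED_HOSTS = {"api.partner.example", "reports.example"}

# Address ranges an internet-facing app server should never be steered into:
# RFC 1918, loopback, link-local (cloud metadata lives at 169.254.169.254),
# the "this network" block, and their IPv6 equivalents.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip: str) -> bool:
    """True if the address falls in a range internal to the network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def vulnerable_target(url: str) -> str:
    """Vulnerable: the server will request whatever the caller supplied,
    including http://169.254.169.254/... or http://10.x.x.x/admin."""
    return url


def check_target(url: str, resolve=socket.gethostbyname):
    """Hardened: return (ok, reason) for a caller-supplied URL.

    Rejects non-HTTP schemes, embedded credentials (a classic way to make a
    hostname look allowlisted), hosts outside the allowlist, and allowlisted
    names whose DNS answer points at an internal address. `resolve` is
    injectable so the check runs offline; the default uses real DNS.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        ip = resolve(host)
    except OSError:
        return False, "host does not resolve"
    if is_internal(ip):
        return False, "host resolves to internal address"
    return True, "ok"
```

The resolved-address check is the part most implementations skip: an allowlisted name is only as trustworthy as the DNS answer behind it, so the hardened version validates the address the server would actually connect to, not just the string the caller typed.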
Oracle’s response, according to the reporting, includes a stopgap mitigation but not a complete patch yet. That detail should land hard with CIOs, CISO teams, and anyone who spends time translating security advisories into operational risk. Stopgaps can reduce exposure, but until the full fix is in place, attackers who already have a working exploit path tend to keep going. That is consistent with what researchers reported about timing: ShinyHunters exploited the flaw for more than two weeks before Oracle flagged it.
The description of the threat actor as “one of the world’s most active ransomware groups” matters for a simple reason: ransomware groups optimize for repeatability. Once they find a reliable access method in widely used enterprise software, they can scale pressure across many targets quickly. Researchers said the group used the vulnerability to target about 100 customers and steal data described in the article as gigabytes. At least one victim has been pressed to pay in exchange for the stolen data not being leaked. In ransomware terms, this is the conversion of technical access into a business model.
There is also a governance and reporting dimension here. When an organization runs critical business systems like PeopleSoft, directors usually expect controls around vulnerability management, detection, and incident response. But the source points to a gap between exploitation in the wild and the moment the vendor flagged it. That gap is exactly where boards start asking uncomfortable questions: How quickly were we exposed? Did our monitoring catch the early signals? Could a stopgap have been applied faster? Even when the organization is not at fault, the incident will force a clearer explanation of risk posture to regulators, auditors, and internal stakeholders.
Regulators and compliance teams also care because extortion that follows data theft can trigger disclosure obligations. Even without naming specific legal regimes, the direction is clear: stolen data plus extortion creates a compliance timeline problem, not just a technical one. Victims are already receiving extortion demands, according to Google’s Mandiant security team, which typically compresses decision-making and raises the stakes for legal counsel, communications leaders, and executive teams coordinating with law enforcement.
The second-order implication for other enterprises is that this is not limited to PeopleSoft owners who are “big enough to matter.” The reporting describes targeting around 100 customers, which implies a level of scanning and selection that could map directly onto any organization with the affected configuration. Also, a remotely exploitable SSRF means perimeter controls alone may not help. If the vulnerable service is reachable from the internet, the attacker does not need to cross the perimeter: the application’s own outbound requests do it for them, reaching internal services that the perimeter was never meant to expose.
For executives at companies that rely on Oracle software, this incident is a warning about speed. The vulnerability was already being exploited in the wild before Oracle flagged it, Oracle has issued mitigation but not fully patched the flaw yet, and Google has confirmed extortion demands are landing on victims. In the next review cycle, boards will likely want crisp answers on patch timelines, compensating controls, detection coverage for SSRF-style activity, and readiness for extortion-driven incidents where time matters as much as containment.
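On the question of detection coverage for SSRF-style activity, the following is an added example written for this article, not Mandiant’s, Oracle’s or any vendor’s detection logic. It assumes an egress proxy or firewall log in a constructed one-line-per-request format, an assumed application-tier subnet, and flags outbound requests that the application tier makes to internal, loopback, link-local or cloud-metadata destinations, which is the footprint SSRF abuse leaves on the wire. The sample log lines are constructed and not from any real incident.

```python
"""Added example for this article: a minimal detection over egress logs.

Not Mandiant's or Oracle's logic. Assumes a constructed log format
(timestamp, source, destination, URL) and an assumed app-tier subnet.
Flags app-tier requests to internal, loopback, link-local or
cloud-metadata destinations.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed log format (assumption): timestamp, source, destination, URL.
LINE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) url="(?P<url>[^"]*)"$')

APP_TIER = ipaddress.ip_network("10.20.0.0/24")   # assumed app-server subnet
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
METADATA = {"169.254.169.254"}   # instance-metadata endpoint on major clouds


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    url: str
    reason: str


def classify_destination(dst: str):
    """Return why an outbound destination is suspicious, or None."""
    if dst in METADATA:
        return "cloud metadata endpoint"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None   # hostname rather than IP: not classified here
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in INTERNAL):
        return "internal address"
    return None


def scan(lines):
    """Return (findings, malformed_count) for app-tier requests to
    suspicious destinations. Malformed lines are counted, not dropped."""
    findings, malformed = [], 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            malformed += 1
            continue
        if ipaddress.ip_address(m["src"]) not in APP_TIER:
            continue   # only the internet-facing app tier is in scope here
        reason = classify_destination(m["dst"])
        if reason:
            findings.append(Finding(m["ts"], m["src"], m["dst"], m["url"], reason))
    return findings, malformed


# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = [
    '2026-05-01T10:00:01Z src=10.20.0.15 dst=203.0.113.7 url="https://api.partner.example/report"',
    '2026-05-01T10:00:02Z src=10.20.0.15 dst=169.254.169.254 url="http://169.254.169.254/latest/meta-data/iam/"',
    '2026-05-01T10:00:03Z src=10.20.0.16 dst=10.20.5.8 url="http://10.20.5.8:8080/admin/"',
    '2026-05-01T10:00:04Z src=10.30.0.4 dst=10.20.5.8 url="http://10.20.5.8:8080/admin/"',
    '2026-05-01T10:00:05Z src=10.20.0.15 dst=127.0.0.1 url="http://localhost:8000/"',
    'garbage line',
]

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.src} -> {f.dst} [{f.reason}] {f.url}")
    print(f"{len(found)} findings, {bad} malformed lines")
```

Run as written, the scan reports the metadata request, the request to an internal admin port and the loopback request from app-tier hosts, and ignores the partner API call and the request from a host outside the app tier. The same rule transfers to any egress log source; what changes per environment is the subnet that defines the application tier and the destinations that count as internal.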