PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data
Summary
Ars Technica reports a critical zero-day in Oracle PeopleSoft, CVE-2026-35273, exploited by the ShinyHunters ransomware group to target about 100 organizations and steal gigabytes of data. The flaw is a remotely exploitable SSRF with a 9.8/10 severity; attackers mapped configurations, exfiltrated data via a staging server, and extorted victims. Security researchers from Mandiant and Rapid7 provide indicators of compromise and immediate remediation guidance for affected customers.