Oracle Rushes to Patch Flaw Used in Data Thefts

Oracle has patched a critical zero-day flaw in its PeopleSoft software that was actively used by hackers to steal data.

Oracle has issued an emergency security update for a critical zero-day vulnerability in its PeopleSoft enterprise software. The flaw, identified as CVE-2026-35273, was discovered being actively exploited by a data theft group known as ShinyHunter. This vulnerability is particularly dangerous because it allows for unauthenticated remote code execution (RCE). In simple terms, an attacker can run malicious code on a company's server from anywhere, without needing any login credentials. The attackers were using this access to steal sensitive corporate data. Oracle's patch is a direct response to mitigate this immediate and ongoing threat.

The impact is significant due to the nature of both the software and the flaw. PeopleSoft is used by large organizations worldwide to manage core business functions like human resources, payroll, and finance. These systems store vast amounts of sensitive information, from employee personal data to critical financial records. An unauthenticated RCE vulnerability is one of the most severe security flaws, providing a direct entry point for attackers. Because it was a zero-day, organizations were defenseless until the patch was released, making any unpatched system an open target for data breaches and further network intrusion.

Given the active exploitation, Oracle is urging all customers using affected PeopleSoft products to apply the security patch immediately. The risk is not theoretical; it is a present danger with confirmed data theft incidents. IT and security teams should prioritize this update. Beyond patching, organizations should investigate their systems for any signs of compromise that may have occurred before the fix was installed, such as reviewing server logs for unusual activity. This incident is a stark reminder of the importance of vigilant patch management and having a prepared incident response plan for critical enterprise applications.

The vulnerability affects widely used enterprise software that stores sensitive HR and financial data, allowing attackers to steal information without needing a password. Active exploitation makes this an urgent threat.

Companies using unpatched Oracle PeopleSoft are at high risk of data breaches, which can lead to significant financial loss, regulatory fines, and reputational damage. Immediate patching is required to protect sensitive corporate and employee data.