One of the world's most active ransomware groups exploited a critical vulnerability in Oracle's PeopleSoft software suite and used it to target about 100 customers and extort at least one of them to pay up in exchange for not leaking stolen data, researchers said.
The group, tracked as ShinyHunters, had been exploiting the PeopleSoft vulnerability for more than two weeks before Oracle flagged it. CVE-2026-35273, as the vulnerability is tracked, carries a severity score of 9.8 out of 10, making the former zero-day one of the year's most significant vulnerabilities to be exploited.
Google's Mandiant security team said it is an SSRF (server-side request forgery), a vulnerability that allows attackers to send requests from a vulnerable server to systems used by the targeted organization. Oracle said the SSRF is remotely exploitable, and the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands.






