PeopleSoft Zero-Day: What the Critical SSRF Flaw Means for Enterprises and Higher Ed
By Mag-Info Tech editorial · 2026-06-13

A critical zero-day vulnerability in Oracle’s PeopleSoft enterprise suite is being actively exploited by the ShinyHunters extortion group, with roughly 100 organizations already targeted and at least one confirmed victim, the University of Nottingham, whose stolen data was published after it did not pay. The flaw, tracked as CVE-2026-35273 and scored 9.8 out of 10 on CVSS, is a server-side request forgery (SSRF): an attacker sends the PeopleSoft server a crafted request, and the server in turn issues requests on the attacker’s behalf to internal systems that are not reachable from the internet. Oracle has acknowledged the issue and issued a stopgap mitigation, but a full patch has not yet been released. The implications are severe: sensitive data exposure, lateral movement within enterprise networks, and the immediate risk of data theft and extortion.
How the PeopleSoft SSRF Flaw Works and Why It’s So Dangerous
CVE-2026-35273 is a server-side request forgery (SSRF) vulnerability in Oracle PeopleSoft: an unauthenticated attacker supplies input that causes the PeopleSoft server to make outbound requests of the attacker’s choosing. Because PeopleSoft typically integrates with internal databases, identity systems, and third-party services, its application servers are allowed to reach hosts that an outside attacker cannot, so an SSRF flaw becomes a gateway into the internal network. Attackers abuse this to probe internal services, reach cloud metadata endpoints, harvest credentials, or pull data, with every request appearing to originate from a trusted internal source. The 9.8 CVSS score corresponds to a flaw that is reachable over the network, has low attack complexity, requires no privileges and no user interaction, and has high impact on confidentiality, integrity and availability.
Security researchers at Google’s Mandiant have observed ShinyHunters exploiting the flaw since at least May 27, more than two weeks before public disclosure. The group targeted approximately 300 endpoints across roughly 100 organizations, 68% of them in higher education. That targeting pattern suggests the attackers are prioritizing sectors that hold large volumes of personal and sensitive data, where the leverage gained from exposure is greatest. The University of Nottingham confirmed it was breached; a “significant” amount of student data was stolen and later published by ShinyHunters after an extortion demand was reportedly ignored.
The Extortion Playbook: Data Theft, Leak Sites, and Ransom Demands
ShinyHunters is following a well-documented extortion model: steal sensitive data, issue a ransom demand, and threaten to publish the files on a leak site if payment is not made. In this case, the group claimed responsibility for breaching the University of Nottingham and published gigabytes of allegedly stolen data after the institution did not comply. The approach dispenses with encryption altogether; the leverage is the exfiltrated data itself and the reputational and regulatory harm of its release.
The group’s activity highlights a broader trend in cybercrime: the weaponization of data theft over system encryption. For organizations like universities, which hold vast amounts of personal and academic data, the risk isn’t just operational disruption—it’s the exposure of student records, research data, and financial information. The extortion model also lowers the barrier to entry for attackers, as they don’t need to encrypt systems to extract value; they only need to steal and threaten to leak.

Oracle’s Response: Stopgap Mitigation, No Full Patch Yet
Oracle has acknowledged the vulnerability and issued a stopgap mitigation to reduce exposure, but has not yet released a full patch. This leaves organizations in a precarious position: they must apply mitigations immediately while awaiting a permanent fix. The delay in patching is particularly concerning given the active exploitation timeline and the high severity of the flaw.
Enterprises running PeopleSoft should treat this as an active incident rather than a routine patch cycle. Oracle’s interim guidance should be applied exactly as written; in general, stopgap SSRF mitigations of this kind amount to disabling or access-restricting the affected functionality, restricting the destinations the application server is permitted to reach, or tightening segmentation to shrink the blast radius. All of these are configuration-level workarounds, which are easier to bypass, or to silently undo in a later change, than a code fix, so organizations should assume they remain exposed until the patch ships and should re-verify that the mitigation is still in place after every deployment or configuration change. The episode is also a reminder that patch management has to be fast, and that dependence on enterprise software with slow security updates is itself a risk to be managed.
Who Is at Risk? Higher Education and Large Enterprises in the Crosshairs
Mandiant’s analysis shows that 68% of targeted organizations are in higher education, where PeopleSoft Campus Solutions is commonly used for student information systems (SIS), human resources, and financial aid management. These systems hold highly sensitive personal data, including Social Security numbers, financial aid details, and academic records. The concentration suggests that attackers are selecting for data-rich targets rather than for any particular industry vertical.
Beyond higher education, large enterprises using PeopleSoft for ERP, supply chain management, or CRM integrations are also at risk. Any organization that exposes PeopleSoft interfaces to the internet—whether for mobile access, self-service portals, or API integrations—could be vulnerable. The SSRF flaw’s remote exploitability means attackers don’t need internal access to launch an attack; a single exposed endpoint can serve as the entry point.
Practical Steps to Reduce Exposure While Awaiting a Patch
Organizations should immediately restrict what their PeopleSoft web and application servers are allowed to reach: default-deny egress from the PeopleSoft tier, with explicit allow rules only for the database, identity provider, and other integrations the application genuinely needs. This does not stop SSRF against the destinations that remain allowlisted, but it removes the rest of the internal network, cloud metadata services, and arbitrary internet hosts as targets, and it blocks the most direct exfiltration path. Review existing outbound firewall rules for the PeopleSoft tier with the same lens and remove any internet-bound rule that cannot be tied to a named integration. These steps reduce the attack surface while Oracle develops a permanent fix.
Another critical step is to audit all PeopleSoft integrations and APIs. Disable any unnecessary external-facing endpoints and enforce strict authentication and authorization on the ones that remain. If PeopleSoft must be exposed to the internet, a web application firewall (WAF) can add friction with rules that reject request parameters carrying URLs or hostnames that point at private address ranges, loopback, link-local addresses, or cloud metadata endpoints. Treat such rules as a detective control rather than a fix: SSRF blocklists are routinely bypassed with alternate IP encodings (decimal or hexadecimal addresses, IPv4-mapped IPv6), open redirects on allowlisted hosts, and DNS rebinding, so they must be paired with the egress restrictions above and with monitoring of outbound traffic from the PeopleSoft servers.
Detection and Monitoring: Hunting for SSRF Activity in PeopleSoft
Detecting SSRF exploitation in PeopleSoft means watching the outbound HTTP/HTTPS traffic that originates from the PeopleSoft servers themselves, since from the network’s point of view the attacker’s requests are the server’s requests. Security teams should look for connections to internal addresses the application has no business reaching, destinations outside the server’s established egress baseline, sweeps of many internal hosts or ports in a short window, requests to cloud metadata endpoints, and request paths or user-agent strings that do not match the application’s own integration clients. Logs from PeopleSoft application servers, web servers, egress proxies, and firewalls should be correlated so that an inbound request can be tied to the outbound connection it triggered.
Mandiant’s findings suggest that attackers may be probing internal services for additional vulnerabilities after gaining a foothold via SSRF. Organizations should therefore expand threat hunting efforts to include lateral movement detection, unusual database queries, and authentication attempts from unexpected sources. Implementing endpoint detection and response (EDR) on systems adjacent to PeopleSoft can help identify suspicious activity early.
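The WAF-style screening described in the mitigation section and the outbound hunting described here rest on the same building block: a classifier that decides whether a destination is internal and is not fooled by the alternate spellings attackers use to slip past blocklists. The following Python is an added example written for this article, not code from Oracle, Mandiant or the PeopleSoft product; the egress-log format, IP addresses, application-server addresses and egress baseline are constructed for illustration, and the metadata hostnames are the standard AWS (IPv4 and IPv6) and GCP endpoints.

```python
"""Inbound and outbound SSRF checks sharing one address classifier (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges an app server must never fetch from on a client's behalf. Listed explicitly so
# the policy is visible; ipaddress.is_private would also sweep in documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}
# Hypothetical egress baseline for the example app tier, as dst:port or host:port.
EXPECTED_EGRESS = {"10.20.1.5:1521", "sso.example.edu:443"}


def parse_ip(host):
    """ip_address for an IP literal, None for a DNS name. Handles spellings that beat
    string blocklists: 2130706433 and 0x7f000001 are 127.0.0.1; [::ffff:10.0.0.1] is 10.0.0.1."""
    h = host.strip("[]")
    if re.fullmatch(r"0x[0-9a-fA-F]{1,8}", h):
        return ipaddress.ip_address(int(h, 16))
    if re.fullmatch(r"[0-9]{1,10}", h) and int(h) <= 0xFFFFFFFF:
        return ipaddress.ip_address(int(h))
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def internal_kind(ip):
    """'loopback', 'link-local' or 'private' for an internal address, else None."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "private" if any(ip in net for net in INTERNAL_NETS) else None


def screen_url(url):
    """Reason to reject the URL as an SSRF target, or None for a plain external http(s) URL.
    A DNS name that passes must be re-checked against the *resolved* address at connect
    time and after every redirect; this screen alone does not stop DNS rebinding."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return "scheme:" + (parts.scheme.lower() or "none")    # file:, gopher:, dict: ...
    host = parts.hostname or ""          # .hostname drops userinfo (http://10.0.0.1@evil/)
    if not host:
        return "no-host"
    if host in METADATA_HOSTS:
        return "metadata"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback-name"
    ip = parse_ip(host)
    if ip is None:   # digits-and-dots that ipaddress rejects (127.1) still resolve via libc
        return "malformed-ip-literal" if re.fullmatch(r"[0-9.]+", host) else None
    return internal_kind(ip)


# Constructed egress-log format: one line per outbound connection from the app tier.
LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)")


def hunt_egress(lines, app_servers, expected=EXPECTED_EGRESS, sweep_threshold=4):
    """(timestamp, src, destination, reason) for every app-server connection outside the
    baseline. A source touching >= sweep_threshold distinct unexpected internal hosts is
    also reported as a sweep: the post-SSRF internal probing the article describes."""
    findings, internal_hits = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["src"] not in app_servers:
            continue
        by_ip, by_host = f'{m["dst"]}:{m["dport"]}', f'{m["host"]}:{m["dport"]}'
        if by_ip in expected or by_host in expected:
            continue
        ip = parse_ip(m["dst"])
        kind = internal_kind(ip) if ip is not None else None
        if m["dst"] in METADATA_HOSTS or m["host"] in METADATA_HOSTS:
            findings.append((m["ts"], m["src"], by_ip, "metadata-endpoint"))
        elif kind:
            internal_hits.setdefault(m["src"], set()).add(by_ip)
            findings.append((m["ts"], m["src"], by_ip, "unexpected-internal:" + kind))
        else:
            findings.append((m["ts"], m["src"], by_host, "unexpected-external"))
    for src, targets in internal_hits.items():
        if len(targets) >= sweep_threshold:
            findings.append(("-", src, f"{len(targets)} internal hosts", "internal-sweep"))
    return findings


# Constructed sample for app server 10.20.5.14: baseline DB and SSO traffic, a sweep of
# four neighbours, a cloud metadata fetch, an unknown external host; 10.20.9.2 is not app tier.
SAMPLE_EGRESS_LOG = """\
2026-06-01T10:22:31Z src=10.20.5.14 dst=10.20.1.5 dport=1521 host=-
2026-06-01T10:22:32Z src=10.20.5.14 dst=203.0.113.10 dport=443 host=sso.example.edu
2026-06-01T10:23:01Z src=10.20.5.14 dst=10.20.1.1 dport=80 host=-
2026-06-01T10:23:01Z src=10.20.5.14 dst=10.20.1.2 dport=80 host=-
2026-06-01T10:23:02Z src=10.20.5.14 dst=10.20.1.3 dport=80 host=-
2026-06-01T10:23:03Z src=10.20.5.14 dst=10.20.1.6 dport=8080 host=-
2026-06-01T10:23:09Z src=10.20.5.14 dst=169.254.169.254 dport=80 host=-
2026-06-01T10:24:40Z src=10.20.5.14 dst=198.51.100.77 dport=443 host=files.example
2026-06-01T10:24:41Z src=10.20.9.2 dst=10.20.1.7 dport=80 host=-
""".splitlines()
```

screen_url() answers the inbound question (should this URL-bearing parameter be rejected?) and hunt_egress() the outbound one (which connections from the app tier fall outside its baseline?). On the sample log, the four neighbouring hosts are reported individually and then again as a sweep, the metadata fetch is called out on its own, and the connection to the unknown external host is flagged even though nothing about it is internal. Note what the inbound screen cannot do: a hostname that passes it can still resolve to an internal address, so the resolved address has to be re-checked at connect time and after each redirect, which is why egress filtering and egress monitoring remain necessary even with a WAF rule in place.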
The Broader Implications: SSRF in Enterprise Software and Supply Chain Risk
This incident highlights a systemic risk in enterprise software: the prevalence of SSRF flaws in large, integrated platforms like PeopleSoft. SSRF vulnerabilities are often overlooked because they don’t fit the mold of traditional injection or buffer overflow flaws, yet they can provide attackers with a powerful foothold in enterprise environments. The fact that a ransomware group is actively exploiting such a flaw underscores the need for better security practices in enterprise software development.
It also raises questions about supply chain risk. PeopleSoft is widely used across industries, and a single vulnerability can have cascading effects on hundreds of organizations. This underscores the importance of third-party risk assessments and continuous monitoring of enterprise software for new vulnerabilities. Organizations should not assume that widely deployed software is inherently secure, especially when zero-days are involved.

What to Watch Next: Patch Timeline, Regulatory Scrutiny, and Attacker Evolution
The most immediate concern is Oracle’s patch release timeline. Given the active exploitation and high severity, a patch is likely imminent, but the delay so far suggests potential challenges in remediation. Organizations should prepare for rapid patch deployment once it becomes available, including regression testing and phased rollouts to minimize operational disruption.
Regulatory scrutiny is also likely to increase, particularly for higher education institutions and organizations handling sensitive personal data. Breach notifications and potential fines under data protection regulations may follow, especially if organizations are found to have delayed patching or inadequate mitigations. The University of Nottingham’s public confirmation of the breach may prompt similar disclosures from other affected institutions.
Finally, security teams should monitor for evolving tactics from ShinyHunters and other groups. The SSRF-to-extortion playbook may inspire copycat attacks against other enterprise software platforms with similar integration models. Proactive threat intelligence sharing and rapid incident response capabilities will be critical in mitigating future risks.
Bottom Line: Treat This as an Active Incident, Not Just a Vulnerability
The PeopleSoft SSRF zero-day is not just another vulnerability—it’s an active, high-impact threat with confirmed exploitation and extortion activity. Organizations using PeopleSoft must act immediately to apply mitigations, segment their networks, and monitor for suspicious activity. While awaiting Oracle’s patch, assume breach conditions and prioritize protecting sensitive data and internal systems.
For higher education and large enterprises, this incident is a wake-up call about the risks of relying on complex, integrated enterprise software without robust security controls. The combination of a critical zero-day, active exploitation, and a sophisticated extortion group creates a perfect storm. The time to act is now—before the next wave of attacks exploits the same gap in your defenses.