Active Exploitation of Oracle PeopleSoft SSRF Zero-Day

The Oracle PeopleSoft SSRF zero-day vulnerability, CVE-2026-35273, has moved beyond theory into active exploitation. For more than two weeks, the ransomware group ShinyHunters has leveraged this flaw to breach internal networks of nearly a hundred organizations, mostly universities. The attack exploits server-side request forgery to bypass perimeter defenses, turning exposed PeopleSoft servers into launchpads for internal intrusions. The University of Nottingham confirmed a breach involving gigabytes of student data stolen. This is no minor incident; the scale and sector targeted point to a deliberate campaign harvesting valuable personal information. Oracle’s response remains limited to temporary mitigations, with no full patch available yet. A shrinking window for damage control demands urgent action from affected entities.

Scope of Impact and Data Theft Details

CVE-2026-35273 is a server-side request forgery vulnerability in Oracle PeopleSoft that lets attackers coerce a compromised server into making unauthorized requests to internal resources. ShinyHunters have used this to siphon data silently from roughly 100 organizations over at least two weeks. The majority are higher education institutions juggling complex legacy systems with sensitive personal data. This SSRF flaw bypasses perimeter defenses, granting direct access to internal databases and APIs that should remain isolated. The University of Nottingham’s public breach confirmation, involving student records, provides a rare glimpse into the incident’s scale. Other affected organizations remain silent, but the widespread nature suggests systemic exposure rather than isolated cases. Oracle’s temporary mitigations focus on configuration tweaks and network restrictions but do not fully block exploitation. Without a comprehensive patch, affected organizations remain vulnerable. The stealthy SSRF exploitation complicates detection, raising the possibility of undetected breaches and lateral movement within networks. This incident exposes a critical weakness in a widely deployed enterprise application, demanding swift, informed responses.

Risks from ShinyHunters’ Exploitation Tactics

ShinyHunters’ exploitation tactics illustrate a threat landscape resistant to one-size-fits-all defenses. The SSRF vulnerability lets attackers pivot internally, but the attack vector varies by each organization’s infrastructure. Temporary mitigations may block attacks in one environment but fail or degrade operations in another. Oracle’s stopgap measures often involve configuration changes that risk disrupting legitimate processes or system performance, forcing organizations to balance security against functionality. Without a full patch, attackers can refine their methods, potentially escalating intrusion severity or scope. The full extent of data exfiltration remains uncertain: gigabytes of data have been stolen, but because SSRF facilitates lateral movement and privilege escalation, initial breaches could be footholds for deeper, stealthier incursions. While higher education is the primary target so far, PeopleSoft’s broad deployment means other sectors may harbor latent vulnerabilities. ShinyHunters’ adaptive tactics underscore the need for vigilance across industries.

Steps Organizations Should Prioritize Now

Organizations running Oracle PeopleSoft face an urgent challenge. The SSRF flaw bypasses perimeter defenses by exploiting trusted internal network access, rendering traditional firewall rules insufficient. Immediate application of Oracle’s temporary mitigations—often configuration changes restricting vulnerable request handling—is essential. However, these are stopgaps, not fixes. Until a full patch arrives, administrators must monitor logs for unusual internal requests and data exfiltration attempts. Network segmentation can help isolate PeopleSoft servers from sensitive resources, limiting potential damage. Given the demonstrated data theft scale, thorough audits to identify exposed records and assess compliance risks are critical. Preparing notification plans is necessary to meet regulatory obligations. Waiting passively risks prolonged exposure and penalties. This incident highlights the need for SSRF-specific detection in security tools. Traditional intrusion detection often misses subtle internal pivots. Enhancing visibility into internal HTTP requests and enforcing strict input validation on web applications can reduce attack surfaces for future zero-days. The priority: implement Oracle’s mitigations now, increase monitoring, isolate critical assets, and prepare incident response. The breach window is narrow; delay only widens the fallout.
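Two of the defensive measures above, strict validation of URLs a web application is asked to fetch and visibility into internal HTTP requests, can be made concrete. The following is an added example written for this page; it is not code from the article, from Oracle, or from PeopleSoft, and it says nothing about how CVE-2026-35273 itself is triggered. It assumes a hypothetical application with a single allowlisted external dependency, a hypothetical egress log format, and a constructed set of log lines and addresses.

```python
"""
Added example (not from the article or from Oracle). Two defender-side building blocks:

1. validate_outbound_url(): strict input validation for any URL a web application
   fetches on a user's behalf (scheme allowlist, host allowlist, rejection of
   destinations that are, or resolve to, internal address space).
2. find_suspicious_egress(): a detection pass over egress log lines from an
   application server, flagging requests to internal ranges that are not among
   the server's known dependencies.

Log format, host names, addresses and the allowlists are all constructed/hypothetical.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Address space an application server should normally never be asked to fetch from.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local (cloud metadata lives here)
    "fc00::/7",                                         # IPv6 unique local
    "0.0.0.0/8",                                        # "this network"
)]

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example"}          # hypothetical external dependency
KNOWN_INTERNAL_DEPENDENCIES = {("10.0.5.20", 1521)}  # hypothetical database listener


def is_internal_address(ip: str) -> bool:
    """True if the literal address falls in INTERNAL_NETWORKS. Raises ValueError
    for strings that are not IP addresses. IPv4-mapped IPv6 forms such as
    ::ffff:127.0.0.1 are unwrapped so they cannot slip past the IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETWORKS)


def validate_outbound_url(url: str, resolve=None) -> tuple[bool, str]:
    """Return (ok, reason). `resolve` maps a host name to an IP string and is
    injectable so the check runs offline; when omitted only literal addresses
    and the host allowlist are evaluated."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url"
    try:                                   # literal IP in the host position
        if is_internal_address(host):
            return False, "literal internal address"
    except ValueError:                     # a host name, not an address
        pass
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    if resolve is not None:
        ip = resolve(host)
        if is_internal_address(ip):
            return False, f"host resolves to internal address {ip}"
    return True, "ok"


# Constructed egress log lines (IPv4 only in this hypothetical format):
# <timestamp> src=<app server> dst=<ip>:<port> host=<requested host> status=<code>
SAMPLE_EGRESS_LOG = [
    "2026-04-02T10:00:01Z src=10.0.1.15 dst=10.0.5.20:1521 host=db.internal status=200",
    "2026-04-02T10:00:07Z src=10.0.1.15 dst=203.0.113.40:443 host=api.partner.example status=200",
    "2026-04-02T10:01:12Z src=10.0.1.15 dst=169.254.169.254:80 host=169.254.169.254 status=200",
    "2026-04-02T10:01:15Z src=10.0.1.15 dst=10.0.9.3:8080 host=hr-api.internal status=403",
    "2026-04-02T10:01:20Z src=10.0.1.15 dst=127.0.0.1:8000 host=localhost status=200",
]
LOG_RE = re.compile(r"dst=(?P<dst>[0-9.]+):(?P<port>\d+) host=(?P<host>\S+) status=(?P<status>\d+)")


def find_suspicious_egress(lines):
    """Return (dst, port, host, status) for each request to an internal address
    that is not a known dependency; a 403 still counts, since a blocked pivot
    attempt is exactly the signal worth alerting on."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        try:
            internal = is_internal_address(dst)
        except ValueError:
            continue
        if internal and (dst, port) not in KNOWN_INTERNAL_DEPENDENCIES:
            hits.append((dst, port, m["host"], m["status"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_egress(SAMPLE_EGRESS_LOG):
        print("suspicious internal request:", hit)
```

The validator is deliberately allowlist-first: a destination must be on the list of hosts the application legitimately fetches, and even then it is rejected if the name resolves into internal space, which is how DNS-based rebinding to an internal host is caught. On the detection side, the useful signal is not "internal traffic" in general but internal traffic the application tier has no business generating, so the known-dependency set is the tuning knob; start it narrow and widen it only with evidence.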