Attackers have begun exploiting a critical flaw in Oracle E-Business Suite, the financial and operations platform used by large enterprises, threat intelligence firm Defused reports. The bug (CVE-2026-46817), rated 9.8, sits in the File Transmission component of Oracle Payments and lets an unauthenticated attacker with HTTP access take over the system through a low-complexity attack. Oracle patched it in its May 2026 update, but exploitation began over the weekend despite no public proof-of-concept existing, meaning attackers built their own. Observed payloads attempt to read sensitive system files. Shadowserver tracks more than 450 EBS instances exposed online, many in North America and Asia, with unknown numbers still unpatched.
Nissan has disclosed that current and former employees' data was stolen after attackers exploited a zero-day flaw in Oracle PeopleSoft, the software it uses to manage payroll, tax, and personnel records. In a filing with California's attorney general, Nissan said Oracle informed it that the personnel records of hundreds of companies may have been taken. The attacks, tied to the extortion group ShinyHunters, exploited PeopleSoft vulnerability CVE-2026-35273 as a zero-day between late May and early June, primarily hitting education organizations, before Oracle issued mitigations. ShinyHunters has begun leaking stolen data, with Nissan joining victims that include the University of Nottingham and a US insurance regulator group.
The ShinyHunters data-theft wave against Oracle PeopleSoft, covered yesterday, now has a confirmed root cause: a zero-day. Oracle has issued an out-of-band emergency mitigation for CVE-2026-35273, a critical flaw (rated 9.8) in PeopleSoft PeopleTools that lets an unauthenticated attacker run code on the server over HTTP, with no login required. Google's Mandiant says the bug was exploited from May 27 to June 9, before any advisory existed, and notified more than 100 affected organizations, 68 percent of them universities. The exposed component is the Environment Management Hub. Affected versions are PeopleTools 8.61 and 8.62; a full patch is still pending.
The extortion group ShinyHunters is running a wave of data-theft attacks against organizations using Oracle PeopleSoft, the enterprise software that large institutions rely on for HR, payroll, finance, and student records. Both cloud and on-premises instances are affected, and the gang claims data from more than 100 organizations. Attackers typically log in with stolen employee credentials, move through the PeopleSoft environment, and exfiltrate large datasets before demanding a Bitcoin ransom. A confirmed victim is the University of Nottingham, where a breach of an Oracle student-records system exposed 454,635 accounts. Researchers have shared attacker IP addresses and noted the use of MeshCentral remote-access agents.
Oracle broke its quarterly patch cycle to push an emergency fix for CVE-2026-21992 - a CVSS 9.8 pre-auth RCE in Oracle Identity Manager and Web Services Manager. An unauthenticated attacker with network access over HTTP can take over the entire identity management system. Oracle won't say if it's been exploited, but a nearly identical flaw in the same product (CVE-2025-61757) was added to CISA's KEV catalog just four months ago.