Last updated: July 5, 2026 at 9:01 AM UTC
Tag: oracle (5 articles)

Critical Oracle E-Business Suite flaw now exploited for unauthenticated takeover

Attackers have begun exploiting a critical flaw in Oracle E-Business Suite, the financial and operations platform used by large enterprises, threat intelligence firm Defused reports. The bug (CVE-2026-46817), rated 9.8, sits in the File Transmission component of Oracle Payments and lets an unauthenticated attacker with HTTP access take over the system through a low-complexity attack. Oracle patched it in its May 2026 update, but exploitation began over the weekend despite no public proof-of-concept existing, meaning attackers built their own. Observed payloads attempt to read sensitive system files. Shadowserver tracks more than 450 EBS instances exposed online, many in North America and Asia, with unknown numbers still unpatched.

Check
Identify internet-facing Oracle E-Business Suite instances, confirm whether the May 2026 Critical Patch Update is applied, and review logs for suspicious requests to the Payments component and unexpected system-file access.
Affected
Oracle E-Business Suite versions 12.2.3 through 12.2.15 with the Payments component reachable over HTTP (CVE-2026-46817); unauthenticated attackers can fully compromise the system, and a private exploit is already in use.
Fix
Apply Oracle's May 2026 Critical Patch Update immediately, restrict EBS access to trusted networks, and run a compromise assessment if patching was delayed, since exploitation is underway without public exploit code.

Nissan employee data stolen through Oracle PeopleSoft zero-day attacks

Nissan has disclosed that current and former employees' data was stolen after attackers exploited a zero-day flaw in Oracle PeopleSoft, the software it uses to manage payroll, tax, and personnel records. In a filing with California's attorney general, Nissan said Oracle informed it that the personnel records of hundreds of companies may have been taken. The attacks, tied to the extortion group ShinyHunters, exploited PeopleSoft vulnerability CVE-2026-35273 as a zero-day between late May and early June, primarily hitting education organizations, before Oracle issued mitigations. ShinyHunters has begun leaking stolen data, with Nissan joining victims that include the University of Nottingham and a US insurance regulator group.

Check
Organizations using Oracle PeopleSoft should confirm the CVE-2026-35273 mitigations are applied and review access logs from late May through early June for signs of the data-theft activity Mandiant documented.
Affected
Nissan's current and former employees whose payroll and personnel records were exposed, and the hundreds of other PeopleSoft-using organizations Oracle says were caught in the same ShinyHunters zero-day campaign (CVE-2026-35273).
Fix
Apply Oracle's PeopleSoft mitigations, rotate exposed credentials, and offer affected employees identity protection. Affected individuals should watch for phishing and fraud using stolen payroll and personnel data, including tax-related identity theft.

Oracle issues emergency PeopleSoft fix as exploited zero-day drives breaches

The ShinyHunters data-theft wave against Oracle PeopleSoft, covered yesterday, now has a confirmed root cause: a zero-day. Oracle has issued an out-of-band emergency mitigation for CVE-2026-35273, a critical flaw (rated 9.8) in PeopleSoft PeopleTools that lets an unauthenticated attacker run code on the server over HTTP, with no login required. Google's Mandiant says the bug was exploited from May 27 to June 9, before any advisory existed, and notified more than 100 affected organizations, 68 percent of them universities. The exposed component is the Environment Management Hub. Affected versions are PeopleTools 8.61 and 8.62; a full patch is still pending.

Check
Determine whether PeopleSoft PeopleTools 8.61 or 8.62 is in use and whether the Environment Management Hub is reachable externally, then review logs for the published attacker IPs and credential-spray activity.
Affected
Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 with the Environment Management Hub exposed to untrusted networks (CVE-2026-35273); PeopleSoft Enterprise Applications customers may also be affected.
Fix
Apply Oracle's emergency mitigations from the June out-of-band alert immediately and restrict access to the Environment Management Hub, then watch for the full patch and assume compromise where exposed.

ShinyHunters extorts Oracle PeopleSoft customers in widening data-theft spree

The extortion group ShinyHunters is running a wave of data-theft attacks against organizations using Oracle PeopleSoft, the enterprise software that large institutions rely on for HR, payroll, finance, and student records. Both cloud and on-premises instances are affected, and the gang claims data from more than 100 organizations. Attackers typically log in with stolen employee credentials, move through the PeopleSoft environment, and exfiltrate large datasets before demanding a Bitcoin ransom. A confirmed victim is the University of Nottingham, where a breach of an Oracle student-records system exposed 454,635 accounts. Researchers have shared attacker IP addresses and noted the use of MeshCentral remote-access agents.

Check
Review PeopleSoft access logs for logins from unfamiliar IPs or locations, check for MeshCentral or other unexpected remote-access agents, and confirm whether your organization received a ShinyHunters extortion demand.
Affected
Organizations running cloud or on-premises Oracle PeopleSoft, particularly those with reused or phishable employee credentials and limited monitoring of administrative access to HR, finance, and student-records modules.
Fix
Enforce phishing-resistant MFA on all PeopleSoft accounts, rotate exposed credentials, block the shared attacker IPs, remove unauthorized remote-access tools, and tighten access controls and logging on instances.

Oracle emergency patch for pre-auth RCE in Identity Manager and Web Services Manager (CVE-2026-21992)

Oracle broke its quarterly patch cycle to push an emergency fix for CVE-2026-21992 - a CVSS 9.8 pre-auth RCE in Oracle Identity Manager and Web Services Manager. An unauthenticated attacker with network access over HTTP can take over the entire identity management system. Oracle won't say if it's been exploited, but a nearly identical flaw in the same product (CVE-2025-61757) was added to CISA's KEV catalog just four months ago.

Check
Check if you run Oracle Identity Manager or Oracle Web Services Manager.
Affected
Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0. Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
Fix
Apply the out-of-band Security Alert patch from Oracle immediately. The patch is only available for versions under Premier or Extended Support.