Zero‑Day Exploit of Oracle PeopleSoft Leads to Data Theft at NAIC
What Happened — ShinyHunters leveraged a zero‑day vulnerability (CVE‑2026‑35273) in Oracle PeopleSoft to gain unauthorized access to the National Association of Insurance Commissioners (NAIC) environment. The group exfiltrated publicly available statutory reports, outdated logs, configuration files and stored credentials before leaking the data when a ransom was refused.
Why It Matters for Compliance & Audit Readiness
- SOC 2 vendor‑management criteria (CC6.1, CC6.2) require continuous monitoring of third‑party software patches; a zero‑day bypass demonstrates the risk of gaps in that process.
- Auditable evidence of vendor‑risk assessments and remediation actions is essential to prove due‑diligence during an audit.
- The incident shows how configuration and credential exposure can trigger service disruptions, reinforcing the need for documented control testing and evidence collection.
Who Is Affected — Insurance regulators, insurers, and any organization running Oracle PeopleSoft or similar ERP platforms.
Recommended Actions — Map PeopleSoft to your vendor‑risk register, verify that the CVE‑2026‑35273 patch is applied, collect remediation evidence for SOC 2 audits, and implement continuous monitoring of vendor security advisories. Source: BleepingComputer
Technical Notes — Attack vector: exploitation of CVE‑2026‑35273 (zero‑day) in Oracle PeopleSoft. Stolen data: public statutory PDFs, legacy logs, AWS configuration files, and stored credentials for SERFF, OPTins, and UCAA production environments. Source: BleepingComputer