HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Zero‑Day in Oracle PeopleSoft (CVE‑2026‑35273) Exploited in University Campaign

Oracle disclosed CVE‑2026‑35273, a critical remote‑code‑execution flaw in PeopleSoft that is already being used by the ShinyHunters group against universities. The exploit highlights the need for continuous vulnerability management and SOC 2 evidence of timely remediation.

LiveThreat™ Intelligence · 📅 June 15, 2026· 📰 techrepublic.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
techrepublic.com

Critical Zero‑Day in Oracle PeopleSoft (CVE‑2026‑35273) Exploited in University Campaign

What It Is — Oracle disclosed a critical remote‑code‑execution flaw (CVE‑2026‑35273) in PeopleSoft Campus Solutions that allows unauthenticated attackers to execute arbitrary commands on the application server.

Exploitability — The vulnerability is already being weaponised by the ShinyHunters group; proof‑of‑concept exploits have been observed in the wild targeting multiple universities. CVSS v3.1 ≈ 9.8 (Critical).

Affected Products – Oracle PeopleSoft (Campus Solutions, Student Administration, and related modules).

Why It Matters for Compliance & Audit Readiness

  • Continuous vulnerability management is a core SOC 2 CC6.1 control; an unpatched zero‑day demonstrates a gap in your risk‑mitigation workflow.
  • Demonstrable evidence of timely patching and remediation is required for audit reviewers who now expect real‑time proof of control effectiveness.
  • Universities and other regulated entities must show that they protect “confidential” and “restricted” data under HIPAA, FERPA, or GDPR, making this flaw a direct compliance risk.

Recommended Actions

  • Apply Oracle’s emergency patch immediately and verify installation via a trusted configuration baseline.
  • Update your vulnerability‑management policy to include zero‑day monitoring feeds (e.g., NVD, vendor advisories) and map the remediation to SOC 2 CC6.1.
  • Capture patch‑deployment evidence in an immutable log for audit review; integrate with your continuous‑compliance platform.
  • Conduct a focused penetration test on PeopleSoft instances to confirm no residual exploitation paths remain.

Source: TechRepublic – Oracle Warns PeopleSoft Customers After Critical Zero‑Day Exploited

📰 Original Source
https://www.techrepublic.com/article/news-oracle-peoplesoft-zero-day-shinyhunters/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →