Critical Zero‑Day in Oracle PeopleSoft (CVE‑2026‑35273) Exploited in University Campaign
What It Is — Oracle disclosed a critical remote‑code‑execution flaw (CVE‑2026‑35273) in PeopleSoft Campus Solutions that allows unauthenticated attackers to execute arbitrary commands on the application server.
Exploitability — The vulnerability is already being weaponised by the ShinyHunters group; proof‑of‑concept exploits have been observed in the wild targeting multiple universities. CVSS v3.1 ≈ 9.8 (Critical).
Affected Products – Oracle PeopleSoft (Campus Solutions, Student Administration, and related modules).
Why It Matters for Compliance & Audit Readiness
- Continuous vulnerability management is a core SOC 2 CC6.1 control; an unpatched zero‑day demonstrates a gap in your risk‑mitigation workflow.
- Demonstrable evidence of timely patching and remediation is required for audit reviewers who now expect real‑time proof of control effectiveness.
- Universities and other regulated entities must show that they protect “confidential” and “restricted” data under HIPAA, FERPA, or GDPR, making this flaw a direct compliance risk.
Recommended Actions
- Apply Oracle’s emergency patch immediately and verify installation via a trusted configuration baseline.
- Update your vulnerability‑management policy to include zero‑day monitoring feeds (e.g., NVD, vendor advisories) and map the remediation to SOC 2 CC6.1.
- Capture patch‑deployment evidence in an immutable log for audit review; integrate with your continuous‑compliance platform.
- Conduct a focused penetration test on PeopleSoft instances to confirm no residual exploitation paths remain.
Source: TechRepublic – Oracle Warns PeopleSoft Customers After Critical Zero‑Day Exploited