PeopleSoft Zero-Day Exploitation Exposes Legacy ERP Weaknesses Across Government and Education
Active zero-day exploitation of Oracle PeopleSoft by ShinyHunters reveals systemic risks to legacy ERP deployments in government and education, with chaining tactics enabling large-scale data theft and extortion.
Oracle's out-of-band advisory for CVE-2026-35273 underscores an accelerating pattern of targeted attacks against legacy enterprise systems that mainstream reporting has underplayed. While the initial disclosure notes unauthenticated remote code execution risks in PeopleTools 8.61 and 8.62, it omits the active exploitation timeline confirmed by Mandiant's Charles Carmakal and researchers tracking ShinyHunters. The group chained this zero-day with older flaws to breach over 300 instances across 100 organizations, with education bearing the brunt; the University of Nottingham's confirmed data loss is only the visible case.
This mirrors ShinyHunters' prior Salesforce campaign, where stolen HR and finance records enabled extortion; here the same playbook targets payroll and supply-chain datasets in environments often running unpatched for years. Governments and universities disproportionately rely on these ERP suites for core operations, creating persistent intelligence and espionage vectors that CISA's recent WebLogic warnings foreshadowed but did not connect to ERP surfaces.
Oracle's mitigation-only release, rather than a full patch, leaves thousands of deployments exposed precisely where threat actors have demonstrated dwell time and data exfiltration capability. The coverage gap lies in failing to link these incidents to broader supply-chain risk: compromised HR systems can yield credentials for lateral movement into classified networks, a pattern observed in prior state-linked operations against similar platforms.
SENTINEL: Exploitation of unpatched PeopleSoft instances will intensify through Q3 as extortion groups prioritize education and state-adjacent targets, forcing accelerated migrations or isolation strategies.
Sources (3)
- [1] Primary Source (https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/)
- [2] Related Source (https://www.bleepingcomputer.com/news/security/shinyhunters-hackers-claim-to-have-breached-100-organizations-via-peoplesoft/)
- [3] Related Source (https://www.mandiant.com/resources/blog)