Oracle critical RCE (CVE-2026-35273)
Key Questions
What is CVE-2026-35273 and its severity?
CVE-2026-35273 is a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft. Oracle issued a Security Alert on June 10, 2026, noting it is remotely exploitable without authentication and no patch is yet available.
Who has exploited the Oracle vulnerability?
Mandiant confirmed that ShinyHunters exploited CVE-2026-35273 as a zero-day to breach over 100 organizations. Exploitation is reported as widespread, prompting immediate patching when available.
What should organizations do about the Oracle RCE vulnerability?
Organizations should apply the patch immediately once released by Oracle and monitor for indicators of compromise. The advisory emphasizes the critical nature and potential for unauthenticated remote exploitation.
Oracle released Security Alert for CVE-2026-35273 – critical unauthenticated remote code execution vulnerability. No patch yet; advisory issued June 10, 2026. Mandiant confirms ShinyHunters exploited this zero-day to breach 100+ organizations; exploitation widespread. Patch immediately if available.