A critical vulnerability in Oracle's PeopleSoft software sat exposed for over two weeks while one of the most aggressive data-theft and extortion groups around quietly pulled gigabytes of data out of roughly 100 organizations. The attackers didn't just grab files and disappear: they are now demanding ransom payments in exchange for keeping the stolen information private. What makes this particularly alarming is that Oracle still hasn't fully patched the flaw.

The vulnerability, tracked as CVE-2026-35273, carries a CVSS score of 9.8 out of 10, placing it among the most severe flaws disclosed this year. ShinyHunters, the group behind the attacks, began exploiting it on May 27 and went undetected until researchers at Google's Mandiant team uncovered the campaign. By then the damage was done: roughly 300 compromised endpoints across about 100 victim organizations, around two-thirds of them universities and colleges. The University of Nottingham became the first victim to publicly confirm it was hit, disclosing that a "significant" amount of student data had been stolen.

What makes this attack vector so dangerous is the class of vulnerability. CVE-2026-35273 is a server-side request forgery (SSRF): the attacker supplies a destination, and the vulnerable server makes the request on the attacker's behalf, from its own network position and often with its own credentials. That turns the PeopleSoft server into a pivot: internal systems that were never meant to be reachable from the internet become reachable through it. Oracle has released an interim mitigation, but a permanent fix is still pending, and thousands of organizations running PeopleSoft remain in a precarious position in the meantime.
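The SSRF pattern described above, shown in general form as an added example. This is not code from the page, from Oracle, or from anything known about CVE-2026-35273; it contrasts a generic server-side fetch that connects wherever the client's URL points with a hardened version that allowlists hostnames and refuses any name resolving to a non-public address. The hostnames and IP addresses in `FAKE_DNS` are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name table standing in for DNS so the example runs offline.
# None of these hosts or addresses come from the incident described above.
FAKE_DNS = {
    "api.partner.example": "93.184.216.34",         # public address, legitimate destination
    "intranet.corp.example": "10.0.0.5",            # RFC 1918 private address
    "rebind.attacker.example": "127.0.0.1",         # public-looking name pointing at loopback
    "metadata.attacker.example": "169.254.169.254", # link-local, the cloud metadata address
}


def fake_resolve(host):
    """Stand-in for socket.gethostbyname; raises like the real call on unknown names."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host!r}")
    return FAKE_DNS[host]


def vulnerable_target(url):
    """Vulnerable pattern: the server connects wherever the client-supplied URL points.

    Real code would hand this straight to an HTTP client; here it only returns
    (host, port) so the example runs offline. Nothing stops the caller from
    naming 127.0.0.1, an RFC 1918 host, or the cloud metadata address.
    """
    parts = urlsplit(url)
    return parts.hostname, parts.port or 80


def check_outbound_url(url, allowed_hosts, resolve=socket.gethostbyname):
    """Hardened version: return (host, ip, port) the server may connect to.

    Raises ValueError for anything else. The allowlist is matched on the
    parsed hostname, and the name is resolved here so the caller can connect
    to the returned IP (setting the Host header itself) instead of resolving
    again later, which closes the DNS-rebinding window between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # urlsplit already lowercases this
    if host is None or host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    try:
        ip = ipaddress.ip_address(resolve(host))
    except (socket.gaierror, ValueError) as exc:
        raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
    # is_global is False for loopback, RFC 1918, link-local (169.254/16, fe80::/10),
    # unique-local IPv6 and the other reserved ranges.
    if not ip.is_global:
        raise ValueError(f"{host!r} resolves to non-public address {ip}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, str(ip), port


def rejection_reason(url, allowed_hosts, resolve=socket.gethostbyname):
    """Return the ValueError message for a rejected URL, or None if it was accepted."""
    try:
        check_outbound_url(url, allowed_hosts, resolve)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    allowed = {"api.partner.example", "rebind.attacker.example", "metadata.attacker.example"}
    for url in (
        "https://api.partner.example/report",
        "http://intranet.corp.example:8080/admin",
        "http://rebind.attacker.example/",
        "http://metadata.attacker.example/latest/meta-data/",
        "file:///etc/passwd",
    ):
        print(f"{url:55} vulnerable -> {vulnerable_target(url)}")
        print(f"{'':55} hardened   -> {rejection_reason(url, allowed, fake_resolve) or 'allowed'}")
```

Two design points matter in practice. First, a denylist of "bad" addresses is the wrong shape for this check: the allowlist of hostnames comes first, and the address check is a second line of defence for names that are on the list but resolve somewhere unexpected. Second, the check resolves the name and returns the IP so the HTTP client can connect to that exact address; validating the name and then letting the client resolve it again gives an attacker-controlled DNS server a chance to answer differently the second time.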

If you work at a university, hospital, or large enterprise that runs PeopleSoft for human resources or finance, this matters directly to you. The personal data held in those systems (Social Security numbers, addresses, employment history, financial information) could be in criminal hands right now. ShinyHunters' active ransom demands show the group intends to monetize what it stole. Some organizations will likely pay, which only encourages more attacks; those that refuse will see their data dumped on the dark web, where identity thieves can buy it for pennies.

The broader lesson here is unsettling: even when companies like Oracle are working on security, the gap between when a vulnerability is discovered and when it's fixed can be deadly. For two weeks, ShinyHunters operated with near-total impunity. As more organizations apply Oracle's interim mitigation and review their logs in the coming days, expect the full scope of this breach to become clearer. Watch for announcements from hospitals, government agencies, and educational institutions confirming they were targeted. This isn't the last we'll hear about CVE-2026-35273.