答案已发布15小时前Last edited 15小时前14 来源

ShinyHunters利用Oracle PeopleSoft零日漏洞发动大规模入侵逾百组织遭殃

ShinyHunters组织利用CVE 2026 35273漏洞（CVSS 9.8分高危未授权远程代码执行漏洞）攻击Oracle PeopleSoft PeopleTools 8.61和8.62版本，在全球攻陷超过100家机构的300余个实例。攻击者窃取了个人信息、学术档案、HR数据和登录凭证，教育行业受害最深。得手后，犯罪团伙以公开数据为要挟勒索赎金。

使用 Studio Global AI 搜索并核查事实浏览更多热门页面

1020

Digital illustration representing the ShinyHunters cyberattack on Oracle PeopleSoft systems, with a shattered database icon, glowing code, and a dark, urgent cybersecurity backdrop — What was the ShinyHunters zero-day campaign against Oracle PeopleSoft that breached over 100 organizations, what was the vulnerability (CVE-The ShinyHunters zero-day campaign exploited CVE-2026-35273 to breach over 300 Oracle PeopleSoft instances worldwide.
AI 提示
Create a landscape editorial hero image for this Studio Global article: What was the ShinyHunters zero-day campaign against Oracle PeopleSoft that breached over 100 organizations, what was the vulnerability (CVE-. Article summary: Here is a comprehensive breakdown of the ShinyHunters campaign against Oracle PeopleSoft, based on current reporting.. Topic tags: general, general web, user generated. Reference image context from search candidates: Reference image 1: visual subject "Android Headlines / Tech News / Hackers Exploited a Critical Oracle Zero-Day to Breach Over 100 Companies. # Hackers Exploited a Critical Oracle Zero-Day to Breach Over 100 Compani" source context "Oracle Zero-Day Exploited to Breach 100+ Companies" Reference image 2: visual subject "# Oracle PeopleSoft Zero Day Exploited by ShinyHunters. Oracle shipped emergency mitigations on June 11 for CVE-2026-35273 after Shi
openai.com

2026年6月初，网络犯罪组织ShinyHunters发起了本年度影响最恶劣的零日漏洞攻击之一，利用Oracle PeopleSoft中的一个关键漏洞，入侵全球超过100家机构。攻击波及众多高校和企业，且正值官方补丁尚未发布之时，凸显了大型ERP系统面临持续风险，以及勒索导向的攻击者能将未公开漏洞迅速武器化的惊人速度。

此次攻击所涉漏洞CVE-2026-35273，CVSS v3.1评分高达9.8，可允许攻击者无需任何身份验证即实现远程代码执行。本文将深入解析该漏洞的技术细节、攻击时间线、被盗数据、甲骨文与CISA的响应，以及防御者此刻应采取的行动。

漏洞解析：CVE-2026-35273究竟何方神圣？

CVE-2026-35273存在于Oracle PeopleSoft Enterprise PeopleTools的更新环境管理组件中，影响8.61和8.62两个版本。该漏洞属于服务端请求伪造，可通过HTTP协议在无需验证的情况下触发。成功利用可导致PeopleSoft服务器被完全接管，攻击者将全面控制系统的机密性、完整性和可用性。

Oracle感谢了趋势AI零日计划及其研究部门的研究人员报告此漏洞。这一漏洞集网络攻击面、低复杂度、无需认证和无需用户交互等危险特性于一身，使其一经攻击者知晓便成为大规模利用的理想目标。

Studio Global AI

Search, cite, and publish your own answer

Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.

使用 Studio Global AI 搜索并核查事实

人们还问