Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack
The ShinyHunters extortion group claims to have stolen 3.1 TB of data from the organization. The post Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack appeared first on SecurityWeek.
AI Analysis
Technical Summary
On June 11, 2026, Oracle published an out-of-band advisory for CVE-2026-35273, a zero-day vulnerability in Oracle PeopleSoft that permits unauthenticated remote code execution. Exploitation of this vulnerability was observed in the wild shortly after disclosure, with the ShinyHunters cybercrime group conducting a campaign targeting multiple organizations, including the National Association of Insurance Commissioners (NAIC). NAIC confirmed unauthorized access to its systems via this vulnerability, resulting in the theft of approximately 3.1 TB of data, primarily insurer regulatory filing documents and some publicly available financial and technical information. NAIC clarified that sensitive personal and payment information was not compromised, and other related regulatory systems were unaffected. The ShinyHunters group later revised some claims about the extent and nature of the stolen data. This incident highlights active exploitation of a critical PeopleSoft vulnerability shortly after its disclosure.
Potential Impact
The exploitation of CVE-2026-35273 allowed attackers to gain unauthorized access to NAIC systems, resulting in the theft of a large volume of data (over 3.1 TB), including insurer regulatory filing documents and publicly available financial and technical information. However, no personally identifiable information or payment/financial account information was compromised. State insurance departments and various regulatory reporting systems were not affected. The breach potentially exposes sensitive regulatory data, which could impact the confidentiality of insurer filings and related information.
Mitigation Recommendations
Oracle published an out-of-band advisory for CVE-2026-35273 on June 11, 2026, indicating that a fix is available. Organizations using Oracle PeopleSoft should apply the official patch promptly to remediate this vulnerability. Since this is not a cloud service, local patching is required. NAIC and other affected organizations should also review access logs and conduct forensic analysis to confirm that no unauthorized access persists. No vendor advisory indicates that action is unnecessary or that the issue is already mitigated without patching.
Technical Details
- Article Source: https://www.securityweek.com/insurance-regulators-group-naic-hit-in-oracle-peoplesoft-hack/ (fetched 2026-06-29T13:51:23.672Z, word count 1102)
Threat ID: 6a42785b27e9c79719f438a2
Added to database: 06/29/2026, 13:51:23 UTC
Last enriched: 06/29/2026, 13:51:32 UTC
Last updated: 06/30/2026, 00:08:41 UTC