Oracle PeopleSoft Zero-Day: 100+ Orgs Hit Before the Patch Existed
The news: CVE-2026-35273 is a CVSS 9.8 remote code execution flaw in Oracle PeopleSoft PeopleTools 8.61 and 8.62, exploitable over HTTP without authentication or user interaction. ShinyHunters (UNC6240) ran an active breach campaign from May 27 through June 9 before Oracle issued an emergency out-of-band patch on June 10; CISA added CVE-2026-35273 to KEV on June 12.
Why it matters: More than 100 organizations were compromised during the 14-day zero-day window, with HR, payroll, and financial records now on ShinyHunters' leak site. The University of Nottingham alone confirmed 454,600 current and former student records published. PeopleSoft carries payroll, HR, and financial data at enterprises and universities worldwide; dwell time during the breach window means stolen credentials may fuel follow-on attacks across connected systems.
What to do: Apply Oracle's emergency patch for PeopleTools 8.61/8.62 now; if you cannot patch today, remove PeopleSoft servers from any network path reachable by untrusted systems.
IBM: Two-Thirds of CIOs Are Accountable for AI They Don't Control
IBM's Institute for Business Value surveyed 2,000 technology executives across 33 countries in early 2026 and found that two-thirds of CIOs and CTOs are held accountable for AI systems they cannot fully govern, while 70% say business units are deploying AI faster than IT can track. Eight in ten respondents have a CEO-level AI transformation mandate; only 11% say they are ready for the scale of AI agents expected in the next 12 months. By 2027, respondents project 38% more AI agents in production than exist today. The Monday morning question this benchmark creates: can you inventory every AI model running in your environment right now?
The CIO Mandate Just Shifted: Business-IT Alignment Is Now Priority One
For the first time in this survey's history, business-IT alignment has overtaken cybersecurity as the top concern for technology leaders. The Experis CIO 2026 Outlook, surveying 1,930 IT leaders across 12 countries and published June 11, found 48% rank alignment as their top priority while cybersecurity has dropped to second. The driver is AI ROI pressure: boards want proof that technology investment translates to business results, and 61% of tech leaders say their senior peers still do not understand what the CIO role requires. If your security budget conversation with the CFO does not include an AI productivity lens this year, it may not land.
Watch This
The gap between when a vulnerability is exploited and when an enterprise can close it is widening. Oracle's PeopleSoft zero-day ran 14 days before a patch existed; Verizon's 2026 DBIR, published last month, found the median enterprise time-to-patch has risen to 43 days, up from 32. Attackers are moving faster while patch cycles are slowing, so this gap is structural and will not close on its own.
This week, DoGood network members are cross-referencing Oracle PeopleSoft patch status against active KEV items and mapping which AI deployments fall outside IT governance. If you run IT or security at a $100M+ company, both conversations are already on the table at your peers' organizations.
