a critical oracle peoplesoft vulnerability — cvss score 9.8, allowing unauthenticated remote code execution — was actively exploited in over 100 breaches between may 27 and june 9 before oracle published any warning, a two-week unwarned exploitation window. affected systems include universities, hospitals, and government agencies running peoplesoft for payroll and records. google mandiant confirmed the active exploitation timeline. the two-week gap between known exploitation and vendor disclosure is the structurally anomalous element here.