Oracle PeopleSoft Enterprise PeopleTools Missing Authentication Vulnerability (CVE-2026-35273)
Severity Assessment
- Exploitability: 10/10 - Oracle and NVD both describe unauthenticated remote access over HTTP, so no valid user credentials are required.
- Impact: 10/10 - Oracle states successful exploitation may result in remote code execution, and NVD says the issue can result in takeover of PeopleSoft Enterprise PeopleTools.
- Weaponization Risk: 10/10 - CISA added the CVE to the Known Exploited Vulnerabilities catalog and marks it as known to be used in ransomware campaigns.
- Patch Urgency: 10/10 - Oracle released an out-of-band security alert on 2026-06-10, and CISA KEV lists a 2026-06-15 remediation due date.
- Detection Coverage: 4/10 - The primary sources describe the attack surface and impact, but they do not publish stable hashes, domains, or other universal IoCs.
Summary
CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools of the missing-authentication-for-critical-function class: a management function that should require an authenticated session can be reached without one. Oracle says the flaw affects PeopleTools versions 8.61 and 8.62 and is exploitable remotely over HTTP without authentication. Successful exploitation may give the attacker remote code execution within the PeopleTools environment.
Oracle published an out-of-band Security Alert on 2026-06-10, which makes this a high-priority remediation event for exposed PeopleSoft deployments. NVD published its record on 2026-06-11, and CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-06-12. CISA also flags the vulnerability as known to be used in ransomware campaigns, which raises the urgency for organizations that expose PeopleSoft to the internet or wider enterprise networks.
This entry is treated as a zero-day because the vulnerability became public through Oracle’s out-of-band alert and the CISA KEV listing, which requires evidence of active exploitation, followed within two days. The operational takeaway is straightforward: inventory affected PeopleTools versions, patch immediately, and treat exposed instances as suspect until logs and configuration have been reviewed.
Exploit Chain
Stage 1: Exposed PeopleTools Management Surface
The attacker targets a PeopleSoft Enterprise PeopleTools deployment that exposes the Updates Environment Management component over HTTP. The issue is reachable without authentication, so the attacker does not need to compromise a user account first.
Stage 2: Unauthenticated Access Attempt
The attacker sends a crafted request to the vulnerable HTTP endpoint. Oracle and NVD both describe the flaw as network-accessible and unauthenticated, which means the attack can begin as a direct remote request rather than a multi-step credentialed session.
Stage 3: Application Takeover
If the request succeeds, the attacker can compromise PeopleSoft Enterprise PeopleTools and obtain remote code execution. At that point the attacker can interact with the environment at the application level and prepare for follow-on access or disruption.
Stage 4: Ransomware-Linked Follow-On Activity
CISA’s KEV entry marks the CVE as known to be used in ransomware campaigns. In practice, that means defenders should assume follow-on activity may include data theft, system staging, and extortion preparation if the environment is not isolated and cleaned quickly.
Detection Guidance
Exposure review
- Inventory PeopleSoft Enterprise PeopleTools installations and confirm whether any systems are running versions 8.61 or 8.62.
- Prioritize systems that expose PeopleTools to the internet or to broad internal network access.
Network logging
- Review HTTP access logs for requests against PeopleTools management endpoints from untrusted sources.
- Flag unusual unauthenticated requests, repeated probes, or abnormal request patterns against the Updates Environment Management component.
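The log review described above, as an added example that is not part of Oracle's, NVD's or CISA's guidance: it parses combined-format access logs, keeps only requests to the management endpoint, discards sources inside the trusted admin subnets, and ranks the rest by whether they got a 2xx response and how often they hit the endpoint. The path `/PSEMHUB/` (the Environment Management Hub servlet on a PeopleSoft web server) and the trusted subnet are assumptions; the advisory does not name the vulnerable URL, so substitute the path Oracle's alert identifies. The log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# ASSUMPTION: the advisory does not give the vulnerable URL. /PSEMHUB/ is the
# Environment Management Hub servlet path on a PeopleSoft PIA web server and is
# used here only as a placeholder; replace it with the path from Oracle's alert.
MGMT_PATH_RE = re.compile(r"^/PSEMHUB/", re.IGNORECASE)

# ASSUMPTION: subnets from which administrative traffic to PeopleTools is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# NCSA combined log format as written by Apache httpd and most reverse proxies.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (not real traffic): three requests from one external
# address, one from the admin subnet, and one ordinary signon hit to be ignored.
SAMPLE_LOG = """\
203.0.113.45 - - [11/Jun/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.45 - - [11/Jun/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.45 - - [11/Jun/2026:02:14:12 +0000] "POST /PSEMHUB/hub HTTP/1.1" 500 221 "-" "python-requests/2.31"
10.20.30.5 - - [11/Jun/2026:02:20:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jun/2026:03:01:44 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def is_trusted(ip):
    """True when the source address falls inside one of the admin subnets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address or hostname: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def triage(text, probe_threshold=3):
    """Group management-endpoint requests from untrusted sources and rank them."""
    per_source = defaultdict(lambda: {"requests": 0, "successes": 0,
                                      "first": None, "last": None, "agents": set()})
    for rec in parse_log(text):
        if not MGMT_PATH_RE.match(rec["path"]):
            continue
        if is_trusted(rec["ip"]):
            continue  # expected admin traffic; reconcile against change records separately
        s = per_source[rec["ip"]]
        s["requests"] += 1
        if 200 <= rec["status"] < 300:
            s["successes"] += 1
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
        if rec["ua"]:
            s["agents"].add(rec["ua"])

    findings = []
    for ip, s in per_source.items():
        if s["successes"]:
            sev = "high"    # untrusted source got a 2xx from the management endpoint
        elif s["requests"] >= probe_threshold:
            sev = "medium"  # repeated probing with no visible success
        else:
            sev = "low"
        findings.append({"source": ip, "severity": sev, **s})
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], -f["requests"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['source']:15} req={f['requests']} "
              f"ok={f['successes']} {f['first']} .. {f['last']} agents={sorted(f['agents'])}")
```

Two caveats on reading the output. The remote-user field in a web server access log reflects HTTP-level authentication, which PeopleSoft web sessions do not use, so it is normally `-` for legitimate users as well; that is why the script ranks by source trust, response code and volume rather than by that field. And a 2xx from an untrusted source is the strongest lead here only because the flaw is unauthenticated; confirm the request actually reached the vulnerable component before escalating.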
Host and application monitoring
- Investigate unexpected application restarts, service crashes, or file changes in the PeopleTools environment after suspicious HTTP activity.
- Watch for new child processes, scheduled task changes, or account changes that do not match the normal management workflow.
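One way to make the "file changes in the PeopleTools environment" check repeatable, as an added example rather than Oracle's tooling: take a hashed baseline of the install tree before exposure is confirmed, then diff a later snapshot against it, singling out files that gained an execute bit. The directory to watch is assumed to be PS_HOME (the PeopleTools install root) or whichever path you pass in; the demo below builds a throwaway tree in a temporary directory instead, and the file names in it are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256, permission bits and size."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are skipped; audit them separately
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": _sha256(full),
                         "mode": stat.S_IMODE(st.st_mode),
                         "size": st.st_size}
    return snap


def save_baseline(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def diff_snapshots(before, after):
    """Classify changes between two snapshots. A permission-only change counts
    as modified, and any file that gained an execute bit is listed separately."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    new_exec = sorted(
        p for p in added + modified
        if after[p]["mode"] & 0o111 and not (p in before and before[p]["mode"] & 0o111)
    )
    return {"added": added, "removed": removed,
            "modified": modified, "new_executables": new_exec}


def run_demo():
    """Constructed tree in a temp dir (stands in for PS_HOME): take a baseline,
    then simulate an edited config file and a dropped executable, return the diff."""
    with tempfile.TemporaryDirectory(prefix="pstools-demo-") as root:
        ps_home = os.path.join(root, "ps_home")
        site = os.path.join(ps_home, "webserv", "peoplesoft")
        os.makedirs(site)
        cfg = os.path.join(site, "config.properties")
        with open(cfg, "w") as fh:
            fh.write("timeout=30\n")
        baseline_file = os.path.join(root, "baseline.json")  # kept outside the tree
        save_baseline(snapshot(ps_home), baseline_file)

        # Simulated post-exploitation changes: config edit plus a dropped script.
        with open(cfg, "a") as fh:
            fh.write("timeout=3000\n")
        dropped = os.path.join(site, "x.sh")
        with open(dropped, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(dropped, 0o755)

        return diff_snapshots(load_baseline(baseline_file), snapshot(ps_home))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:16} {paths}")
```

Take the baseline from a known-good copy (installation media or a host that was never exposed) rather than from a host after the suspicious traffic, otherwise a dropped file is already in the baseline; and keep the baseline file off the monitored tree and off the host, since an attacker with code execution can rewrite it.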
Containment checks
- If exposure is confirmed, isolate the system until patching and validation are complete.
- Treat any internet-exposed PeopleTools server as needing forensic review until the environment is confirmed clean.
- Apply Oracle’s security update immediately and confirm the affected host is no longer reachable over unmanaged HTTP paths.
- Review CISA’s KEV guidance for the remediation deadline and any triage requirements that apply to federal or regulated environments.
Indicators of Compromise
The primary sources do not publish file hashes, IP addresses, or domains for this CVE, so defenders should lean on behavioral telemetry rather than static indicators.
Potential investigation leads include:
- Unusual HTTP access to PeopleTools management endpoints from unfamiliar IP addresses
- Repeated unauthenticated requests to the Updates Environment Management component
- Application errors, crashes, or restarts after suspicious web traffic
- Unauthorized configuration or account changes in the PeopleTools environment
- Unexplained outbound activity from a PeopleTools host after a suspicious request
These are leads for triage, not proof on their own. Pair them with version inventory and exposure checks before declaring an incident.
Disclosure Timeline
| Date | Event |
|---|---|
| 2026-06-10 | Oracle publishes Security Alert CVE-2026-35273 and releases the out-of-band fix. |
| 2026-06-11 | NVD publishes the CVE record and describes the unauthenticated HTTP attack surface. |
| 2026-06-12 | CISA adds CVE-2026-35273 to the Known Exploited Vulnerabilities catalog. |
| 2026-06-15 | CISA KEV lists the federal remediation due date. |
Sources & References
- Oracle: Security Alert Advisory - CVE-2026-35273 — Oracle, 2026-06-10
- National Vulnerability Database: CVE-2026-35273 Detail — National Vulnerability Database, 2026-06-11
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-06-12