CISA has added a critical Oracle PeopleSoft vulnerability, tracked as CVE-2026-35273, to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
The flaw affects Oracle PeopleSoft Enterprise PeopleTools and enables unauthenticated attackers to gain full control over affected systems.
The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), indicating a failure to enforce authentication mechanisms for sensitive operations.
This flaw allows remote attackers to execute critical functions without valid credentials, effectively leading to complete system takeover.
Oracle PeopleSoft 0-Day Vulnerability Exploit
According to CISA, the vulnerability has already been exploited in ransomware campaigns, raising significant concerns for organizations that rely on PeopleSoft environments.
While detailed technical exploitation methods remain limited, the nature of the flaw suggests attackers can remotely access administrative functionalities exposed over the internet.
Oracle PeopleSoft Enterprise PeopleTools is widely used for enterprise resource planning (ERP) applications, making it a high-value target for threat actors.
Successful exploitation could allow attackers to access sensitive financial, HR, and operational data, deploy ransomware payloads, and establish persistent access within enterprise networks.
CISA added CVE-2026-35273 to its KEV catalog on June 12, 2026, with a remediation due date of June 15, 2026, under Binding Operational Directive (BOD) 26-04.
The directive emphasizes prioritizing security updates based on risk, particularly for vulnerabilities actively exploited in attacks.
Organizations are strongly advised to apply vendor-provided patches and mitigations immediately. If patches are unavailable, CISA recommends discontinuing use of affected systems or implementing compensating controls to reduce exposure.
Security teams should also assess internet-facing assets to identify vulnerable PeopleSoft instances and restrict unauthorized access.
In addition to patching, CISA urges organizations to follow its “Forensics Triage Requirements” to detect potential compromise.
Indicators of exploitation may include unusual administrative activity, unauthorized access attempts, and unexpected system changes. Network monitoring and log analysis are critical to identifying early signs of intrusion.
Given the confirmed use in ransomware campaigns, defenders should also review backup strategies, ensure data integrity, and implement segmentation controls to limit lateral movement.
Multi-factor authentication (MFA) and strict access controls can further reduce the attack surface. However, they may not fully mitigate this specific flaw given its authentication-bypass nature.
The rapid exploitation of CVE-2026-35273 highlights the ongoing trend of threat actors targeting enterprise software vulnerabilities to gain initial access.
Organizations using Oracle PeopleSoft are urged to treat this issue as a top priority and take immediate action to prevent potential compromise.
CISO & Security Leaders: Your next breach may not have a face. Join ISC2’s LIVE webinar, “Ghost in the Machine” – Book Your Spot Here
