Critical (9.8) Actively Exploited

PeopleSoft Enterprise unauth takeover (CVE-2026-35273) [PoC]

CVE-2026-35273

CVE-2026-35273: Oracle PeopleSoft PeopleTools 8.61/8.62 unauthenticated remote takeover via HTTP (CVSS 9.8). CISA KEV confirmed; patch immediately.

Affected: Oracle PeopleSoft Enterprise PeopleTools

Actively exploited in the wild - CVE-2026-35273 is a critical unauthenticated takeover vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 that allows any remote attacker to fully compromise the server via HTTP requests. Patches are available from Oracle - apply the latest Critical Patch Update immediately.

Overview

CVE-2026-35273 is a pre-authentication remote code execution vulnerability in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. The flaw requires no privileges, no user interaction, and is exploitable over the network via HTTP. Oracle assigned this vulnerability a CVSS 3.1 base score of 9.8 (Critical) due to complete compromise of confidentiality, integrity, and availability.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-35273 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Despite the CISA KEV status, the EPSS score remains at 0.0%, suggesting current exploitation activity is targeted rather than widespread.

Impact on Affected Systems

An unauthenticated attacker who successfully exploits CVE-2026-35273 gains full control over the targeted PeopleSoft Enterprise PeopleTools environment. This includes the ability to read, modify, or delete all data accessible through the PeopleTools framework, execute arbitrary system commands, and potentially pivot to other connected Oracle systems.

The vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 only. Organizations running these versions should treat this as an emergency patching priority.

Remediation and Mitigation

Immediate action required:

  1. Apply Oracle’s Critical Patch Update (CPU) - Oracle has released patches addressing CVE-2026-35273 in the latest quarterly CPU. Download and apply the patch for your affected version.

  2. Restrict network access - Until patches can be applied, restrict HTTP access to PeopleTools servers to trusted IP addresses only using firewall rules or network ACLs.

  3. Monitor for signs of compromise - Review PeopleTools logs for unusual HTTP requests, especially POST requests to the Updates Environment Management endpoint from unknown sources.

  4. Check CISA KEV remediation timelines - Per BOD 22-01, U.S. federal agencies must remediate this vulnerability by the specified due date. Private sector organizations should follow the same urgency.
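A log check that combines steps 2 and 3, added here as an example that is neither the advisory's nor Oracle's code: it parses web-server access log lines and flags POST requests to the Updates Environment Management endpoint from sources outside the trusted allowlist. The endpoint path is a placeholder (the advisory does not give it), the trusted ranges are assumed, and the log lines are constructed.

```python
import ipaddress
import re
from typing import Iterable

# Placeholder: the advisory names the Updates Environment Management endpoint
# but not its URL path. Replace with the path given in Oracle's CPU advisory.
UEM_ENDPOINT_PREFIX = "/REPLACE_WITH_UEM_ENDPOINT_PATH/"

# Assumed trusted source ranges (the firewall allowlist from step 2).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def flag_suspicious(lines: Iterable[str]) -> list[dict]:
    """Return parsed entries for POSTs to the UEM endpoint from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        entry = m.groupdict()
        if (entry["method"] == "POST"
                and entry["path"].startswith(UEM_ENDPOINT_PREFIX)
                and not is_trusted(entry["ip"])):
            hits.append(entry)
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.1.5 - - [01/Mar/2026:10:00:01 +0000] "POST /REPLACE_WITH_UEM_ENDPOINT_PATH/x HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2026:10:00:02 +0000] "POST /REPLACE_WITH_UEM_ENDPOINT_PATH/x HTTP/1.1" 200 8192',
    '203.0.113.7 - - [01/Mar/2026:10:00:03 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 2048',
    'not a log line',
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Point the script at the real access log and the patched endpoint path; a hit is a lead for incident response, not proof of compromise.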

For related reading on Oracle vulnerabilities under active exploitation, see our coverage of Oracle WebLogic CVE-2024-21182 exploited in the wild.

Security Insight

CVE-2026-35273 continues a troubling pattern of Oracle PeopleSoft products serving as high-value targets for threat actors due to their widespread deployment in HR and financial systems. While the low EPSS score suggests targeted exploitation rather than automated scanning campaigns, the CISA KEV designation means intelligence agencies and government contractors should treat this as an immediate priority. The unauthenticated nature of this vulnerability is particularly concerning because it removes the typical first layer of defense that organizations rely on to buy time for patch deployment.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository                   Description       Stars
HORKimhab/CVE-2026-35273     CVE-2026-35273    ★ 1
0xBlackash/CVE-2026-35273    CVE-2026-35273    ★ 1

Showing 2 of 2 known references. Source: nomi-sec/PoC-in-GitHub.
