Severity
High
Analysis Summary
CISA has added CVE-2026-35273, a critical vulnerability affecting Oracle PeopleSoft Enterprise PeopleTools, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw is categorized as CWE-306 (Missing Authentication for Critical Function): an unauthenticated remote attacker can reach and execute sensitive functions that should require valid credentials. As a result, threat actors can potentially gain complete control over vulnerable PeopleSoft environments, making it a severe risk for organizations that rely on the platform for enterprise operations.
The vulnerability is particularly concerning because it impacts Oracle PeopleSoft, a widely deployed Enterprise Resource Planning (ERP) solution used to manage critical business functions such as finance, human resources, payroll, and operations. Successful exploitation can provide attackers with access to highly sensitive corporate data, enable unauthorized administrative actions, and create opportunities for privilege escalation and persistent access. Since the flaw can be exploited remotely without authentication, internet-facing PeopleSoft instances are especially vulnerable to compromise.
According to CISA, CVE-2026-35273 has already been leveraged in ransomware campaigns, highlighting its attractiveness to financially motivated threat actors. Once access is obtained, attackers may deploy ransomware payloads, steal confidential information, move laterally across networks, and establish long-term persistence within enterprise environments. Although technical details of the exploitation process remain limited, the authentication-bypass nature of the flaw suggests that exposed administrative functionality can be abused directly, significantly reducing the complexity of an attack.
To mitigate the threat, CISA has directed organizations to prioritize remediation immediately under Binding Operational Directive (BOD) 26-04, emphasizing the importance of applying Oracle-provided patches and mitigations. Organizations should identify and secure internet-facing PeopleSoft systems, implement strict access controls, monitor logs for unusual administrative activity, and conduct forensic reviews to detect signs of compromise. Given the confirmed ransomware-related exploitation, defenders should also strengthen backup strategies, verify data integrity, enforce network segmentation, and deploy multi-factor authentication where possible. The active exploitation of CVE-2026-35273 underscores the growing trend of attackers targeting critical enterprise software vulnerabilities to gain initial access and compromise high-value organizational assets.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2026-35273
Remediation
- Apply the latest Oracle security patches and updates addressing CVE-2026-35273 immediately.
- Identify and remediate all vulnerable Oracle PeopleSoft Enterprise PeopleTools instances, especially those exposed to the internet.
- Restrict access to PeopleSoft administrative interfaces using firewalls, VPNs, and network access controls.
- Disable or isolate affected systems if patches cannot be applied immediately.
- Review and implement Oracle-recommended mitigations and security best practices.
- Monitor authentication logs, administrative activities, and system events for signs of unauthorized access.
- Conduct forensic investigations to identify potential indicators of compromise (IOCs) or malicious activity.
- Implement network segmentation to limit lateral movement in the event of a breach.
- Enforce the principle of least privilege and regularly review user and administrator permissions.
- Enable Multi-Factor Authentication (MFA) for all administrative and remote access accounts where possible.
- Ensure endpoint detection and response (EDR) and security monitoring solutions are actively monitoring PeopleSoft servers.
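The first two remediation steps above amount to matching the KEV entry against an asset inventory and ordering the work by exposure. The script below is an added example, not code from CISA, Oracle or this advisory: the KEV record uses the real field names of the CISA KEV JSON feed, but its dates and the inventory hosts are constructed placeholders.

```python
import json

# Constructed KEV-style record for the CVE on this page. Field names follow the
# CISA KEV JSON feed; dateAdded and dueDate are placeholders, not page values.
KEV_FEED = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2026-35273",
    "vendorProject": "Oracle",
    "product": "PeopleSoft Enterprise PeopleTools",
    "dateAdded": "2026-01-01",   # placeholder
    "dueDate": "2026-01-22",     # placeholder
    "knownRansomwareCampaignUse": "Known",
    "cwes": ["CWE-306"],
}]})

# Constructed asset inventory with hypothetical hostnames.
INVENTORY = [
    {"host": "hr-psft-01", "product": "Oracle PeopleSoft Enterprise PeopleTools",
     "internet_exposed": True, "patched": False},
    {"host": "fin-psft-02", "product": "Oracle PeopleSoft Enterprise PeopleTools",
     "internet_exposed": False, "patched": False},
    {"host": "hr-psft-03", "product": "Oracle PeopleSoft Enterprise PeopleTools",
     "internet_exposed": True, "patched": True},
    {"host": "web-cms-01", "product": "WordPress",
     "internet_exposed": True, "patched": False},
]

def triage(feed_json, inventory, cve_id="CVE-2026-35273"):
    """Return unpatched hosts affected by cve_id, highest priority first.

    Priority: base 1 for an unpatched match, +2 if internet-exposed,
    +1 if KEV reports known ransomware campaign use. Patched hosts and
    hosts running other products are skipped.
    """
    vulns = json.loads(feed_json)["vulnerabilities"]
    entry = next((v for v in vulns if v["cveID"] == cve_id), None)
    if entry is None:
        return []  # not in the KEV feed: nothing to prioritize here
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    findings = []
    for asset in inventory:
        # Substring match: inventory product strings rarely equal KEV's exactly.
        if entry["product"].lower() not in asset["product"].lower() or asset["patched"]:
            continue
        reasons, priority = ["unpatched"], 1
        if asset["internet_exposed"]:
            reasons.append("internet-exposed"); priority += 2
        if ransomware:
            reasons.append("ransomware use known"); priority += 1
        findings.append({"host": asset["host"], "priority": priority,
                         "due": entry["dueDate"], "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["priority"], f["host"]))
```

Feeding the real KEV JSON and a real inventory into `triage` yields the patch order; the internet-facing, unpatched host lands at the top.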