PeopleSoft CVE-2026-35273 (CVSS 9.8) Actively Exploited
Oracle PeopleSoft Enterprise PeopleTools is affected by CVE-2026-35273, a critical missing authentication vulnerability allowing unauthenticated network takeovers. This flaw carries a CVSSv3.1 score of 9.8 (Critical) and is currently under active exploitation in the wild, having been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. This post provides a technical analysis of the vulnerability, its impact, and recommended mitigation strategies.
The vulnerability stems from a critical function within PeopleSoft Enterprise PeopleTools lacking proper authentication, making it accessible to unauthorized external actors. Exploitation can lead to complete compromise of affected PeopleSoft environments, which shows the severe risk it poses to organizations utilizing this enterprise software. Immediate action is required to prevent potential network compromise.
Our analysis indicates that this vulnerability permits unauthenticated remote attackers to establish control over vulnerable systems. Active exploitation means CVE-2026-35273 is a real threat, demanding immediate attention from security teams and system administrators responsible for Oracle PeopleSoft deployments.
What is CVE-2026-35273 and why is it critical?
CVE-2026-35273 identifies a missing authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools. This flaw is critical due to its CVSSv3.1 score of 9.8, signifying that it is remotely exploitable without authentication and can lead to a complete compromise of confidentiality, integrity, and availability. The "missing authentication for critical function" aspect means that a specific, vital component or capability within the PeopleSoft framework is exposed to the network without any requirement for credential verification.
Its inclusion in the CISA KEV catalog amplifies its criticality, indicating confirmed active exploitation by threat actors. This designation signals the vulnerability is an ongoing threat that organizations must defend against immediately. Such unauthenticated access to critical functions can serve as a direct gateway for attackers to achieve deep access into an organization's enterprise resource planning (ERP) systems.
The potential for "unauthenticated network takeovers" means that attackers can gain unauthorized control over the PeopleSoft application and potentially the underlying infrastructure. This level of access could enable adversaries to manipulate financial records, exfiltrate sensitive employee or customer data, disrupt business operations, or establish persistence within the network for future attacks. The broad deployment of Oracle PeopleSoft across various industries makes this a high-impact vulnerability.
Impact Assessment
An attacker exploiting CVE-2026-35273 can achieve an unauthenticated network takeover of vulnerable Oracle PeopleSoft environments. This encompasses a broad spectrum of malicious activities, including unauthorized data access, modification, and potential disruption of critical business processes. The vulnerability's CVSSv3.1 score of 9.8 directly correlates with its maximum impact potential across all security domains.
Organizations that rely on Oracle PeopleSoft for human resources, financials, supply chain management, or student administration are at severe risk. Compromise of these systems can lead to the exfiltration of personally identifiable information (PII) for employees and customers, financial data, intellectual property, and other sensitive corporate information. The integrity of business operations can be undermined through unauthorized data alteration, potentially leading to financial fraud or operational paralysis.
The "network takeover" capability implies that the attacker can gain administrative control over the PeopleSoft application and, depending on the architecture and privileges, potentially extend their reach to the host operating system or connected databases. This level of control facilitates lateral movement within the network and enables persistent access for long-term espionage or disruptive campaigns. Downtime for critical ERP systems can result in significant financial losses, reputational damage, and regulatory penalties.
How is CVE-2026-35273 exploited?
CVE-2026-35273 is a missing-authentication vulnerability in a critical function of Oracle PeopleSoft Enterprise PeopleTools. This flaw allows an unauthenticated remote attacker to interact directly with sensitive components that should only be accessible to authenticated and authorized users or processes. Because the exposed function is reachable without authentication, the attacker can perform actions typically reserved for system administrators.
The exploitation vector is remote and unauthenticated, meaning an attacker does not need prior access to the network or valid credentials to initiate an attack. They can target vulnerable PeopleSoft instances directly over the network. The "missing authentication" implies that the application fails to enforce security checks before executing a critical command or accessing a sensitive resource, thereby granting illicit access.
Real-world exploitation reports confirm that this vulnerability is being actively used by sophisticated threat actors. For instance, our prior analysis in Oracle PeopleSoft CVE-2026-35273: Zero-Day RCE details how this flaw can lead to Remote Code Execution (RCE), allowing attackers to execute arbitrary commands on the underlying server with the privileges of the PeopleSoft application. This escalates an unauthenticated network takeover into full system compromise.
Further intelligence, as explored in Oracle PeopleSoft CVE-2026-35273 and ShinyHunters Exploitation, indicates that the threat actor group ShinyHunters has been observed exploiting this same vulnerability. ShinyHunters is known for high-profile data breaches and has used this zero-day flaw to compromise Oracle PeopleSoft environments, which underscores both the severity of the flaw and the caliber of actors interested in it. Exploitation by a named threat actor group confirms the immediate threat posed by CVE-2026-35273.
The attack preconditions are minimal, requiring only network connectivity to a vulnerable Oracle PeopleSoft instance. No complex social engineering or prior reconnaissance beyond identifying a vulnerable target is necessary. This low barrier to entry for attackers, combined with the high potential impact, makes CVE-2026-35273 a dangerous vulnerability. The critical function could be anything from database configuration interfaces and application server controls to direct API endpoints that lack proper access controls, allowing an attacker to inject commands or manipulate system settings.
Affected Products and Versions
The vulnerability CVE-2026-35273 affects:
- Oracle PeopleSoft Enterprise PeopleTools
Specific affected version ranges for Oracle PeopleSoft Enterprise PeopleTools are not explicitly detailed in the provided intelligence source. Organizations are advised to consult official Oracle security advisories or their PeopleSoft support channels for precise version information and patching guidance. Given the critical nature and active exploitation of this vulnerability, all instances of Oracle PeopleSoft Enterprise PeopleTools should be considered potentially vulnerable until confirmed otherwise through vendor-specific patching or assessment.
Detection Strategies
Detecting exploitation attempts or successful compromise related to CVE-2026-35273 requires comprehensive logging and monitoring across the application, host, and network layers. Indicators of compromise (IOCs) would primarily revolve around anomalous activity consistent with unauthenticated access to critical functions and subsequent network takeovers.
- Application Logs:
- Monitor PeopleSoft application server logs for any access attempts to critical or administrative functions that bypass standard authentication mechanisms. Look for successful accesses from IP addresses not associated with legitimate administrative users or known network segments.
- Review for unexpected modifications to system configurations, user accounts, or security settings within PeopleSoft that occurred without corresponding authenticated administrator actions.
- Look for abnormal process invocations or API calls originating from the PeopleSoft application server, especially those related to operating system commands or database interactions that deviate from baseline behavior.
- Host-Based Detection (EDR/HIDS):
- Monitor the underlying operating system of the PeopleSoft application server for unusual process creation, particularly shell processes (e.g., cmd.exe, powershell.exe, bash, sh) spawned by the PeopleSoft application's user account.
- Detect unexpected file system changes in critical PeopleSoft directories, web server root directories, or system configuration files.
- Look for network connections originating from the PeopleSoft server to unusual external IP addresses, especially those associated with known command-and-control infrastructure or cloud hosting providers.
- Identify any new or modified scheduled tasks, services, or persistence mechanisms created on the server hosting PeopleSoft.
- Network-Based Detection (IDS/IPS/Firewall Logs):
- Monitor network traffic for direct unauthenticated access attempts to PeopleSoft application ports and specific URLs or endpoints that might correlate with critical functions.
- Look for unusual traffic patterns, such as unexpected high volumes of data egress from the PeopleSoft server, which could indicate data exfiltration.
- Analyze HTTP/S logs for requests to non-standard or administrative URLs within the PeopleSoft application without prior authentication session establishment.
- Implement IDS/IPS rules to detect known attack signatures associated with exploitation attempts of Oracle PeopleSoft vulnerabilities, if available. Given the active exploitation, regularly update threat intelligence feeds for network signatures related to CVE-2026-35273.
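As an added example (not code from the original post), the host-based rule for shells spawned under the PeopleSoft application's account and the network-based rule for administrative URLs reached without an established session can be expressed as detection logic run over constructed sample records. The service account name, parent process name, session cookie name and administrative URL prefix are assumptions; substitute the values used in your own deployment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (not real PeopleSoft, EDR or web-server output); the
# account, parent process, cookie and admin prefix are assumptions to substitute.
PS_SERVICE_ACCOUNT = "psoft"                  # assumed app-server OS account
SHELLS = {"cmd.exe", "powershell.exe", "bash", "sh"}  # shells named on the page
SESSION_COOKIE = "session-cookie-placeholder"  # assumed session cookie name
ADMIN_PREFIX = "/admin-placeholder/"           # assumed admin URL prefix

def basename(image: str) -> str:
    """Last component of a Windows or POSIX image path, lower-cased."""
    return re.split(r"[\\/]", image)[-1].lower()

def shell_from_service_account(event: dict) -> bool:
    """Host rule: a shell started under the PeopleSoft service account."""
    return (event["user"].lower() == PS_SERVICE_ACCOUNT
            and basename(event["image"]) in SHELLS)

def unauthenticated_admin_request(entry: dict) -> bool:
    """Web rule: a successful admin-path request carrying no session cookie."""
    path = urlsplit(entry["url"]).path
    return (path.startswith(ADMIN_PREFIX) and entry["status"] < 400
            and SESSION_COOKIE not in entry.get("cookies", {}))

def scan(process_events: list, access_entries: list) -> list:
    """Apply both rules and return one alert string per matching record."""
    alerts = []
    for ev in process_events:
        if shell_from_service_account(ev):
            alerts.append(f"host: {ev['user']} spawned {basename(ev['image'])} "
                          f"from parent {ev['parent']}")
    for en in access_entries:
        if unauthenticated_admin_request(en):
            alerts.append(f"web: {en['src']} reached {urlsplit(en['url']).path} "
                          f"without a session cookie (HTTP {en['status']})")
    return alerts

PROCESS_EVENTS = [  # constructed process-creation events
    {"user": "psoft", "parent": "psappsrv", "image": "/bin/bash"},
    {"user": "psoft", "parent": "psappsrv", "image": "/usr/bin/java"},
    {"user": "PSOFT", "parent": "PSAPPSRV.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"user": "jdoe", "parent": "explorer.exe", "image": r"C:\Windows\System32\powershell.exe"},
]
ACCESS_ENTRIES = [  # constructed HTTP access records
    {"src": "203.0.113.10", "url": "https://ps.example.test/admin-placeholder/config", "status": 200, "cookies": {}},
    {"src": "10.0.0.5", "url": "https://ps.example.test/admin-placeholder/config", "status": 200, "cookies": {SESSION_COOKIE: "x"}},
    {"src": "203.0.113.11", "url": "https://ps.example.test/admin-placeholder/config", "status": 401, "cookies": {}},
    {"src": "203.0.113.12", "url": "https://ps.example.test/signin", "status": 200, "cookies": {}},
]
```

Feeding real EDR and reverse-proxy records into `scan` yields three alerts on the sample data: the two shells launched under the service account and the single successful unauthenticated request to the administrative path.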
Remediation Measures
Immediate remediation is critical to address CVE-2026-35273 due to its severe impact and active exploitation. Prioritize patching and implement strong mitigation strategies.
- Apply Vendor Patches:
- The primary remediation is to apply all available security patches from Oracle for PeopleSoft Enterprise PeopleTools. Consult Oracle's official security advisories and support documentation for the specific patch relevant to your version of PeopleSoft. Oracle typically releases quarterly Critical Patch Updates (CPUs) that bundle fixes for multiple vulnerabilities, including actively exploited zero-days.
- Workarounds and Mitigations (if patches are not immediately available):
- Network Segmentation: Isolate PeopleSoft application servers on a dedicated network segment with strict ingress and egress filtering. Restrict network access to PeopleSoft services only from trusted internal networks and specific IP addresses that genuinely require connectivity.
- Web Application Firewall (WAF): Deploy a WAF in front of your PeopleSoft application to inspect and filter suspicious web traffic. Configure the WAF to block requests that attempt to access critical functions without proper authentication or that contain known exploit patterns.
- Least Privilege: Ensure the PeopleSoft application and its underlying components run with the minimum necessary operating system privileges. This can limit the extent of compromise if an attacker successfully exploits the vulnerability.
- Disable Unused Services: Disable any unnecessary PeopleSoft modules, services, or features that could potentially expose additional attack surfaces.
- Review Access Controls: Conduct a thorough review of existing access controls within PeopleSoft, ensuring that all critical functions are strictly controlled and that any default or guest accounts are secured or disabled.
- Enhanced Monitoring:
- Implement enhanced logging and monitoring as detailed in the "Detection Strategies" section to quickly identify and respond to any active exploitation attempts or post-exploitation activities. This includes integrating PeopleSoft logs with a Security Information and Event Management (SIEM) system for centralized analysis and alerting.
- Perform regular vulnerability scanning and penetration testing of your PeopleSoft environments to identify any lingering weaknesses or misconfigurations.
Technical Takeaways
- CVE-2026-35273 is a critical missing authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools with a CVSSv3.1 score of 9.8.
- The vulnerability allows unauthenticated remote attackers to achieve network takeovers, potentially leading to Remote Code Execution and full system compromise.
- CVE-2026-35273 is actively being exploited in the wild and has been added to the CISA KEV catalog, indicating confirmed real-world attacks.
- Threat actor groups such as ShinyHunters have been observed using this zero-day flaw to compromise Oracle PeopleSoft environments.
- Immediate patching through Oracle's official security advisories is the primary remediation; network segmentation and WAF deployment serve as critical interim mitigations.