
Oracle PeopleSoft Auth Bypass CVE-2026-35273: Patch Now

Breach Horizon Editorial, Jun 17, 2026. 6 min read. Reviewed by Laurens Vanhaecke.

What's Happening

Oracle PeopleSoft Enterprise PeopleTools has a critical authentication bypass vulnerability — CVE-2026-35273 — that lets an unauthenticated attacker take full control of the platform. No credentials required. No prior access needed. Just network reachability and the flaw does the rest.

CISA added this to the Known Exploited Vulnerabilities catalog on June 12, 2026, with a federal patch deadline of June 15, 2026, just three days later. That deadline has already passed, and a window that short signals that CISA had confirmed active exploitation before most organizations had time to respond.

Worse: this vulnerability is tied to a known ransomware campaign. This isn't theoretical. Threat actors are actively weaponizing it.


The Vulnerability Breakdown

CVE-2026-35273 is classified as CWE-306 — Missing Authentication for Critical Function. That's exactly what it sounds like: a critical function inside PeopleSoft PeopleTools has no authentication gate protecting it.

Here's what that means in practice:

  • An attacker with network access to your PeopleSoft instance doesn't need a username or password
  • They can call the vulnerable function directly and achieve full system takeover
  • "Takeover" means control over the application, its data, and potentially the underlying infrastructure depending on your deployment architecture
  • PeopleSoft environments typically hold HR records, payroll data, financials, student records, and sensitive employee PII — exactly what ransomware groups want to exfiltrate before encrypting

Our internal risk score for this one, on a CVSS-like 0 to 100 scale, is 94. That's not a number we assign lightly. It sits in the same category as the worst enterprise application vulnerabilities we've tracked.


Who Is Exposed

PeopleSoft PeopleTools is the underlying framework for all PeopleSoft applications — HCM (Human Capital Management), Financials, Campus Solutions, and others. If you're running any Oracle PeopleSoft product, you're running PeopleTools underneath it.

Your exposure increases significantly if:

  • Your PeopleSoft web server or PIA (PeopleSoft Internet Architecture) tier is internet-facing or reachable from untrusted networks
  • You haven't applied Oracle's out-of-band patch released in response to this CVE
  • You're running PeopleSoft in a cloud or hybrid environment without strict network segmentation
  • Your instance is managed by a third-party service provider who may not have applied the patch on your behalf

MSPs and IT consultants managing PeopleSoft environments for clients: do not assume your vendor or the client's internal team handled this. Verify. The blast radius on a PeopleSoft compromise is enormous given the data these systems typically store.


Immediate Actions — Do These Now

1. Identify all PeopleSoft PeopleTools instances in your environment

Before you can patch, you need to know what you have. Pull your asset inventory and find every instance of PeopleSoft running in your environment — production, staging, dev, and any client-managed instances if you're an MSP.

2. Apply Oracle's patch immediately

Oracle has released a security alert specifically for this vulnerability. Go directly to Oracle's security alert page for CVE-2026-35273. You'll need an Oracle Support account to access the full patch details and download links.

Apply the patch following Oracle's instructions. Do not skip testing, but do not let testing become an excuse for multi-week delays. If your change management process typically takes weeks, escalate this to emergency patch status today.

3. Assess internet exposure immediately

Even before patching is complete, evaluate whether your PeopleSoft PIA tier is accessible from the internet or untrusted networks. Specifically:

  • Review firewall rules for ports 80 and 443 serving the PeopleSoft web tier
  • Check if any load balancers or reverse proxies are forwarding external traffic to PeopleSoft
  • Review any VPN split-tunneling configurations that might expose PeopleSoft to lateral movement from compromised endpoints

If you cannot patch immediately, restricting access to trusted IP ranges is your best available interim control. This is not a substitute for patching, but it reduces your attack surface while you prepare the patch deployment.

4. Check for indicators of compromise

Given that exploitation is confirmed in the wild and ransomware groups are actively using this, you need to assume the possibility of prior compromise — especially if your instance has had any internet exposure.

Review the following:

  • PeopleSoft application server logs for unusual unauthenticated requests or unexpected function calls
  • Web server access logs for anomalous traffic patterns, particularly to servlet paths associated with PeopleTools
  • Database logs for unusual queries, bulk data exports, or new user account creation
  • System-level logs for any new processes, scheduled tasks, or persistence mechanisms

CISA's BOD 26-04 includes Forensics Triage Requirements that outline what a proper triage looks like. Federal agencies are required to follow this. If you're in the private sector, use it as a practical checklist anyway — it's solid guidance.

5. Review privileged accounts and access

If an attacker achieved full takeover, account manipulation is a standard next step before deploying ransomware. Audit:

  • PeopleSoft operator accounts for any additions or modifications since June 12
  • OS-level accounts on PeopleSoft application and database servers
  • Any service accounts used by PeopleSoft with elevated privileges on connected systems
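A triage helper for steps 3 and 4 above, added here as an example (not part of the original post and not Oracle tooling): it parses combined-format web-tier access logs, keeps only requests to PeopleSoft PIA servlet paths, and flags those coming from clients outside your trusted IP ranges. The servlet prefixes, trusted ranges and sample log lines are assumptions and constructed data; adjust the prefixes and ranges to your deployment.

```python
"""PeopleSoft PIA access-log triage (added example, not Oracle tooling).
Assumes Apache/NGINX combined-format logs; prefixes and ranges are assumptions."""
import ipaddress
import re
from collections import Counter

# Common PIA servlet prefixes (portal, content, Integration Gateway); adjust per site.
PIA_PREFIXES = ("/psp/", "/psc/", "/psigw/")
# Trusted ranges: internal networks, VPN pool, integration partners (constructed).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]
# Combined log format: client - user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

def is_trusted(ip: str) -> bool:
    """True when the client address falls inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or junk in the client field are reviewed, not trusted
    return any(addr in net for net in TRUSTED)

def triage(lines):
    """Return PIA requests from untrusted clients, plus a per-client hit count."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: leave for manual review rather than guess
        if not m["path"].startswith(PIA_PREFIXES) or is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
        per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample lines: one untrusted client touching PIA paths, plus noise.
SAMPLE_LOG = [
    '10.1.2.3 - - [13/Jun/2026:08:01:11 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120',
    '203.0.113.45 - - [13/Jun/2026:03:14:02 +0000] "POST /psigw/HttpListeningConnector HTTP/1.1" 200 812',
    '203.0.113.45 - - [13/Jun/2026:03:14:05 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 200 23044',
    '192.168.50.7 - - [13/Jun/2026:09:00:00 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/ADMINISTER_WORKFORCE.JOB_DATA.GBL HTTP/1.1" 200 10240',
    '198.51.100.9 - - [13/Jun/2026:03:20:40 +0000] "GET /robots.txt HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("untrusted clients by hit count:", counts.most_common())
```

Replace SAMPLE_LOG with lines read from your real web-tier logs; a hit is a lead for the review in step 4, not a confirmed exploitation attempt.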

Compliance and Regulatory Context

For federal agencies and contractors, CISA's Binding Operational Directive 26-04 governs the response here. The June 15 deadline has passed. If you haven't patched, you're out of compliance with BOD 26-04 and need to escalate this to your CISO and AO (Authorizing Official) immediately.

For private sector organizations: BOD 26-04 doesn't technically bind you, but CISA doesn't add things to the KEV catalog because they're bored. A ransomware-linked, unauthenticated full-takeover vulnerability in an enterprise ERP platform is exactly the kind of thing that ends up in post-incident regulatory scrutiny. HIPAA, FERPA (for higher education PeopleSoft users), and state privacy laws all create liability exposure if patient, student, or employee data is compromised through a known, patchable vulnerability.

Document your patch deployment timeline. If you're delayed due to vendor dependencies or testing cycles, document the compensating controls you've put in place. That documentation matters if you're ever explaining this to a regulator or insurer post-incident.


For MSPs Managing PeopleSoft Clients

If you have clients running PeopleSoft, your responsibilities here are clear:

  • Notify clients immediately — do not wait for them to find this themselves
  • Verify patch status — do not assume Oracle's automatic update mechanisms handled this; PeopleSoft patching is largely manual
  • Check your own tooling — if you use any RMM or monitoring agents deployed on PeopleSoft infrastructure, confirm those agents haven't introduced additional network exposure
  • Review your incident response agreements — if a client gets hit with ransomware through this vector and you were managing their PeopleSoft environment, understand your contractual obligations now, not after the incident

If a client refuses to patch or insists on delays beyond a reasonable testing window, get that decision documented in writing. A ransomware attack through a known KEV vulnerability where patching was declined is a conversation you want a paper trail for.


If You Can't Patch Right Now

Patching is the only real fix. That said, if you're in a situation where patching requires extended downtime, vendor coordination, or change freeze exceptions, here's how to reduce risk in the interim:

  • Restrict network access to PeopleSoft to only authorized IP ranges — internal networks, VPN endpoints, and any known integration partners
  • Enable enhanced logging on the web tier and application server to increase visibility into exploitation attempts
  • Take a backup of the system before any additional exposure window — if you do get hit, having a clean recovery point is the difference between a bad week and a catastrophic one
  • Brief your IR team or retainer — if you have a cyber insurance policy with an IR retainer, make sure they're on standby and that you have contact information readily accessible

Do not treat interim controls as a reason to delay patching. The threat actors using this vulnerability are not waiting for your change management approval cycle.


Bottom Line

An unauthenticated, full-takeover vulnerability in Oracle PeopleSoft is being actively used in ransomware attacks. CISA flagged it, assigned a three-day patch deadline, and the deadline is gone. If you're running PeopleSoft and haven't patched, you're in the highest-risk category right now.

Patch first. Audit for compromise second. Restrict access if patching is delayed. Document everything.

Oracle's official security alert: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html

CISA KEV entry and BOD 26-04 guidance: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-35273
