Critical Oracle PeopleSoft Vulnerability Exploited in Ransomware Attacks

A critical vulnerability in Oracle’s PeopleSoft Enterprise PeopleTools, identified as CVE-2026-35273, has been actively exploited in ransomware attacks, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. This flaw allows unauthenticated attackers to gain full control over affected systems, posing a significant risk to organizations utilizing PeopleSoft for enterprise resource planning (ERP) applications.

The vulnerability stems from a failure to enforce authentication mechanisms for sensitive operations, classified under CWE-306 (Missing Authentication for Critical Function). This oversight enables remote attackers to execute critical functions without valid credentials, potentially leading to complete system takeover. Given PeopleSoft’s widespread use in managing financial, human resources, and operational data, successful exploitation could result in unauthorized access to sensitive information, deployment of ransomware, and establishment of persistent access within enterprise networks.

CISA added CVE-2026-35273 to its KEV catalog on June 12, 2026, with a remediation due date of June 15, 2026, under Binding Operational Directive (BOD) 26-04. This directive emphasizes prioritizing security updates for vulnerabilities actively exploited in attacks. Organizations are strongly advised to apply vendor-provided patches and mitigations immediately. If patches are unavailable, CISA recommends discontinuing use of affected systems or implementing compensating controls to reduce exposure.

Security teams should assess internet-facing assets to identify vulnerable PeopleSoft instances and restrict unauthorized access. In addition to patching, CISA urges organizations to follow its “Forensics Triage Requirements” to detect potential compromise. Indicators of exploitation may include unusual administrative activity, unauthorized access attempts, and unexpected system changes. Network monitoring and log analysis are critical to identifying early signs of intrusion.

Given the confirmed use in ransomware campaigns, defenders should also review backup strategies, ensure data integrity, and implement segmentation controls to limit lateral movement. Multi-factor authentication (MFA) and strict access controls can further reduce the attack surface, but they may not fully mitigate this specific flaw, because it lets attackers reach critical functions without authenticating at all.

The rapid exploitation of CVE-2026-35273 highlights the ongoing trend of threat actors targeting enterprise software vulnerabilities to gain initial access. Organizations using Oracle PeopleSoft are urged to treat this issue as a top priority and take immediate action to prevent potential compromise.

This incident underscores the critical importance of timely patch management and proactive security measures. Organizations must remain vigilant, continuously monitor for emerging threats, and ensure that security protocols are robust enough to withstand sophisticated attacks. The exploitation of such vulnerabilities is a stark reminder of the evolving tactics employed by cybercriminals and of the need for a comprehensive cybersecurity strategy.