CVE-2026-35273

Critical · CISA KEV · Active Exploitation · Ransomware-linked

Published: 11 June 2026
Modified: 17 June 2026
KEV Added: 12 June 2026
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9233 (99.8th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-35273 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle PeopleSoft Enterprise PeopleTools. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-35273 is a critical vulnerability in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The flaw, tracked under CWE-306, permits unauthenticated remote attackers to compromise the affected system through HTTP requests, resulting in complete takeover with impacts to confidentiality, integrity, and availability. It carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker with network access can exploit the issue without credentials or user interaction to gain full control of the PeopleSoft instance. The low attack complexity and network-exposed vector make it straightforward to leverage in internet-facing deployments.

Oracle's security advisory at oracle.com/security-alerts/alert-cve-2026-35273.html addresses remediation steps, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation and the need for prioritized patching.

The EPSS score has reached 0.2221 with no subsequent increase from that level.

Vulnerability details

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CWE-306 missing authentication on a network-exposed HTTP endpoint in PeopleSoft directly enables unauthenticated remote code execution / full compromise of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: Oracle
Product: PeopleSoft Enterprise PeopleTools
Versions: 8.61, 8.62

Mitigating Controls (NIST 800-53 r5, AI)

prevent: AC-3 (Access Enforcement). Directly enforces authentication and authorization checks on the HTTP-accessible Updates Environment Management component before any actions are permitted.

prevent: IA-8 (Identification and Authentication (Non-organizational Users)). Requires identification and authentication of non-organizational users before granting access to the network-exposed PeopleSoft service.

prevent: Mandates timely application of vendor patches to eliminate the missing-authentication flaw in versions 8.61 and 8.62.
