CVE-2026-35273: Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Summary
A critical vulnerability, CVE-2026-35273, has been identified in Oracle PeopleSoft Enterprise PeopleTools. It allows unauthenticated attackers to gain full control. CISA mandates immediate mitigation and emphasizes adherence to its risk-based security update prioritization and forensics triage requirements.
IFF Assessment
This vulnerability allows unauthenticated attackers to take over a critical system, representing a significant threat to organizations using Oracle PeopleSoft.
Severity
The vulnerability allows an unauthenticated attacker to take over the system, indicating high impact and high exploitability. A critical function left without authentication is a severe security flaw.
CISA KEV: Listed as actively exploited. Federal patch due: June 15, 2026. Known ransomware use: Known.
Defender Context
This critical vulnerability in Oracle PeopleSoft requires immediate attention from defenders to prevent unauthorized access and potential takeover. Organizations must prioritize applying available mitigations and follow CISA's directives for risk-based patching, given the vulnerability's known ransomware use.