CISA Adds Oracle PeopleSoft Zero-Day CVE-2026-35273 to KEV Catalog After Ransomware Gang Exploitation

dark6 18 June 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Oracle PeopleSoft vulnerability, tracked as CVE-2026-35273, to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild — including use in targeted ransomware campaigns. The flaw affects Oracle PeopleSoft Enterprise PeopleTools and enables unauthenticated attackers to gain full control over affected systems.

Understanding CVE-2026-35273

The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), indicating a failure to enforce authentication mechanisms for sensitive operations. In practical terms, this allows remote attackers to execute critical administrative functions without valid credentials — effectively leading to complete system takeover without needing a username or password.

Oracle PeopleSoft Enterprise PeopleTools is widely deployed by large enterprises and public sector organizations for enterprise resource planning (ERP), human resources, and financial management applications. This broad deployment footprint makes it an exceptionally high-value target for ransomware operators seeking to access sensitive financial, HR, and operational data.

Active Exploitation Confirmed in Ransomware Attacks

CISA added CVE-2026-35273 to its KEV catalog on June 12, 2026, with a remediation due date of June 15, 2026 — a remarkably short three-day window — under Binding Operational Directive (BOD) 26-04. The directive emphasizes prioritizing security updates based on risk, particularly for vulnerabilities actively exploited in attacks.

According to CISA, the vulnerability has already been leveraged in confirmed ransomware campaigns. Successful exploitation could allow attackers to:

  • Access sensitive financial, HR, and operational data stored in PeopleSoft databases
  • Deploy ransomware payloads across the enterprise network
  • Establish persistent backdoor access within enterprise environments
  • Exfiltrate employee records, payroll data, and strategic business information

Why This Is Especially Dangerous

The authentication-bypass nature of this flaw is particularly concerning because it means traditional access controls are entirely ineffective. An attacker with network access to a vulnerable PeopleSoft instance can immediately take control — no phishing, no credential theft, no social engineering required. Organizations that have inadvertently exposed their PeopleSoft administrative interfaces to the internet are at immediate risk.

The rapid exploitation timeline — between the vulnerability’s discovery and its confirmed use in ransomware campaigns — underscores how quickly threat actors operationalize enterprise software flaws. This aligns with a broader trend of ransomware groups specifically targeting ERP platforms to maximize impact and negotiation leverage.

Immediate Actions Required

Organizations using Oracle PeopleSoft Enterprise are urged to treat this issue as the highest possible priority:

  • Apply Oracle’s patches immediately. If patches are unavailable, CISA recommends discontinuing use of affected internet-facing systems or implementing strict compensating controls.
  • Audit internet-facing assets to identify vulnerable PeopleSoft instances and immediately restrict unauthorized access at the network perimeter.
  • Review administrative access logs for unusual activity, unauthorized access attempts, and unexpected system changes consistent with exploitation.
  • Implement network segmentation to limit lateral movement in the event an attacker has already gained initial access.
  • Review backup integrity and ensure offline or immutable backups exist before applying patches, as ransomware operators often target backup systems first.

Detection Indicators

Security teams should follow CISA’s “Forensics Triage Requirements” to detect potential compromise. Indicators of exploitation may include unusual administrative activity on PeopleSoft systems, unexpected web application requests targeting administrative endpoints, unauthorized database queries, and anomalous outbound network traffic suggesting data exfiltration or ransomware staging.
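The log review recommended under "Immediate Actions Required" and the indicators listed above can be reduced to a small triage script. The following is an added example, not code from the article, Oracle or CISA: it parses constructed web-tier access-log lines and flags administrative requests served without an authenticated principal, administrative requests from outside trusted ranges (including failed attempts), and sources whose total transferred volume suggests exfiltration or staging. The `/admin/` path prefix, the trusted networks, the log format and the 50 MB threshold are placeholders to be replaced with the values of the deployment being reviewed.

```python
"""Triage access-log lines for signs of unauthenticated administrative
activity and bulk data transfer on a PeopleSoft-style web tier.

Added example; not from the article, Oracle, or CISA. The log format,
admin path prefixes, trusted ranges and threshold are assumptions."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed placeholder: route prefixes that only administrators should reach.
ADMIN_PREFIXES = ("/admin/",)

# Assumed placeholder: networks from which administrative use is expected.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed log format: ip - user [timestamp] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges and stand in for untrusted external sources.
SAMPLE_LOG = """\
10.1.2.3 - jsmith [12/Jun/2026:08:01:10 +0000] "GET /portal/hr/payroll HTTP/1.1" 200 4821
203.0.113.45 - - [12/Jun/2026:08:02:31 +0000] "POST /admin/config/save HTTP/1.1" 200 512
203.0.113.45 - - [12/Jun/2026:08:02:33 +0000] "GET /admin/users/export HTTP/1.1" 200 73400000
10.1.2.9 - padmin [12/Jun/2026:08:05:00 +0000] "GET /admin/status HTTP/1.1" 200 902
198.51.100.7 - - [12/Jun/2026:08:06:12 +0000] "GET /admin/login HTTP/1.1" 401 312
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_admin_path(path):
    return any(path.startswith(p) for p in ADMIN_PREFIXES)


def is_trusted(ip):
    """True when the source address falls inside an expected admin range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text, transfer_threshold=50_000_000):
    """Return a list of findings; each is a dict with a 'kind' key."""
    findings = []
    bytes_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bytes_by_ip[rec["ip"]] += rec["bytes"]
        if not is_admin_path(rec["path"]):
            continue
        reasons = []
        # A 2xx/3xx on an admin route with no authenticated principal is the
        # core signal for a missing-authentication (CWE-306) style abuse.
        if rec["user"] == "-" and rec["status"] < 400:
            reasons.append("administrative function served without an authenticated principal")
        # Any admin request from outside trusted ranges, successful or not,
        # is worth review as an unauthorized access attempt.
        if not is_trusted(rec["ip"]):
            reasons.append("request from outside trusted administrative ranges")
        if reasons:
            findings.append({"kind": "admin_request", "ip": rec["ip"],
                             "path": rec["path"], "status": rec["status"],
                             "reasons": reasons})
    # Aggregate response volume per source as a coarse exfiltration indicator.
    for ip, total in bytes_by_ip.items():
        if total >= transfer_threshold:
            findings.append({"kind": "large_transfer", "ip": ip, "bytes": total})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run against the sample, the script flags the two successful unauthenticated `/admin/` requests from 203.0.113.45, the failed external attempt from 198.51.100.7, and the 73 MB total served to 203.0.113.45, while the authenticated internal administrator on 10.1.2.9 is left alone. In practice the same checks should be correlated with application-server and database audit logs, since a web-tier log alone cannot show which administrative function actually executed.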

While Multi-Factor Authentication and access controls are valuable hardening measures, CISA warns they may not fully mitigate this specific flaw given its authentication-bypass nature — meaning patching is the only definitive remediation.

Source: Cyber Security News — June 17, 2026
