The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-35273, a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools, to its Known Exploited Vulnerabilities (KEV) catalog. The addition, dated June 12, 2026, comes after the agency confirmed that threat actors are actively exploiting the flaw in the wild to take over unpatched systems. This move triggers the mandatory patching deadline for U.S. federal agencies under Binding Operational Directive (BOD) 22-01, requiring them to apply Oracle’s fix within three weeks, by July 3, 2026.

The vulnerability, which Oracle patched in its April 2026 Critical Patch Update (CPU), allows unauthenticated remote attackers to gain full administrative control over PeopleSoft environments. With PeopleSoft widely used across government, higher education, and large enterprises for human resources and financial management, the risk of widespread compromise is significant.

What is CVE-2026-35273?

CVE-2026-35273 is an authentication bypass vulnerability in the PeopleSoft Enterprise PeopleTools component. Specifically, the flaw resides in the way PeopleSoft handles certain HTTP requests to its web server interface. By sending a specially crafted request, an attacker can bypass the login mechanism entirely and gain access with the privileges of the PSADMIN user—the highest level of authority in PeopleSoft.

Oracle’s advisory describes the vulnerability as “easily exploitable,” requiring no authentication and no user interaction. The CVSS v3.1 base score is 9.8 (Critical), reflecting the low attack complexity and high impact on confidentiality, integrity, and availability. In practical terms, a successful exploit grants a remote attacker the ability to execute arbitrary commands, modify database records, exfiltrate sensitive data, and even move laterally to other connected systems.

Security researchers have warned that the combination of PeopleSoft’s complexity and the widespread practice of exposing its web interface to the internet makes this vulnerability especially dangerous. “This is about as bad as it gets for a web application,” said one analyst. “Once inside, an attacker essentially owns the entire ERP system and all the data within it.”

The KEV Addition and Active Exploitation

CISA’s decision to add CVE-2026-35273 to the KEV catalog is based on “evidence of active exploitation.” While the agency did not disclose specific details about the attacks, multiple cybersecurity firms have observed exploitation attempts since at least early May 2026. The attacks appear opportunistic, targeting any internet-facing PeopleSoft login pages that have not yet applied the April 2026 CPU.

According to a report from Rapid7, the exploit is straightforward: attackers send a single HTTP POST request with modified parameters that trick the authentication handler into granting a session token with full privileges. The exploit code has been circulating on underground forums and has been incorporated into automated scanning tools. Some incidents have progressed from initial access to deployment of ransomware, highlighting the urgency.

CISA’s KEV catalog, established under BOD 22-01, mandates that all Federal Civilian Executive Branch (FCEB) agencies remediate each listed vulnerability by the specified due date. For CVE-2026-35273, the clock started ticking on June 12, giving agencies until July 3 to apply the patch or implement approved compensating controls. Failure to comply can result in enforcement actions up to and including system disconnection from federal networks.

Who is Affected?

The vulnerability impacts Oracle PeopleSoft Enterprise PeopleTools versions 8.60 and later. While Oracle typically supports multiple versions simultaneously, the exact scope depends on which releases received the patch. Oracle’s April 2026 CPU provides fixes for:

  • PeopleTools 8.61.15
  • PeopleTools 8.60.25
  • PeopleTools 8.59.35 (if still under extended support)

Organizations running older, unsupported versions are particularly at risk, as they may not have received a patch. Oracle strongly recommends upgrading to a supported baseline. Additionally, any PeopleSoft deployment where the PIA (PeopleSoft Internet Architecture) web server is accessible from the internet—even through a reverse proxy—should be considered exposed.

Federal Patching Timeline and Private Sector Implications

Under BOD 22-01, agencies must “apply the vendor-provided patch or implement mitigations as instructed by CISA” by July 3, 2026. This three-week window is standard for critical, actively exploited vulnerabilities. For private sector organizations, while not legally bound, the KEV listing serves as a strong signal that immediate action is necessary. CISA and the FBI often issue joint advisories urging businesses to prioritize KEV-listed flaws.

In the past, similar PeopleSoft vulnerabilities have led to breaches at universities and corporations. For example, CVE-2020-14750—another authentication bypass in PeopleSoft—was actively exploited by advanced persistent threat groups to steal data and maintain persistence. The current CVE appears to follow the same pattern.

Mitigation and Workarounds

If applying Oracle’s patch immediately is not feasible, organizations should implement the following interim measures:

  • Restrict network access to PeopleSoft PIA web servers using firewall rules, VPNs, or jump servers. Do not expose the login page directly to the internet.
  • Deploy a web application firewall (WAF) with custom rules to filter or block requests that attempt to exploit the authentication bypass. Oracle may provide signature guidance.
  • Monitor PeopleSoft logs for unusual activity, such as unexpected PSADMIN logins from unknown IP addresses or sudden configuration changes.
  • Disable or restrict the use of any unnecessary PeopleSoft services and integration points until patched.

CISA also recommends that organizations scan their internet-facing assets for PeopleSoft instances and verify that all are accounted for and patched. Gaps in the asset inventory are frequently the first weakness attackers exploit.

Why PeopleSoft Remains a High-Value Target

PeopleSoft’s status as a mission-critical ERP platform for HR, finance, and supply chain makes it a perennial target. A compromise can yield vast amounts of personally identifiable information (PII), financial data, and the ability to alter payroll or vendor payments. Moreover, many organizations treat PeopleSoft as a “black box” that is rarely disrupted, leading to slow patching cycles and inadequate monitoring.

The complexity of PeopleSoft’s architecture—with its Application Designer, Integration Broker, and web services—also creates a large attack surface. Researchers have noted that PeopleSoft often retains legacy code paths that can be leveraged by attackers. In the case of CVE-2026-35273, the vulnerability appears to stem from insufficient validation in a helper servlet designed for backward compatibility with older integration tools.

Historical Context and Recurring Threats

This isn’t the first PeopleSoft vulnerability to earn a KEV listing. CVE-2022-21587, a file upload flaw, was added in 2022 after similar exploitation. The pattern underscores a systemic issue: many organizations struggle to keep their PeopleSoft environments current due to the complexity of customizations and fear of breaking integrations.

Oracle’s quarterly CPU cycle provides a regular patching cadence, but the window between patch release and exploitation is narrowing. In this case, attackers began targeting CVE-2026-35273 within weeks of the April 2026 CPU. Security teams must prioritize PeopleSoft patches as they would for operating system or browser zero-days.

Immediate Steps for Security Teams

  1. Identify all PeopleSoft instances using an asset inventory. Confirm the exact PeopleTools version.
  2. Check your Oracle support portal to verify your entitlement to the April 2026 CPU and download the relevant patch.
  3. If a direct patch is unavailable (e.g., for an unsupported version), engage Oracle for an out-of-support patch or plan an emergency upgrade.
  4. Implement network access controls immediately—do not wait for the patch to be applied if internet exposure exists.
  5. Conduct threat hunting in PeopleSoft environments: search for unusual PSADMIN activity, new user accounts, or modified permissions.
  6. Report any confirmed incidents to CISA and the FBI via their incident reporting portals.
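A small log hunt for the PSADMIN activity named in the monitoring bullet above and in step 5, added here as an example; it is not code from the original article or from Oracle. The key=value log format, the admin allowlist subnet and the sample lines are constructed assumptions, so adapt parse_line() to the actual PIA and application server audit logs.

```python
import ipaddress

# Constructed sample lines in an assumed key=value audit format; this is NOT
# PeopleSoft's real log layout. Adapt parse_line() to your PIA/app server logs.
SAMPLE_LOG = """\
2026-06-13T08:12:44Z event=LOGIN user=jsmith src=10.20.30.40 status=SUCCESS
2026-06-13T08:13:02Z event=LOGIN user=PSADMIN src=10.1.1.15 status=SUCCESS
2026-06-13T09:41:19Z event=LOGIN user=PSADMIN src=203.0.113.45 status=SUCCESS
2026-06-13T09:41:25Z event=USER_CREATE user=PSADMIN src=203.0.113.45 target=svc_backup
2026-06-13T09:42:07Z event=PERM_CHANGE user=PSADMIN src=203.0.113.45 target=svc_backup
2026-06-13T10:05:00Z event=LOGIN user=PSADMIN src=198.51.100.9 status=FAILED
"""

# Assumption: PSADMIN sessions are only expected from the admin jump-host subnet.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.1.1.0/24")]
SENSITIVE_EVENTS = {"USER_CREATE", "PERM_CHANGE", "CONFIG_CHANGE"}

def parse_line(line: str) -> dict:
    """Split one log line into a dict of timestamp plus key=value fields."""
    parts = line.split()
    if len(parts) < 2:
        return {}
    fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    fields["ts"] = parts[0]
    return fields

def is_allowed_source(ip: str) -> bool:
    """True if the source IP falls inside an expected admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)

def hunt(log_text: str) -> list:
    """Flag successful PSADMIN logins from outside the allowlist, plus any
    account or permission change PSADMIN made from such a source."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("user") != "PSADMIN" or "src" not in rec:
            continue
        if is_allowed_source(rec["src"]):
            continue  # expected admin activity; still worth baselining
        event = rec.get("event")
        if event == "LOGIN" and rec.get("status") == "SUCCESS":
            findings.append({"ts": rec["ts"], "reason": "psadmin_login_external", "src": rec["src"]})
        elif event in SENSITIVE_EVENTS:
            findings.append({"ts": rec["ts"], "reason": event.lower() + "_from_external",
                             "src": rec["src"], "target": rec.get("target", "")})
    return findings
```

On the sample above the hunt returns three findings: the external PSADMIN login and the account creation and permission change that followed it, while the internal admin login and the failed external attempt are not flagged.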

Conclusion

The addition of CVE-2026-35273 to CISA’s KEV catalog transforms a routine patch into an emergency action item. With exploitation ongoing and a tight federal deadline, every organization running PeopleSoft should treat this as a top-priority incident. History shows that delays in patching PeopleSoft vulnerabilities lead to breaches. In this case, an unauthenticated takeover means attackers can completely own the system in minutes. Patch now, or prepare for impact.