Critical Oracle PeopleSoft PeopleTools RCE Exposes Enterprise Systems (CVE-2026-35273)
Critical RCE vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools affects versions 8.61 and 8.62.
Summary
A critical unauthenticated remote code execution vulnerability, CVE-2026-35273, has been discovered in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Rated CVSS 9.8, this flaw allows attackers with network access to execute arbitrary code without authentication, potentially leading to a full system compromise. The vulnerability is reportedly being exploited in the wild, necessitating immediate mitigation or patching.
Full text
Critical • CVSS 3.1 base score 9.8 • Oracle Security Alert (emergency) • Exploit status: reported in the wild
Oracle PeopleSoft Enterprise PeopleTools • Unauthenticated RCE • Published 2026-06-10

Vulnerability Overview
CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools. Oracle says the flaw is remotely exploitable without authentication over HTTP and, if successfully exploited, may result in remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with high impact to confidentiality, integrity, and availability.

- CVE ID: CVE-2026-35273
- CVSS Score: 9.8 (Critical)
- Vendor: Oracle
- Component: Updates Environment Management
- Affected Product: PeopleSoft PeopleTools
- Affected Versions: 8.61, 8.62
- Attack Vector: Network / HTTP
- Authentication: Not Required

Bottom Line
If you run Oracle PeopleSoft Enterprise PeopleTools 8.61 or 8.62, treat this as an emergency. Oracle recommends immediate action, and administrators should apply the available mitigation or patch guidance from Oracle Support without delay.

Why PeopleSoft Is a High-Value Target
PeopleSoft deployments often support core enterprise functions such as human resources, finance, payroll, campus systems, and internal business workflows. That makes PeopleTools a high-value target, because a compromise can expose sensitive identity, employee, student, payroll, and operational data. A remotely exploitable, unauthenticated flaw in this layer gives attackers a direct path to systems that are often deeply integrated into the rest of the enterprise environment.

Technical Analysis
The vulnerable component identified by Oracle is Updates Environment Management within PeopleSoft Enterprise PeopleTools. Oracle's risk matrix lists the affected protocol as HTTP, and the CVSS vector indicates that the issue is reachable over the network, low in attack complexity, and requires neither privileges nor user interaction.

The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In practical terms, an attacker with network access to the vulnerable HTTP interface can attempt exploitation without valid credentials. Successful exploitation can result in complete compromise of PeopleSoft Enterprise PeopleTools, with high confidentiality, integrity, and availability impact.

Oracle has not disclosed full technical exploit details in the public advisory, which is typical for emergency security alerts involving enterprise software. Defenders should not wait for public exploit code or deeper technical write-ups before acting, because the risk profile is already clear: unauthenticated network access, critical severity, and possible remote code execution.

Exploitation Status
Oracle's public advisory does not include a broad technical breakdown of exploitation activity, but outside reporting has described CVE-2026-35273 as being exploited in the wild, citing warnings from Mandiant leadership. That changes the operational priority from routine patch management to incident-response mode: exposed or reachable PeopleSoft systems should be reviewed for indicators of compromise while mitigation or patching is underway.

Am I Affected?
You are potentially affected if you operate Oracle PeopleSoft Enterprise PeopleTools 8.61 or 8.62. Oracle also notes that PeopleSoft Enterprise Applications customers may be affected, because those applications depend on PeopleTools. Administrators should confirm the PeopleTools version in their environment and review the Oracle Support patch availability document linked from the official alert.
Affected Versions & Fixes
Product | Affected Versions | Resolution
PeopleSoft Enterprise PeopleTools | 8.61, 8.62 | Apply Oracle's Security Alert mitigation or patch guidance through the PeopleSoft Patch Availability Document
PeopleSoft Enterprise Applications | Dependent on PeopleTools exposure | Review the underlying PeopleTools version and follow Oracle Support guidance

Oracle states that customers should remain on actively supported versions and apply Critical Patch Updates, Critical Security Patch Updates, and Security Alerts without delay. Older, unsupported releases may not have been tested, but Oracle warns that they are likely to be affected as well and recommends upgrading to supported versions.

Mitigation & Remediation
Priority order, drawn from the Oracle Security Alert Advisory for CVE-2026-35273:

1. Apply Oracle's official mitigation or patch guidance. Review the PeopleSoft Patch Availability Document in Oracle Support and deploy the recommended fixes for PeopleTools 8.61 and 8.62.
2. Reduce HTTP exposure. Restrict PeopleSoft administrative and application interfaces to trusted networks only, and block unnecessary internet-facing access.
3. Prioritize supported versions. Oracle notes that unsupported releases may not be tested for this vulnerability, so upgrade planning should be treated as part of remediation.
4. Hunt for suspicious activity. Review PeopleSoft web logs, authentication logs, update management activity, unexpected process execution, and anomalous outbound connections from PeopleSoft hosts.
5. Monitor for follow-on compromise. Because successful exploitation may lead to remote code execution, check for new files, modified application components, unexpected scheduled jobs, and suspicious administrative account activity.

The Bigger Picture
CVE-2026-35273 is another reminder that enterprise application platforms are high-impact targets, especially when they sit behind business-critical HR, payroll, finance, and identity workflows. PeopleSoft environments are often long-lived, heavily customized, and difficult to patch quickly, which makes emergency alerts like this one especially risky. When a flaw is unauthenticated, reachable over HTTP, and rated 9.8, the safest assumption is that attackers will move fast.

Observed IOCs
A set of IPv4 addresses has been reported as infrastructure connected with CVE-2026-35273 activity. Treat these as investigation leads, not standalone proof of compromise.

References
- Oracle Security Alert Advisory - CVE-2026-35273
- Oracle Security Blog - Security Alert CVE-2026-35273 Released
- CVE Record - CVE-2026-35273
- Help Net Security - Oracle PeopleSoft Servers Under Attack
- The Hacker Wire - Critical PeopleSoft PeopleTools Unauthenticated Takeover
Indicators of Compromise
- cve — CVE-2026-35273