Missing authentication in Oracle PeopleSoft (PeopleTools) (CVE-2026-35273) — unauthenticated takeover, used in ransomware
Oracle PeopleSoft Enterprise PeopleTools — the platform under the PeopleSoft ERP (HR, finance) — has a missing-authentication-for-critical-function flaw (CWE-306). A remote, unauthenticated attacker can take over PeopleTools. CISA listed it as known-exploited (KEV) and confirmed ransomware use (CVSS 9.8 Critical, per NVD).
Key facts
- CVE ID: CVE-2026-35273
- CVSS base score: 9.8 CRITICAL
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): Oracle PeopleSoft Enterprise PeopleTools
- CWE: CWE-306
- Exploitation: Listed in CISA KEV (exploitation confirmed); also confirmed used in ransomware
- Remediation due: 2026-06-15 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Missing authentication for a critical function (CWE-306) in PeopleTools, the platform under PeopleSoft
- A remote, unauthenticated attacker can take over PeopleTools
- Listed in CISA KEV, i.e. exploitation confirmed; also confirmed used in ransomware
- NVD base score 9.8 Critical (no auth, low complexity, severe C/I/A)
- Response: apply Oracle's fix; federal remediation deadline was June 15, 2026 (top priority)
CVE-2026-35273 is a Missing Authentication for Critical Function vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. PeopleSoft is an enterprise resource planning (ERP) system for HR, payroll, finance, procurement, and campus operations; PeopleTools is the development/runtime platform beneath it.
Per CISA, the flaw lets an unauthenticated attacker achieve takeover of PeopleSoft Enterprise PeopleTools. "Missing authentication" means a critical function that should require authentication can be reached and executed without it. Because these core systems concentrate sensitive HR, payroll, and finance data, a takeover has broad impact.
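To make the defect class concrete, here is an added illustration of CWE-306 in a toy request dispatcher. It is not PeopleSoft or PeopleTools code and says nothing about how the real flaw is laid out; the names (Request, dispatch_vulnerable, dispatch_hardened, export_payroll) are hypothetical. The vulnerable version maps routes straight to handlers with no authentication check, so the critical function is reachable anonymously; the hardened version enforces authentication once, centrally, with an explicit allow-list for the few paths that are meant to be public, so a new or overlooked route is denied by default.

```python
"""Illustration of CWE-306 (missing authentication for a critical function).

Added example, not PeopleSoft/PeopleTools code. All names are hypothetical.
Shows the defect class and the deny-by-default fix: authentication enforced
centrally before any handler runs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None = no authenticated session


# A critical function that must never be reachable without authentication.
def export_payroll(req: Request) -> str:
    return f"payroll export requested by {req.session_user}"


def health(req: Request) -> str:
    return "ok"


ROUTES: Dict[str, Callable[[Request], str]] = {
    "/health": health,
    "/admin/export_payroll": export_payroll,
}


def dispatch_vulnerable(req: Request) -> str:
    """Defect: routes go straight to handlers; nothing checks req.session_user,
    so an anonymous client reaches export_payroll (CWE-306)."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return "404"
    return handler(req)


PUBLIC_ROUTES = {"/health"}  # explicit allow-list of unauthenticated paths


def dispatch_hardened(req: Request) -> str:
    """Fix: authentication is checked once, centrally, before dispatch.
    Anything not on the public allow-list requires a session (deny by default)."""
    if req.path not in PUBLIC_ROUTES and req.session_user is None:
        return "401"
    handler = ROUTES.get(req.path)
    if handler is None:
        return "404"
    return handler(req)


if __name__ == "__main__":
    anon = Request("/admin/export_payroll")
    print("vulnerable:", dispatch_vulnerable(anon))  # critical function runs
    print("hardened:  ", dispatch_hardened(anon))    # 401
```

The point of the central gate is that the property "every non-public route requires a session" holds by construction rather than per handler, which is the usual review question to ask of a framework's routing layer when a CWE-306 advisory lands.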
The flaw is network-reachable with low complexity and no authentication, with severe impact to confidentiality, integrity, and availability. CISA has further confirmed that this vulnerability is used in ransomware campaigns.
Key response: check Oracle's official advisory (e.g., Critical Patch Update), identify affected PeopleTools versions, and apply the fix. CISA required U.S. federal civilian agencies to remediate by June 15, 2026 (a practical benchmark for others); given confirmed ransomware use, this warrants top priority. Also review PeopleSoft's external exposure and check logs for suspicious access.
Why it matters
A core system holding sensitive HR and finance data can be taken over without authentication, and ransomware use is confirmed. Enterprises, universities, and agencies running PeopleSoft should inventory external exposure, patch immediately, and review logs. It is a further reminder that core business systems are actively targeted.
FAQ
What are PeopleSoft and PeopleTools?
What is a "missing authentication" flaw?
What should I do?
Sources (primary)
This article is an independent summary organized from the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).