CVE Record

CVE-2026-35273: Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management)

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Severity: Critical · CVSS 9.8 · Known exploited

Glexia's Take: critical

Analyst readout for executives and security teams

Plain-English summary

CVE-2026-35273 is a critical Oracle PeopleSoft PeopleTools flaw that can let an unauthenticated attacker take over affected systems over HTTP. It affects supported PeopleTools versions 8.61 and 8.62. CISA lists it in the Known Exploited Vulnerabilities catalog, so organizations should treat internet-accessible PeopleSoft environments as urgent priorities.

Executive priority

Treat this as an emergency remediation item for affected PeopleSoft environments. The issue enables unauthenticated takeover, affects core enterprise systems, and is listed by CISA as known exploited. Ask teams for same-day exposure confirmation and a remediation plan based on Oracle guidance.

Technical view

Oracle describes this as an easily exploitable vulnerability in PeopleSoft Enterprise PeopleTools, Updates Environment Management. The weakness is CWE-306, missing authentication for a critical function. The CVSS 3.1 score is 9.8 with network access, low complexity, no privileges, no user interaction, and high confidentiality, integrity, and availability impact.

Likely exposure

Exposure is highest where PeopleSoft PeopleTools 8.61 or 8.62 is reachable over HTTP, especially from the internet or untrusted networks. Internal-only deployments still matter because no authentication is required once network access is available.

Exploitation context

Active exploitation is indicated by the CISA KEV listing. The provided sources do not include exploit details, observed campaign information, or indicators of compromise. The combination of unauthenticated HTTP access and full takeover impact makes rapid validation and remediation important.

Researcher notes

The source bundle names the affected component and versions but does not provide patch identifiers, exploit mechanics, or detection logic. Avoid assumptions beyond Oracle and CISA data. Key research tasks are version confirmation, exposure mapping, advisory tracking, and telemetry review for suspicious unauthenticated HTTP activity.

Mitigation direction

  • Review Oracle’s advisory for the official fix or required update path.
  • Prioritize remediation for PeopleTools 8.61 and 8.62 environments reachable over HTTP.
  • Restrict HTTP access to PeopleSoft management interfaces to trusted networks only.
  • Monitor PeopleSoft and web access logs for unusual unauthenticated activity.
  • Confirm whether CISA KEV deadlines apply to your organization.

Validation and detection

  • Inventory all PeopleSoft Enterprise PeopleTools deployments and versions.
  • Identify systems running PeopleTools 8.61 or 8.62.
  • Determine whether affected services are reachable over HTTP from untrusted networks.
  • Verify whether Oracle-recommended updates or mitigations are applied.
  • Check CISA KEV and Oracle advisory pages for updated guidance.

Confidence: high · Sources: 4

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

CWE lookup (medium confidence)

CWE-306: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

CVE lookup (low confidence)

CVE-2026-35273 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Vulnerability profile (CVE Program record)

Severity: Critical
CVSS: 9.8 (3.1)
Known Exploited: Yes

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1 CVSS vector · 5 timeline events · 1 ADP provider · 3 source links

CISA KEV status

Status: Known exploited
Source: CISA-ADP

SSVC decision data

Provider: CISA-ADP (CISA Coordinator)
Version: 2.0.3
Exploitation: active · Automatable: yes · Technical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

Score: 9.8 (CVSS 3.1, Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability sub-score: 3.9 · Impact sub-score: 5.9
Source: oracle

Vulnerability scoring details

Base CVSS 3.1 score

9.8 Critical
CVSS 3.1 vector shape for CVE-2026-35273

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reserved (CVE Program)

    The CVE ID was reserved by the assigning CNA.

  2. CVE published (CVE Program)

    The CVE record was published.

  3. Added to KEV (CISA-ADP)

    CISA Known Exploited Vulnerabilities metadata lists this CVE as known exploited.

  4. ADP timeline (CISA-ADP)

    CVE-2026-35273 added to CISA KEV

  5. CVE updated (CVE Program)

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADP (CISA ADP Vulnrichment); tags: other:ssvc, other:kev

  • 2026-06-12T00:00:00.000Z: CVE-2026-35273 added to CISA KEV

Source materials

Affected products

Products and packages named in the record

Vendor: Oracle Corporation
Product: PeopleSoft Enterprise PeopleTools
Version / package: 8.61, 8.62
Status: Listed

Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-306 (source CWE mapping)

Missing Authentication for Critical Function

Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.