CVE-2026-35273: Oracle PeopleSoft Enterprise PeopleTools Complete Takeover Vulnerability (CISA KEV)

CISA Known Exploited Vulnerability (KEV): Added to the CISA KEV Catalog on June 12, 2026. Action due June 15, 2026. Known ransomware campaign use. BOD 26-04 3-day patch mandate applies.

CVE: CVE-2026-35273 | CVSS 3.1: 9.8 (CRITICAL) | Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE: CWE-306 | Vendor: Oracle | Product: PeopleSoft Enterprise PeopleTools | Affected versions: 8.61, 8.62


What Is the Vulnerability

Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication vulnerability that allows an unauthenticated attacker with HTTP network access to achieve complete takeover of the PeopleSoft system. The vulnerability exists in the Updates Environment Management component. No authentication is required — the attacker simply needs network access to the PeopleSoft HTTP interface. Successful exploitation grants full confidentiality, integrity, and availability impact (CVSS 9.8).

This means an attacker can access, modify, or delete HR records, payroll data, financial information, and any other data managed by PeopleSoft. They can also use the compromised PeopleSoft instance as a pivot point into the wider enterprise network.


Versions Affected

  • Oracle PeopleSoft Enterprise PeopleTools 8.61
  • Oracle PeopleSoft Enterprise PeopleTools 8.62

Oracle lists only 8.61 and 8.62 as affected; earlier releases have not been confirmed either way, so do not assume they are safe. Oracle has also not stated whether cloud-hosted PeopleSoft instances (OCI) are affected; treat them as affected until confirmed otherwise.


Exploited?

YES — Actively exploited in the wild. The threat group ShinyHunters has been actively exploiting this zero-day vulnerability in data theft campaigns targeting PeopleSoft environments. The group is known for exfiltrating sensitive data and extorting victims. CISA has confirmed exploitation and added this vulnerability to the KEV catalog with known ransomware campaign use. The accelerated 3-day remediation deadline under BOD 26-04 reflects the urgency.

ShinyHunters typically targets HR, payroll, and financial databases accessible through PeopleSoft. Organisations with internet-facing PeopleSoft instances that were unpatched before June 12 should assume compromise and initiate incident response procedures.
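
To operationalise the KEV entry rather than track it by hand, here is an added Python example (not part of this advisory and not CISA's tooling) that filters a KEV catalog export for the products you run and computes the remediation deadline. The field names are those of the JSON feed CISA publishes; the two catalog entries inside the script are constructed (one from this page, one filler) so that it runs offline.

```python
"""Triage a CISA KEV catalog export for the products you run and compute the
remediation deadline. Added example for this advisory, not the author's tooling.
The field names used (cveID, vendorProject, product, vulnerabilityName,
dateAdded, dueDate, knownRansomwareCampaignUse) are those of the JSON feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.
The two entries below are CONSTRUCTED: one mirrors this advisory, the other is
filler to show that unrelated products are filtered out.
"""
from __future__ import annotations

import json
from datetime import date

SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {   # constructed from this advisory's callout and metadata line
            "cveID": "CVE-2026-35273",
            "vendorProject": "Oracle",
            "product": "PeopleSoft Enterprise PeopleTools",
            "vulnerabilityName": "Oracle PeopleSoft Enterprise PeopleTools Complete Takeover Vulnerability",
            "dateAdded": "2026-06-12",
            "dueDate": "2026-06-15",
            "knownRansomwareCampaignUse": "Known",
        },
        {   # constructed filler entry for an unrelated product
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "ExampleProduct Example Vulnerability",
            "dateAdded": "2026-06-01",
            "dueDate": "2026-06-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_entries(feed_text: str) -> list[dict]:
    """Return the 'vulnerabilities' array of a KEV feed document."""
    return json.loads(feed_text)["vulnerabilities"]


def matches(entry: dict, keywords: list[str]) -> bool:
    """Case-insensitive keyword match over vendor, product and vulnerability name."""
    hay = " ".join(
        str(entry.get(k, "")) for k in ("vendorProject", "product", "vulnerabilityName")
    ).lower()
    return any(k.lower() in hay for k in keywords)


def triage(feed_text: str, keywords: list[str], today: date) -> list[dict]:
    """Matching entries with deadline arithmetic, soonest due date first."""
    rows = []
    for e in load_entries(feed_text):
        if not matches(e, keywords):
            continue
        added = date.fromisoformat(e["dateAdded"])
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "added": added,
            "due": due,
            "window_days": (due - added).days,   # length of the mandated window
            "days_left": (due - today).days,     # negative once overdue
            "overdue": today > due,
            "ransomware": str(e.get("knownRansomwareCampaignUse", "")).lower() == "known",
        })
    rows.sort(key=lambda r: (r["due"], r["cveID"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_FEED, ["peoplesoft", "oracle"], date(2026, 6, 13)):
        state = "OVERDUE" if r["overdue"] else f"{r['days_left']} day(s) left"
        print(f"{r['cveID']}: due {r['due']} ({r['window_days']}-day window), {state}, "
              f"ransomware={'yes' if r['ransomware'] else 'no'}")
```

Run it against the live feed by reading the downloaded JSON into `triage` in place of `SAMPLE_FEED`; a 3-day `window_days` is what distinguishes an accelerated entry like this one from the usual longer windows.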


Fix

Oracle has released a security alert with mitigations. Apply the fixes immediately.

  • Primary fix: Apply Oracle’s mitigation per the Oracle Security Alert for CVE-2026-35273.
  • Access Oracle Support: Detailed patch instructions are behind an authenticated My Oracle Support login.
  • Workaround: If immediate patching is not possible, restrict network access to the PeopleSoft web tier until patched: place it behind a VPN or limit it to specific IP ranges. Because exploitation needs only HTTP reachability, cutting that reachability removes the exposure, but it does not fix the flaw.

Recommendations

  • Patch immediately. The CISA KEV due date is Monday, June 15, 2026, only 2 days away. BOD 26-04 mandates a 3-day remediation window for critical exploited vulnerabilities.
  • Assume breach if unpatched. Given confirmed ShinyHunters exploitation and known ransomware association, organisations with internet-facing PeopleSoft instances that were unpatched prior to June 12 should launch incident response procedures.
  • Audit PeopleSoft access logs. Review logs for unauthorised access, unexpected administrative actions, or bulk data exports during the exploitation window.
  • Network segmentation. Ensure PeopleSoft instances are not directly internet-facing. Place them behind VPN, reverse proxy, or restricted IP allowlists.
  • Credential rotation. After patching, rotate all PeopleSoft service accounts and privileged credentials, including the database access ID and connect ID, the PS/VP1 superuser accounts, and Integration Broker node passwords; a complete takeover of the application tier can expose any of them.
  • Federal agencies: CISA BOD 26-04 mandates patching by June 15. Compliance is required.
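
As an added example for the log-audit and segmentation recommendations above (added here, not Oracle's or the advisory author's code): a Python script that parses Common Log Format access lines from the PIA web tier and flags sources outside an allowlist, large aggregate responses from the PeopleSoft servlets, and off-hours activity. The sample log lines, the allowlist, the byte threshold and the off-hours window are constructed assumptions; tune them to your environment.

```python
"""Audit PeopleSoft web-tier access logs for bulk data pulls and out-of-allowlist
sources. Added example for this advisory, not Oracle's or the author's code.
Assumes the PIA web server (WebLogic) writes Common Log Format lines, optionally
with the combined-format referer/user-agent tail. The sample log lines, the
allowlist, the off-hours window and the byte threshold are CONSTRUCTED.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format; anything after the byte count (referer, user-agent) is ignored.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# PeopleSoft PIA servlet prefixes (portal and content); static assets are excluded.
PIA_PREFIXES = ("/psp/", "/psc/")

# Constructed sample: two internal hosts with routine traffic and one external
# host pulling three very large responses from the query servlet at 02:14 UTC.
SAMPLE_LOG = """\
10.20.30.40 - - [13/Jun/2026:09:01:11 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18231
10.20.30.40 - - [13/Jun/2026:09:01:14 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE_MENU.EXAMPLE_PAGE.GBL HTTP/1.1" 200 40211
203.0.113.7 - - [13/Jun/2026:02:14:05 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?ICAction=ICQryNameURL=PUBLIC.EXAMPLE_QUERY_1 HTTP/1.1" 200 9800112
203.0.113.7 - - [13/Jun/2026:02:14:09 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?ICAction=ICQryNameURL=PUBLIC.EXAMPLE_QUERY_2 HTTP/1.1" 200 15300440
203.0.113.7 - - [13/Jun/2026:02:14:12 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?ICAction=ICQryNameURL=PUBLIC.EXAMPLE_QUERY_3 HTTP/1.1" 200 6200077
10.20.30.41 - - [13/Jun/2026:09:15:00 +0000] "GET /cs/ps/cache/PT_LOGO.png HTTP/1.1" 200 5120
"""


def parse_line(line: str) -> dict | None:
    """Parse one CLF/combined line; None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)   # tz-aware, as logged
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def _is_off_hours(hour: int, window: tuple[int, int]) -> bool:
    """True if hour (in the log's own timezone) falls in [start, end)."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end      # window wraps past midnight


def audit(log_text: str, allowlist: list[str],
          bytes_threshold: int = 25_000_000, off_hours: tuple[int, int] = (22, 6)) -> dict:
    """Per-source statistics and flags. Thresholds and window are assumptions."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    stats = defaultdict(lambda: {"requests": 0, "pia_bytes": 0, "off_hours_requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 200 and rec["path"].startswith(PIA_PREFIXES):
            s["pia_bytes"] += rec["bytes"]          # only application responses count
        if _is_off_hours(rec["ts"].hour, off_hours):
            s["off_hours_requests"] += 1
    results = {}
    for ip, s in stats.items():
        flags = []
        try:
            in_allowlist = any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:                          # hostname-logged source: unknown
            in_allowlist = False
        if not in_allowlist:
            flags.append("outside_allowlist")
        if s["pia_bytes"] > bytes_threshold:
            flags.append("bulk_pia_bytes")
        if s["off_hours_requests"]:
            flags.append("off_hours")
        results[ip] = {**s, "flags": flags}
    return results


def suspicious(results: dict) -> list[str]:
    """Sources carrying at least one flag, sorted for stable output."""
    return sorted(ip for ip, r in results.items() if r["flags"])


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, allowlist=["10.20.0.0/16"])
    for ip in suspicious(report):
        r = report[ip]
        print(f"{ip}: {r['requests']} requests, {r['pia_bytes']} PIA bytes, flags={r['flags']}")
```

Two caveats. If the web tier sits behind a load balancer, the first field will be the balancer's address; log and parse X-Forwarded-For instead, or run this against the balancer's own logs. And the script does not identify the exploit request itself, which this advisory does not describe; it surfaces the after-effects the recommendations call out (unexpected sources, bulk pulls, activity when nobody should be working), which is where to start the review.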

References

This is a CISA Known Exploited Vulnerability (KEV) advisory. KEV status is indicated in the title, opening callout, and Exploited section per editorial policy. Part of the Vulnerability Intelligence series on threat-modeling.com.
