CISA KEV Alert 6/12/2026, 8:42:05 PM

CISA Flags CVE-2026-35273 in PeopleSoft, Orders Patch by June 15

Oracle PeopleSoft zero‑day (CVE-2026-35273) exploited by ShinyHunters
Primary Source cisa.gov

CISA has added CVE-2026-35273 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry concerns Oracle PeopleSoft Enterprise PeopleTools and is titled “Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability”. The flaw allows an unauthenticated attacker to gain full control of affected PeopleTools instances.

The vulnerability stems from a missing authentication check on a critical function within PeopleTools, enabling remote code execution without credentials. It carries a CVSS v3.1 base score of 9.8, rated CRITICAL, and can be exploited over the network with low attack complexity. Oracle has released a patch addressing the issue, available through the security alert linked in the notes.

Active exploitation of CVE-2026-35273 has been observed in the wild, and the vulnerability has been linked to known ransomware campaigns. CISA’s KEV listing confirms that the flaw is being used by threat actors. Federal agencies must apply the required mitigations by the remediation due date of 2026‑06‑15.

CISA’s required action is: “Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s ‘Forensics Triage Requirements’ (see URL in Notes). Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26‑04 patching guidelines.”

While the directive binds Federal Civilian Executive Branch (FCEB) agencies, all organisations should review their exposure to PeopleSoft Enterprise PeopleTools and implement the patch or mitigations promptly.

For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-35273 and the CISA KEV catalogue.


Article by CyberSIXT
