
Critical Oracle PeopleSoft PeopleTools RCE Exposes Enterprise Systems (CVE-2026-35273)

Severity: Critical | CVSS 3.1: 9.8 | Oracle alert: Emergency | Exploit status: Reported in the wild


Oracle PeopleSoft Enterprise PeopleTools Unauthenticated RCE Published 2026-06-10

Vulnerability Overview

CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools. Oracle says the flaw is remotely exploitable without authentication over HTTP and, if successfully exploited, may result in remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with high impact to confidentiality, integrity, and availability.

CVE ID: CVE-2026-35273
CVSS Score: 9.8 (Critical)
Vendor: Oracle
Component: Updates Environment Management
Affected Product: PeopleSoft PeopleTools
Affected Versions: 8.61, 8.62
Attack Vector: Network / HTTP
Authentication: Not Required
Bottom Line

If you run Oracle PeopleSoft Enterprise PeopleTools 8.61 or 8.62, treat this as an emergency. Oracle recommends immediate action, and administrators should apply the available mitigation or patch guidance from Oracle Support without delay.

Why PeopleSoft Is a High-Value Target

PeopleSoft deployments often support core enterprise functions such as human resources, finance, payroll, campus systems, and internal business workflows. That makes PeopleTools a high-value target because compromise can expose sensitive identity, employee, student, payroll, and operational data. A remotely exploitable unauthenticated flaw in this layer gives attackers a direct path toward systems that are often deeply integrated into the rest of the enterprise environment.

Technical Analysis

The vulnerable component identified by Oracle is Updates Environment Management within PeopleSoft Enterprise PeopleTools. Oracle's risk matrix lists the affected protocol as HTTP, and the CVSS vector indicates the issue is network reachable, low complexity, requires no privileges, and requires no user interaction.

The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In practical terms, an attacker with network access to the vulnerable HTTP interface can attempt exploitation without valid credentials and without any user interaction. Successful exploitation can result in complete compromise of PeopleSoft Enterprise PeopleTools, with high confidentiality, integrity, and availability impact. Note that scope is unchanged (S:U): the score measures impact on PeopleTools itself, so follow-on access to the HR, payroll, and finance data that sits on top of it, and to systems PeopleSoft integrates with, is on top of the 9.8 rather than captured by it.

Oracle has not disclosed full technical exploit details in the public advisory, which is typical for emergency security alerts involving enterprise software. Defenders should avoid waiting for public exploit code or deeper technical writeups before acting, because the risk profile is already clear: unauthenticated network access, critical severity, and possible remote code execution.

Exploitation Status

Oracle's public advisory does not include a broad technical breakdown of exploitation activity, but outside reporting has described CVE-2026-35273 as being exploited in the wild, citing warnings from Mandiant leadership. That changes the operational priority from routine patch management to incident-response mode. Exposed or reachable PeopleSoft systems should be reviewed for compromise indicators while mitigation or patching is underway.

Am I Affected?

You are potentially affected if you operate Oracle PeopleSoft Enterprise PeopleTools 8.61 or 8.62. Oracle also notes that PeopleSoft Enterprise Applications customers may be affected because those applications depend on PeopleTools. Administrators should confirm the PeopleTools version in their environment and review the Oracle Support patch availability document linked from the official alert.

Affected Versions & Fixes

Product | Affected Versions | Resolution
PeopleSoft Enterprise PeopleTools | 8.61, 8.62 | Apply Oracle's Security Alert mitigation or patch guidance through the PeopleSoft Patch Availability Document
PeopleSoft Enterprise Applications | Dependent on the underlying PeopleTools release | Confirm the PeopleTools version in use and follow Oracle Support guidance

Oracle states that customers should remain on actively supported versions and apply Critical Patch Updates, Critical Security Patch Updates, and Security Alerts without delay. Oracle does not test unsupported releases against this vulnerability, but warns that earlier releases are likely to be affected as well, and recommends upgrading them to a supported version.

Mitigation & Remediation

Priority order, based on the Oracle Security Alert Advisory for CVE-2026-35273 (steps 1 to 3) and standard incident-response practice for an actively exploited flaw (steps 4 and 5):

  1. Apply Oracle's official mitigation or patch guidance. Review the PeopleSoft Patch Availability Document in Oracle Support and deploy the recommended fixes for PeopleTools 8.61 and 8.62.
  2. Reduce HTTP exposure. Restrict PeopleSoft administrative and application interfaces to trusted networks only, and block unnecessary internet-facing access.
  3. Prioritize supported versions. Oracle notes that unsupported releases may not be tested for this vulnerability, so upgrade planning should be treated as part of remediation.
  4. Hunt for suspicious activity. Review PeopleSoft web logs, authentication logs, update management activity, unexpected process execution, and anomalous outbound connections from PeopleSoft hosts.
  5. Monitor for follow-on compromise. Because successful exploitation may lead to remote code execution, check for new files, modified application components, unexpected scheduled jobs, and suspicious administrative account activity.

The Bigger Picture

CVE-2026-35273 is another reminder that enterprise application platforms are high-impact targets, especially when they sit behind business-critical HR, payroll, finance, and identity workflows. PeopleSoft environments are often long-lived, heavily customized, and difficult to patch quickly, which makes emergency alerts like this especially risky. When a flaw is unauthenticated, reachable over HTTP, and rated 9.8, the safest assumption is that attackers will move fast.

Observed IOCs

The following IP addresses have been reported in connection with CVE-2026-35273 activity. Treat these as investigation leads, not standalone proof of compromise.

Type | Indicator | Notes
IPv4 | 142.11.200[.]186 | Reported infrastructure
IPv4 | 142.11.200[.]187 | Reported infrastructure
IPv4 | 142.11.200[.]188 | Reported infrastructure
IPv4 | 142.11.200[.]189 | Reported infrastructure
IPv4 | 142.11.200[.]190 | Reported infrastructure
IPv4 | 108.174.202[.]99 | Reported infrastructure
IPv4 | 176.120.22[.]24 | Reported infrastructure
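To turn the table above, and step 4 under Mitigation & Remediation (hunt in the PeopleSoft web logs), into something you can run, here is an added example that is not from Oracle, the original reporting, or this page. It refangs the defanged indicators and sweeps web-tier access logs for requests from those addresses. It assumes the logs are in Combined Log Format with the client address as the first field; the log lines below are constructed for the example and show no real request.

```python
# Added example: refang the published IOC IPs and sweep access-log lines for
# hits. Assumptions: Combined Log Format (client IP first); the sample log
# lines are constructed and are not real PeopleSoft traffic.
import ipaddress
import re
from collections import Counter

# The indicators as published above, defanged with "[.]" so they are not clickable.
REPORTED_IOCS = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190", "108.174.202[.]99",
    "176.120.22[.]24",
]

# Combined Log Format: ip ident user [timestamp] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample lines (hypothetical hosts and paths).
SAMPLE_LOG = """\
10.20.30.40 - - [11/Jun/2026:08:01:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
142.11.200.188 - - [11/Jun/2026:08:05:44 +0000] "POST /psp/ps/ HTTP/1.1" 500 213 "-" "python-requests/2.31"
192.0.2.7 - - [11/Jun/2026:08:06:10 +0000] "GET /robots.txt HTTP/1.1" 404 120 "-" "curl/8.4.0"
this line is not an access-log record
176.120.22.24 - - [11/Jun/2026:08:07:30 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""


def refang(indicator):
    """Turn '142.11.200[.]186' into a validated IP string; ValueError on junk."""
    candidate = (indicator.strip()
                 .replace("[.]", ".").replace("(.)", ".").replace("[dot]", "."))
    return str(ipaddress.ip_address(candidate))


def sweep(log_text, indicators=REPORTED_IOCS):
    """Return one dict per log line whose client IP is in the IOC set."""
    iocs = {refang(i) for i in indicators}
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool should count these
        if m["ip"] in iocs:
            hits.append({
                "line": lineno,
                "ip": m["ip"],
                "time": m["ts"],
                "request": m["req"],
                "status": int(m["status"]),
            })
    return hits


def summarize(hits):
    """Hit count per IOC address, for a quick triage view."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for h in found:
        print(f'line {h["line"]}: {h["ip"]} {h["time"]} "{h["request"]}" -> {h["status"]}')
    print("per-IP:", summarize(found))
```

Two caveats when pointing this at real data. If the web tier sits behind a load balancer or reverse proxy, the first field is the proxy's address and the client IP lives in a forwarded-for header, so match on that instead. And, as the page says, a hit is an investigation lead: pull the full session for that address, including what it requested before and after, rather than treating a single matching line as proof of compromise.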
