CISA Adds Oracle PeopleSoft CVE-2026-35273 to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Oracle PeopleSoft vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in ransomware campaigns.
The flaw, tracked as CVE-2026-35273, affects Oracle PeopleSoft Enterprise PeopleTools and poses a severe risk to thousands of organizations worldwide that depend on the widely deployed enterprise resource planning (ERP) platform.
CVE-2026-35273 is classified as a Missing Authentication for Critical Function vulnerability (CWE-306), one of the most dangerous weakness categories in enterprise software.
The flaw allows an unauthenticated remote attacker to completely bypass authentication controls and achieve full takeover of affected PeopleSoft Enterprise PeopleTools instances.
No credentials and no prior access are needed: a simple network path to the target system is sufficient for a threat actor to seize control. Exploitation requires minimal technical sophistication, making the flaw particularly attractive to ransomware operators who favor high-impact, low-effort attack vectors.
Oracle PeopleSoft is deployed across thousands of universities, government agencies, healthcare systems, and large enterprises globally, significantly widening the potential attack surface.
CISA added CVE-2026-35273 to its KEV catalog on June 12, 2026, formally confirming that the vulnerability is being actively weaponized in ransomware campaigns.
Under Binding Operational Directive (BOD) 26-04, "Prioritizing Security Updates Based on Risk", federal civilian executive branch (FCEB) agencies are required to apply vendor-provided mitigations immediately and adhere to mandatory remediation deadlines.
CISA explicitly noted that stakeholders are responsible for evaluating each asset’s internet exposure and ensuring full adherence to BOD 26-04 patching guidelines. Organizations operating PeopleSoft deployments exposed to the internet face the highest risk and should treat this as an emergency-level remediation event.
Mitigations
Oracle has issued official guidance to address the vulnerability. Security teams should act without delay by taking the following steps:
- Apply Oracle’s official patches immediately in accordance with vendor instructions
- Audit all internet-facing PeopleSoft deployments and restrict external access until patching is complete
- Review CISA’s forensic triage requirements to identify any signs of prior compromise
- Federal agencies must comply with mandatory BOD 26-04 remediation timelines without exception
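The exposure-based prioritization CISA describes (evaluate each asset's internet exposure, restrict external access until patched, run forensic triage) can be turned into a repeatable triage step. The following is an added example, not code from the article, CISA or Oracle: it cross-references a KEV-style record against an asset inventory and ranks each affected host. The KEV entry is constructed to mirror the field names of CISA's public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) using the values the article states; the dueDate is a placeholder, and the hostnames and asset fields are hypothetical.

```python
import json

# Constructed record shaped like one entry of CISA's KEV JSON feed.
# cveID, vendorProject, product, dateAdded, ransomware use and CWE come from
# the advisory; shortDescription, requiredAction and dueDate are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2026-35273",
        "vendorProject": "Oracle",
        "product": "PeopleSoft Enterprise PeopleTools",
        "vulnerabilityName": "Oracle PeopleSoft Enterprise PeopleTools "
                             "Missing Authentication for Critical Function Vulnerability",
        "dateAdded": "2026-06-12",
        "shortDescription": "<placeholder: vendor description>",
        "requiredAction": "Apply mitigations per vendor instructions.",
        "dueDate": "<placeholder: BOD 26-04 deadline>",
        "knownRansomwareCampaignUse": "Known",
        "cwes": ["CWE-306"],
    }],
})

# Constructed asset inventory (hypothetical hosts). "patched_cves" records
# which KEV CVEs the vendor patch has already been applied for.
ASSETS = [
    {"host": "hr-psft-01.example.internal",  "product": "PeopleSoft Enterprise PeopleTools",
     "internet_exposed": True,  "patched_cves": []},
    {"host": "fin-psft-02.example.internal", "product": "PeopleSoft Enterprise PeopleTools",
     "internet_exposed": False, "patched_cves": []},
    {"host": "fin-psft-03.example.internal", "product": "PeopleSoft Enterprise PeopleTools",
     "internet_exposed": True,  "patched_cves": ["CVE-2026-35273"]},
    {"host": "web-01.example.internal",      "product": "Apache HTTP Server",
     "internet_exposed": True,  "patched_cves": []},
]


def load_kev(feed_json):
    """Index a KEV-format feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def matches_product(asset, entry):
    """Case-insensitive product match; a real deployment would key on CPE or a CMDB id."""
    return entry["product"].lower() in asset["product"].lower()


def priority(asset, entry):
    """Rank by the two signals the advisory stresses: exposure and ransomware use."""
    ransomware = entry.get("knownRansomwareCampaignUse", "").lower() == "known"
    if asset["internet_exposed"] and ransomware:
        return "P1-emergency"
    if asset["internet_exposed"] or ransomware:
        return "P2-urgent"
    return "P3-scheduled"


def actions_for(asset):
    """Mitigation steps from the advisory, ordered for an exposed vs. internal host."""
    steps = ["apply vendor patch"]
    if asset["internet_exposed"]:
        steps.insert(0, "restrict external access until patched")
        steps.append("run forensic triage for prior compromise")
    return steps


def triage(feed_json, assets):
    """Return one work item per unpatched (host, CVE) pair, highest priority first."""
    kev = load_kev(feed_json)
    items = []
    for asset in assets:
        for cve, entry in kev.items():
            if not matches_product(asset, entry) or cve in asset["patched_cves"]:
                continue
            items.append({
                "host": asset["host"],
                "cve": cve,
                "priority": priority(asset, entry),
                "due": entry.get("dueDate", ""),
                "actions": actions_for(asset),
            })
    return sorted(items, key=lambda i: i["priority"])


if __name__ == "__main__":
    for item in triage(KEV_SAMPLE, ASSETS):
        print(item["priority"], item["host"], item["cve"], "->", "; ".join(item["actions"]))
```

Pointing the loader at the live feed instead of the embedded sample is a one-line change; the value is in keeping the exposure flag accurate in the inventory, since that is what separates an emergency item from a scheduled one.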
This disclosure reinforces a troubling trend of ransomware groups increasingly targeting enterprise middleware and ERP platforms. Systems like PeopleSoft are often deprioritized in patch cycles compared to perimeter defenses, a blind spot that threat actors are actively exploiting.
A full system takeover via an unauthenticated flaw grants attackers unrestricted access to sensitive HR, financial, and student data before deploying ransomware payloads, amplifying both operational disruption and regulatory exposure.
Security teams should treat CVE-2026-35273 as a critical-priority remediation item. Given CISA’s confirmed ransomware link, delayed patching significantly increases the likelihood of a costly and damaging breach.
Organizations should not wait for observable indicators of compromise before acting; by that point, the damage is typically already done.