[KEV] CVE-2026-35273 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-35273 | CVSS 0.0 (no severity assigned; a 0.0 base score maps to the qualitative rating None, not Low) | Exploit: Commoditized
What Is It
CVE-2026-35273 is a missing-authentication-for-critical-function weakness (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker who can reach the affected interface over the network can fully compromise the installation.
Technical Detail
The flaw exists because a critical function within Oracle PeopleSoft Enterprise PeopleTools does not enforce authentication: an attacker with network access can invoke that function without presenting any credentials. The public data does not identify which function is affected, so defenders should assume any network-reachable PeopleTools interface is in scope until the vendor patch is applied. Successful exploitation results in full takeover of the PeopleSoft Enterprise PeopleTools instance, which in practice means administrative control over the platform and the data it manages. The attack requires no prior access, no user interaction, and no special privileges. That combination (network-reachable, unauthenticated, complete compromise) is the profile of a critical authentication bypass; the CVSS score of 0.0 shown here indicates that a base score has not yet been assigned, not that the issue is low impact, and should not be used to prioritize remediation.
Exploitation Status
CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on June 12, 2026. The exploit maturity is rated Commoditized, meaning reliable exploit code is broadly available and in active use across multiple threat actors and toolsets. At this maturity level, exploitation is not limited to sophisticated actors and can be expected from opportunistic attackers as well as targeted campaigns.
Who Is Targeting This
No threat actor attribution is available at this time; the data on hand reports no confirmed or suspected actor associations for this vulnerability. Given the commoditized exploit status and confirmed active exploitation, defenders should assume a broad range of actors, from opportunistic scanners to targeted intrusion sets, are leveraging this flaw.
What To Do
Apply Oracle's patch for PeopleSoft Enterprise PeopleTools immediately. Per CISA's Binding Operational Directive 22-01, federal civilian executive branch agencies are required to remediate this vulnerability by the deadline specified in the KEV catalog entry dated June 12, 2026. Treat this as a critical priority regardless of the assigned CVSS score: confirmed active exploitation and commoditized exploit maturity represent a materially higher risk than a 0.0 score reflects. Until patching is complete, restrict network access to PeopleSoft PeopleTools interfaces (the PeopleSoft Internet Architecture web tier and any exposed integration endpoints) at the perimeter and on internal network segments so that only known client ranges can reach them. Because exploitation requires no credentials, patching does not evict an attacker who is already inside; if an instance was reachable from untrusted networks before the patch was applied, treat it as potentially compromised, review it for persistence, and rotate PeopleSoft user, integration, and database credentials. Audit web-tier and application-server logs for requests to PeopleTools functions from sources that never completed a signon, and monitor for unexpected administrative account creation, permission list or role changes, configuration changes, and unusual data access patterns within the PeopleSoft environment as indicators of compromise.
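The log review described above, as an added example that is not part of the original briefing and is not Oracle or CISA code. It scans constructed web-tier access-log lines for three conditions a defender would want surfaced during the remediation window: PeopleTools requests from outside an internal allowlist, successful (HTTP 200) requests to PeopleTools pages that carry no session cookie, and any hit on a security-administration component. The log format, the 10.0.0.0/8 allowlist, the URL prefixes (/psp/, /psc/, /PSIGW/), the PS_TOKEN cookie name and the MAINTAIN_SECURITY component name are assumptions chosen for the example; adapt them to the logging configuration and navigation of the real environment.

```python
"""Triage helper for PeopleTools web-tier access logs (added example).

Assumptions, not taken from the briefing: a constructed log format whose last
quoted field is the request's Cookie header, PeopleSoft URL prefixes /psp/,
/psc/ and /PSIGW/, the PS_TOKEN session cookie, an internal allowlist of
10.0.0.0/8, and MAINTAIN_SECURITY as the security-administration component.
"""
import ipaddress
import re
from collections import Counter

# Constructed format: src - - [timestamp] "METHOD PATH HTTP/x" status bytes "Cookie"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

# URL prefixes served by the PeopleTools web tier (assumed for the example).
PEOPLETOOLS_PREFIXES = ("/psp/", "/psc/", "/PSIGW/")
# Components whose access should be rare and always tied to a known administrator.
ADMIN_MARKERS = ("MAINTAIN_SECURITY",)
# The signon page is legitimately reachable without a session.
ANON_OK = re.compile(r"cmd=login", re.IGNORECASE)

# Constructed sample lines for a stand-alone run; not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [12/Jun/2026:08:01:12 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120 "PS_TOKEN=abc123"
10.20.0.15 - - [12/Jun/2026:08:01:40 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 2048 "-"
203.0.113.44 - - [12/Jun/2026:08:02:03 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 200 812 "-"
10.20.0.99 - - [12/Jun/2026:08:03:10 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 200 9011 "PS_TOKEN=def456"
198.51.100.7 - - [12/Jun/2026:08:04:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # A request carrying a PS_TOKEN cookie went through signon at some point.
    rec["authenticated"] = "PS_TOKEN=" in rec["cookie"]
    return rec


def analyze(log_text, allowlist=("10.0.0.0/8",)):
    """Return (kind, record) findings for PeopleTools requests worth a human look."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PEOPLETOOLS_PREFIXES):
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            external = not any(src in n for n in nets)
        except ValueError:
            external = True  # unparsable source: treat as untrusted
        if external:
            findings.append(("external_source", rec))
        # PeopleTools normally redirects unauthenticated users to signon, so a
        # 200 on a non-login page with no session cookie is anomalous.
        if (not rec["authenticated"] and rec["status"] == 200
                and not ANON_OK.search(rec["path"])):
            findings.append(("unauthenticated_success", rec))
        if any(mk in rec["path"] for mk in ADMIN_MARKERS):
            findings.append(("security_admin_component", rec))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'external_source': 1, ...}."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, rec in analyze(SAMPLE_LOG):
        print(f"{kind:26} {rec['src']:15} {rec['method']} {rec['path']}")
    print(summarize(analyze(SAMPLE_LOG)))
```

On the constructed sample the external POST to the user-maintenance component with no session cookie raises all three findings at once, which is the pattern to escalate first; the internal, authenticated hit on the same component is reported only so it can be matched against a change ticket. Integration Gateway endpoints under /PSIGW/ authenticate differently from browser sessions, so known partner addresses should be added to the allowlist before the "unauthenticated_success" rule is trusted for that prefix.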