Introduction
On June 12, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35273 to the Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects Oracle PeopleSoft Enterprise PeopleTools and involves a Missing Authentication for Critical Function.
The inclusion in the KEV Catalog is based on concrete evidence of active exploitation in the wild. For Federal Civilian Executive Branch (FCEB) agencies, this triggers mandatory remediation deadlines under Binding Operational Directive (BOD) 26-04. However, the risk extends far beyond the federal government. Oracle PeopleSoft is a backbone for HR, finance, and supply chain operations across critical infrastructure, healthcare, and higher education. A missing authentication flaw on a critical function effectively leaves the front door of your ERP unlocked, allowing attackers to manipulate data or escalate privileges without credentials.
Defenders need to treat this as an immediate incident response priority. Patching is not optional; it is a requirement for survival in the current threat landscape.
Technical Analysis
- CVE Identifier: CVE-2026-35273
- Affected Product: Oracle PeopleSoft Enterprise PeopleTools
- Vulnerability Type: CWE-306: Missing Authentication for Critical Function
- Status: Known Exploited Vulnerability (KEV)
How the Vulnerability Works
This vulnerability exists within specific components of the PeopleTools stack. Authentication mechanisms are designed to verify the identity of a user before granting access to sensitive operations or data. In CVE-2026-35273, a critical function—likely related to integration gateways, administrative servlets, or service APIs—fails to enforce this check.
From an attacker's perspective, this eliminates the need for phishing, credential stuffing, or brute-forcing. By sending a specifically crafted HTTP request to the vulnerable endpoint, an unauthenticated actor can invoke privileged functionality. Depending on the specific component involved, this could lead to:
- Data Exfiltration: Direct dumping of PII, financial records, or intellectual property.
- Remote Code Execution (RCE): If the critical function involves system interaction or file handling, attackers may chain this bug to gain OS-level access.
- Service Disruption: Manipulation of workflows or background processes.
Exploitation Status
CISA has confirmed active exploitation. This indicates that threat actors, potentially including sophisticated groups targeting supply chains, have already weaponized this bug. When a vulnerability of this class (Missing Auth) is added to KEV, it is often because it is being used in automated botnets or targeted ransomware campaigns to gain initial access into large networks.
Detection & Response
Detecting the exploitation of CVE-2026-35273 requires a two-pronged approach: identifying the network activity associated with the attempted bypass and monitoring for post-exploitation processes if the web server is compromised.
SIGMA Rules
The following rules monitor web access logs for anomalies in PeopleTools paths and detect potential post-exploitation command execution on Windows hosts hosting the application.
---
title: Potential Exploitation of PeopleTools Missing Auth Vulnerability
id: 9a8f5b12-3d4e-4f8a-9c1d-2e3f4a5b6c7d
status: experimental
description: Detects potential exploitation attempts against Oracle PeopleSoft Enterprise PeopleTools CVE-2026-35273 by identifying unauthenticated access attempts to critical servlet paths or Integration Gateway endpoints.
references:
- https://www.cisa.gov/news-events/alerts/2026/06/12/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/06/12
tags:
- attack.initial_access
- attack.t1190
- cve.2026.35273
logsource:
category: webserver
product: apache
# Note: Adjust product based on environment (iis, nginx)
detection:
selection_uri:
c-uri|contains:
- '/PSIGW/'
- '/PSAPPSRV/'
- '/servlets/'
selection_method:
c-method: POST
filter_auth:
cs-cookie|contains: 'EXP_JSESSIONID' # PeopleSoft session cookie
condition: selection_uri and selection_method and not filter_auth
falsepositives:
- Misconfigured monitoring tools
- Legacy API integrations using token-based auth in headers (not cookies)
level: high
---
title: Web Server Spawning Shell - Potential RCE Chain
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects potential web server process exploitation leading to command execution (cmd.exe or powershell.exe) often seen after successful web exploitation.
references:
- https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/06/12
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\\java.exe'
- '\\httpd.exe'
- '\\w3wp.exe'
selection_child:
Image|endswith:
- '\\cmd.exe'
- '\\powershell.exe'
selection_cli:
CommandLine|contains:
- 'whoami'
- 'net user'
- 'curl'
- 'wget'
condition: all of selection_*
falsepositives:
- Legitimate administrative debugging by developers
level: critical
KQL (Microsoft Sentinel / Defender)
This KQL query hunts for access to PeopleSoft Integration Gateway endpoints from external IPs that lack a session cookie, indicative of an authentication bypass attempt.
// Hunt for unauthenticated access to PeopleTools critical endpoints
CommonSecurityLog
| where DeviceVendor in ("Cisco", "Fortinet", "Palo Alto Networks", "Check Point")
| where RequestURL contains "/PSIGW/" or RequestURL contains "/psp/"
| where RequestMethod == "POST"
// Check if the session cookie is missing
| where isnotempty(ReceivedBytes) and isnull(Cookie) or not(Cookie contains "EXP_JSESSIONID")
| project TimeGenerated, SourceIP, DestinationIP, DeviceAction, RequestURL, RequestMethod, UserAgent
| summarize count() by SourceIP, RequestURL, bin(TimeGenerated, 5m)
| where count_ > 5
Velociraptor VQL
This VQL artifact hunts for suspicious web server access logs or process executions on the endpoint to detect successful compromise.
-- Hunt for PeopleTools access logs or suspicious process spawns
SELECT * FROM chain(
-- Check for recent POST requests to PSIGW in IIS/HTTP logs
{
SELECT FullPath, Mtime, Size
FROM glob(globs='C:\\inetpub\\logs\\LogFiles\\**\\*.log')
WHERE Mtime > now() - 7d
},
-- Check for java.exe spawning shells (common in Java app exploitation)
{
SELECT Pid, Name, Parent.Name as ParentName, CommandLine, StartTime
FROM pslist()
WHERE Name =~ 'cmd.exe' OR Name =~ 'powershell.exe'
AND Parent.Name =~ 'java.exe'
}
)
Remediation Script (PowerShell)
This script assists in identifying Windows servers where PeopleSoft components may be installed, allowing administrators to verify patching status immediately.
# Oracle PeopleSoft CVE-2026-35273 Detection Helper
# Run as Administrator on Windows Servers
Write-Host "[*] Scanning for Oracle PeopleSoft PeopleTools installations..." -ForegroundColor Cyan
# Common PeopleSoft installation paths
$paths = @(
"C:\PSFT\",
"D:\PSFT\",
"C:\pt8*",
"D:\pt8*",
"C:\Oracle\Middleware\*"
)
$found = $false
foreach ($path in $paths) {
if (Test-Path $path) {
$found = $true
Write-Host "[+] Found PeopleSoft installation directory: $path" -ForegroundColor Yellow
# Attempt to find psappsrv.cfg or application server properties to identify version
$configFiles = Get-ChildItem -Path $path -Filter "psappsrv.cfg" -Recurse -ErrorAction SilentlyContinue
if ($configFiles) {
foreach ($file in $configFiles) {
Write-Host " - Configuration File: $($file.FullName)" -ForegroundColor Green
# In a real scenario, parse the file for 'ToolsRelease' version string
}
}
}
}
if (-not $found) {
Write-Host "[-] No standard PeopleSoft installation paths detected on this host." -ForegroundColor Red
} else {
Write-Host "[!] ACTION REQUIRED: Verify patch for CVE-2026-35273 has been applied to identified hosts." -ForegroundColor Red
Write-Host "[*] Refer to Oracle Advisory for CVE-2026-35273 for the specific PeopleTools patch version." -ForegroundColor White
}
Remediation
-
Patch Immediately: Review the Oracle Security Alert for CVE-2026-35273 and apply the required PeopleTools patch bundle. Oracle typically releases patches for PeopleTools that address specific CVEs.
- Action: Upgrade PeopleTools to the latest version where this vulnerability is resolved.
- Vendor Advisory: Oracle Security Alerts
-
Enforce BOD 26-04 Compliance: Federal agencies must remediate this vulnerability by the deadline set by CISA (typically within three weeks of KEV addition, barring extensions).
-
Network Segmentation & WAF Rules: If immediate patching is not possible due to change management windows:
- Restrict Access: Ensure PeopleSoft environments (PIA, Integration Gateway) are not accessible from the public internet unless absolutely necessary. Enforce IP whitelisting.
- WAF Configuration: Update Web Application Firewalls to block known exploitation patterns targeting
/PSIGW/or related servlets, specifically checking for malformed requests lacking session headers.
-
Log Audit: Review web server logs (access.log, IIS logs) for the last 30 days for any POST requests to the affected endpoints that do not contain a valid session cookie. Assume any successful 200 OK response from these endpoints without authentication indicates a breach.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.