Back to Intelligence

Oracle PeopleTools CVE-2026-35273 Exploitation — Critical Detection and Remediation Guide

SA
Security Arsenal Team
June 14, 2026
9 min read

Introduction

On April 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35273, a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools, to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion confirms active exploitation in the wild, requiring immediate action from all organizations utilizing PeopleSoft platforms. With a CVSS score of 9.8, this vulnerability represents one of the most severe security risks facing enterprise resource planning (ERP) systems in 2026.

PeopleSoft Enterprise PeopleTools serves as the foundational technology layer for all PeopleSoft applications, meaning this vulnerability potentially affects core business functions including HR, finance, supply chain, and student administration across thousands of organizations worldwide. The CISA KEV designation carries binding requirements for federal civilian agencies, but all organizations—especially those in critical infrastructure sectors—should treat this with equivalent urgency.

Technical Analysis

Affected Products and Versions

  • Product: Oracle PeopleSoft Enterprise PeopleTools
  • CVE: CVE-2026-35273
  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network
  • Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Impact: Confidentiality, Integrity, Availability

Vulnerability Overview

CVE-2026-35273 is a critical vulnerability affecting the Oracle PeopleSoft Enterprise PeopleTools platform—the underlying technology infrastructure for all PeopleSoft applications. The vulnerability allows unauthenticated remote attackers to compromise affected systems through network exposure, potentially leading to complete system takeover.

The specific technical details (while limited in public disclosure at this time) indicate that the vulnerability exists within the core PeopleTools framework, which means all applications running on the PeopleSoft platform—including HCM, Financials, Campus Solutions, and others—are potentially vulnerable through the same attack vector.

Exploitation Status

CISA's addition to the KEV catalog confirms:

  • Active exploitation in the wild
  • Proof-of-concept (PoC) exploitation likely available to threat actors
  • Ransomware groups and nation-state actors may be leveraging this vulnerability
  • Supply-chain organizations running PeopleSoft are particularly high-value targets

Attack Chain

  1. Initial Access: Unauthenticated remote attacker identifies exposed PeopleTools interfaces
  2. Exploitation: Attacker leverages CVE-2026-35273 to execute arbitrary code
  3. Privilege Escalation: Gains system-level access through the underlying PeopleTools framework
  4. Lateral Movement: Moves across the PeopleSoft environment and potentially to connected systems
  5. Objective: Data exfiltration, ransomware deployment, or establishing persistence

Detection & Response

Given the critical nature of this vulnerability and its active exploitation status, organizations must immediately implement detection mechanisms to identify potential compromise attempts. Below are detection rules and hunt queries tailored for this specific threat.

SIGMA Rules

YAML
---
title: Potential CVE-2026-35273 Exploitation - PeopleTools Suspicious Request Pattern
id: 8a7b9c4d-3e5f-4a2b-8d1e-5f6a7b8c9d0e
status: experimental
description: Detects potential exploitation of CVE-2026-35273 in Oracle PeopleSoft Enterprise PeopleTools based on suspicious HTTP request patterns to known vulnerable endpoints.
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.35273
logsource:
  category: web_access
  product: webserver
detection:
  selection:
    c-uri|contains:
      - '/psc/ps/'
      - '/EMPLOYEE/PSFT_HR/'
      - '/PORTAL.HTML'
    cs-method: POST
    cs-uri-query|contains:
      - 'ICType='
      - 'ICElementNumber='
      - 'PortalRegistryName='
  filter_main:
    sc-status:
      - 200
      - 500
  timeframe: 5m
condition: selection and filter_main | count() > 20
falsepositives:
  - High-volume legitimate PeopleTools usage during batch processing
level: high
---
title: PeopleTools Process Spawning Suspicious Child Process
id: 1d2e3f4a-5b6c-7d8e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects potential code execution through CVE-2026-35273 by monitoring for suspicious child processes spawned by PeopleTools-related parent processes.
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.execution
  - attack.t1059
  - cve.2026.35273
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\psappsrv.exe'
      - '\psprcsrv.exe'
      - '\pssrchsrv.exe'
      - '\PSNTSVR.EXE'
  filter_legit:
    Image|contains:
      - '\psappsrv.exe'
      - '\psprcsrv.exe'
      - '\psadmin.exe'
      - '\java.exe'
  filter_tech:
    Image|contains:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection and filter_legit and filter_tech
falsepositives:
  - Legitimate administrative maintenance activities
  - Custom integration scripts
level: critical
---
title: Unusual PeopleTools Database Access Patterns
id: 7f8e9d0c-1b2a-3c4d-5e6f-7a8b9c0d1e2f
status: experimental
description: Detects potential data exfiltration following CVE-2026-35273 exploitation by monitoring for unusual database access patterns from PeopleTools application servers.
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.exfiltration
  - attack.t1078
  - cve.2026.35273
logsource:
  category: database
  product: oracle
detection:
  selection:
    program_name|contains:
      - 'PSAPPSRV'
      - 'PSPRCSRV'
  selection_time:
    query_time|re: '(02|03|04|05):[0-5][0-9]:[0-5][0-9]'
  selection_operation:
    sql_operation:
      - 'SELECT'
      - 'EXPORT'
  selection_tables:
    sql_text|contains:
      - 'PSOPRDEFN'
      - 'PSPERSONAL_DATA'
      - 'PSPNLNAME'
      - 'PSROLEUSER'
  condition: selection and selection_time and selection_operation and selection_tables
falsepositives:
  - Scheduled report generation during off-hours
  - Legitimate data export operations
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for potential CVE-2026-35273 exploitation in PeopleTools
// Monitor for suspicious web access patterns to PeopleTools endpoints
let PeopleToolsEndpoints = dynamic(["/psc/ps/", "/EMPLOYEE/PSFT_HR/", "/PORTAL.HTML", "/s/WEBLIB_PTBR.ISCRIPT1.FieldFormula.IScript_GetImage"]);
let TimeFrame = 1d;
let HighVolumeThreshold = 50;

CommonSecurityLog
| where TimeGenerated >= ago(TimeFrame)
| where RequestURL has_any(PeopleToolsEndpoints)
| where RequestMethod == "POST"
| where DeviceVendor contains "Oracle" or DeviceProduct contains "PeopleSoft"
| extend suspicious_indicators = pack_all()
| summarize count(), make_set(RequestURL), make_set(SourceIP), make_set(DestinationIP), min(TimeGenerated), max(TimeGenerated) by DeviceProduct, SuspiciousActivity = iff(count_ > HighVolumeThreshold, "High Volume Potential Exploitation", "Normal")
| where SuspiciousActivity == "High Volume Potential Exploitation"
| order by count_ desc
| extend Recommendation = "Isolate affected PeopleTools server, review access logs for successful exploitation, apply Oracle patches for CVE-2026-35273 immediately"

// Monitor for suspicious process execution from PeopleTools services
DeviceProcessEvents
| where TimeGenerated >= ago(TimeFrame)
| where InitiatingProcessFileName in~ ("psappsrv.exe", "psprcsrv.exe", "pssrchsrv.exe", "PSNTSVR.EXE")
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "reg.exe", "whoami.exe", "net.exe", "net1.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessFileName, ProcessCommandLine
| extend Recommendation = "Potential code execution via CVE-2026-35273. Capture memory image of affected process, terminate if suspicious, initiate incident response"

Velociraptor VQL

VQL — Velociraptor
-- Hunt for potential CVE-2026-35273 exploitation indicators on Windows endpoints
-- This artifact checks for suspicious process execution from PeopleTools services

SELECT Pid, Ppid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()
WHERE Name =~ '(psappsrv|psprcsrv|pssrchsrv|PSNTSVR)\.exe'
  AND Pid IN (
    SELECT ParentPid
    FROM pslist()
    WHERE Name =~ '(cmd|powershell|pwsh|wscript|cscript|reg|whoami|net|net1)\.exe'
  )

-- Check for suspicious modifications to PeopleTools directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs="/*PeopleTools*/" + "**/*")
WHERE Mtime > now() - timedelta(hours=24)
  AND NOT FullPath =~ '(\.log|\.tmp|\.cache)'

-- Review network connections from PeopleTools processes
SELECT Pid, Family, RemoteAddr, RemotePort, State, Uid, StartTime
FROM netstat()
WHERE Pid IN (
    SELECT Pid
    FROM pslist()
    WHERE Name =~ '(psappsrv|psprcsrv|pssrchsrv|PSNTSVR)\.exe'
  )
  AND State =~ '(ESTABLISHED|CLOSE_WAIT)'
  AND RemotePort NOT IN (80, 443, 1521, 1522, 1526)

Remediation Script

PowerShell
# Script to verify Oracle PeopleTools patch status for CVE-2026-35273
# Run with appropriate administrative privileges

# Define registry key path for PeopleSoft installations
$regPath = "HKLM:\SOFTWARE\Oracle\PeopleTools"

# Function to check PeopleTools version
function Get-PeopleToolsVersion {
    $versions = @()
    if (Test-Path $regPath) {
        Get-ChildItem $regPath | ForEach-Object {
            $installPath = (Get-ItemProperty $_.PSPath).InstallPath
            if ($installPath -and (Test-Path "$installPath\bin\psappsrv.exe")) {
                $fileInfo = Get-Item "$installPath\bin\psappsrv.exe"
                $versions += [PSCustomObject]@{
                    InstallationPath = $installPath
                    Version = $fileInfo.VersionInfo.FileVersion
                    LastModified = $fileInfo.LastWriteTime
                    IsVulnerable = $fileInfo.VersionInfo.FileVersion -lt "8.60.10"  # Update with actual patched version
                }
            }
        }
    }
    return $versions
}

# Function to check for signs of potential exploitation
function Test-PeopleToolsExploitationIndicators {
    $indicators = @()
    
    # Check for suspicious process execution
    $suspiciousProcesses = Get-WmiObject Win32_Process |
        Where-Object { $_.Name -match "(psappsrv|psprcsrv|pssrchsrv)\.exe" } |
        ForEach-Object { 
            $children = Get-WmiObject Win32_Process -Filter "ParentProcessId=$($_.ProcessId)"
            if ($children.Name -match "(cmd|powershell|pwsh|wscript|cscript)\.exe") {
                $indicators += [PSCustomObject]@{
                    IndicatorType = "Suspicious Child Process"
                    Details = "$($_.Name) (PID: $($_.ProcessId)) spawned $($children.Name) (PID: $($children.ProcessId))"
                }
            }
        }
    
    # Check for recent file modifications in PeopleTools directories
    $peopleToolsDirs = Get-ChildItem -Path "C:\*PeopleTools*" -Directory -ErrorAction SilentlyContinue
    foreach ($dir in $peopleToolsDirs) {
        $recentFiles = Get-ChildItem -Path $dir.FullName -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(24) -and $_.Extension -notin ".log", ".tmp" }
        
        if ($recentFiles.Count -gt 0) {
            $indicators += [PSCustomObject]@{
                IndicatorType = "Recent File Modifications"
                Details = "$($recentFiles.Count) files modified in $($dir.FullName) in the last 24 hours"
            }
        }
    }
    
    return $indicators
}

# Main execution
Write-Host "Checking Oracle PeopleSoft Enterprise PeopleTools for CVE-2026-35273..." -ForegroundColor Yellow

$versions = Get-PeopleToolsVersion
if ($versions.Count -eq 0) {
    Write-Host "No PeopleTools installations found on this system." -ForegroundColor Green
} else {
    Write-Host "Found $($versions.Count) PeopleTools installation(s):" -ForegroundColor Cyan
    $versions | Format-Table -AutoSize
    
    $vulnerable = $versions | Where-Object { $_.IsVulnerable }
    if ($vulnerable) {
        Write-Host "VULNERABLE: Unpatched PeopleTools installations detected. Apply Oracle patch for CVE-2026-35273 immediately." -ForegroundColor Red
        
        # Check for exploitation indicators
        Write-Host "Checking for signs of potential exploitation..." -ForegroundColor Yellow
        $indicators = Test-PeopleToolsExploitationIndicators
        
        if ($indicators.Count -gt 0) {
            Write-Host "WARNING: Potential exploitation indicators detected:" -ForegroundColor Red
            $indicators | Format-Table -AutoSize
            Write-Host "IMMEDIATE ACTION REQUIRED: Isolate this system and initiate incident response procedures." -ForegroundColor Red
        } else {
            Write-Host "No obvious signs of exploitation detected at this time." -ForegroundColor Green
        }
    } else {
        Write-Host "All installed PeopleTools versions appear to be patched against CVE-2026-35273." -ForegroundColor Green
    }
}

Write-Host "For official Oracle patches and guidance, visit: https://www.oracle.com/security-alerts/" -ForegroundColor Cyan
Write-Host "For CISA KEV requirements, visit: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" -ForegroundColor Cyan

Remediation

Immediate Actions Required

  1. Apply Oracle Security Patch

    • Oracle has released patches for CVE-2026-35273 in the April 2026 Critical Patch Update
    • Identify all PeopleTools instances in your environment (including development, test, and production)
    • Apply the appropriate patch based on your PeopleTools version immediately
    • Federal Agency Deadline: As per CISA BOD 22-01, federal civilian agencies must patch by April 28, 2026
    • All Organizations Recommendation: Apply patches immediately, regardless of federal compliance status

  2. Temporary Mitigations (if patching cannot be completed immediately)

    • Restrict network access to PeopleTools endpoints to trusted IP ranges only
    • Implement WAF rules to block exploitation attempts
    • Disable non-essential PeopleTools web interfaces until patching is complete
    • Increase monitoring frequency for suspicious activity

  3. Post-Patching Verification

    • Verify successful patch installation using the provided PowerShell script
    • Run security validation tests to confirm the vulnerability is remediated
    • Review access logs during the vulnerable period for signs of exploitation

  4. Incident Response Preparation

    • If you cannot confirm whether exploitation occurred during the vulnerable period
    • Conduct a forensic review of PeopleTools application servers
    • Rotate credentials for privileged PeopleSoft accounts as a precaution
    • Review database access logs for unusual query patterns

Official Vendor Resources

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosureoracle-peoplesoftcve-2026-35273cisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action