CISA Adds One Known Exploited Vulnerability to Catalog (CVE-2026-35273)

What Happened

CISA has issued an alert regarding a newly exploited vulnerability in Oracle PeopleSoft Enterprise PeopleTools. This software flaw allows attackers to bypass authentication and access critical functions without a password. Because it is actively being used in attacks, CISA has added it to their mandatory patch list for federal agencies. All organizations using this software should apply the necessary security updates immediately and check their systems for signs of a breach.

Key Takeaways

• CISA added CVE-2026-35273 to the Known Exploited Vulnerabilities (KEV) catalog due to active exploitation.
• The vulnerability affects Oracle PeopleSoft Enterprise PeopleTools and involves missing authentication for a critical function.
• Federal Civilian Executive Branch (FCEB) agencies must prioritize rapid remediation under Binding Operational Directive (BOD) 26-04.
• Organizations are advised to check if threat actors compromised the system before applying the patch.

Affected Systems

• Oracle PeopleSoft Enterprise PeopleTools

Vulnerabilities (CVEs)

• CVE-2026-35273

Attack Chain

Threat actors are actively exploiting CVE-2026-35273, a missing authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools. By bypassing authentication mechanisms, attackers can access critical functions within the application. This unauthorized access likely facilitates further compromise or total control of the publicly exposed asset.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: Low — EDR solutions typically do not have direct visibility into web application authentication bypasses unless they monitor the specific web server processes for anomalous child processes or file drops post-exploitation. Network Visibility: Medium — Network monitoring or Web Application Firewalls (WAF) may detect anomalous HTTP requests targeting critical PeopleSoft endpoints. Detection Difficulty: Moderate — Detecting this vulnerability requires a baseline of normal authentication traffic to PeopleSoft to identify bypass attempts or unauthorized access to critical functions.

Required Log Sources

• Web Server Access Logs
• Application Logs
• WAF Logs

Hunting Hypotheses

Control Gaps

• Exposure of critical PeopleSoft interfaces to the public internet
• Lack of WAF rules specifically targeting PeopleSoft authentication bypass attempts

Key Behavioral Indicators

• Anomalous HTTP requests to PeopleTools endpoints without prior authentication tokens or valid session cookies.

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Identify all instances of Oracle PeopleSoft Enterprise PeopleTools in your environment.
• Apply the vendor-supplied patch for CVE-2026-35273 immediately.
• Check systems for signs of compromise prior to patching, as recommended by CISA BOD 26-04 guidelines.

Infrastructure Hardening

• Evaluate whether Oracle PeopleSoft interfaces need to be exposed to the public internet, and consider restricting access via VPN or IP allowlisting.
• Ensure Web Application Firewalls (WAF) are deployed and configured to inspect traffic to PeopleSoft applications.

User Protection

• N/A

Security Awareness

• Consider incorporating risk-based vulnerability management principles into organizational patching policies to prioritize actively exploited flaws.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1068 - Exploitation for Privilege Escalation