COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-35273

CVE-2026-35273

Severity
critical · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-06-12
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-35273
⚡ RCE ⌖ exploited in the wild shame 85/100 ransomwareexploited-in-wildunpatchedauth-bypassdata-breachnegligence

Oracle PeopleTools lacks authentication for critical functions, enabling unauthenticated attackers to gain full system control.

This critical vulnerability allows unauthenticated attackers to take over PeopleSoft Enterprise PeopleTools, a widely used ERP component in defense systems. The absence of authentication controls for critical functions creates a severe risk of data exfiltration and system compromise for DIB organizations relying on Oracle PeopleSoft. Immediate patching and network segmentation are required to mitigate this active exploitation threat.

Shame score — A critical authentication bypass in a widely deployed ERP system that enables unauthenticated takeover, directly linked to ransomware exploitation.

Players implicated

Oracle · vendor PeopleSoft Enterprise PeopleTools · product

Description

Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.

Affected FedRAMP products 10 in the catalog

ProductProviderStatusMatch
Aconex for Defense Oracle Authorized vendor-exact · 0.90
Federal Managed Cloud Services Oracle Authorized vendor-exact · 0.90
Fusion Cloud Oracle Authorized vendor-exact · 0.90
Government Cloud - Common Controls Oracle Authorized vendor-exact · 0.90
Oracle Cloud Infrastructure-Government Cloud Oracle Authorized vendor-exact · 0.90
Oracle Enterprise Performance Management (EPM) Oracle Authorized vendor-exact · 0.90
Oracle Enterprise Performance Management (EPM) - Moderate Oracle In Process vendor-exact · 0.90
Oracle Service Cloud Oracle Authorized vendor-exact · 0.90
Oracle Service Cloud (DOD) Oracle Authorized vendor-exact · 0.90
Taleo Cloud - U.S. Government Cloud Oracle Authorized vendor-exact · 0.90