CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2026-35273

CVSS 9.8v3.1pub. 2026-06-11upd. 2026-06-12

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), meaning that critical functions of the Updates Environment Management component are accessible without any authentication. An attacker with network access to the system can send HTTP requests without providing credentials and gain full access to sensitive operations. The flaw is easy to exploit — it does not require special privileges or user interaction.

Impact

A successful attack leads to complete takeover of the PeopleSoft Enterprise PeopleTools system, including violation of confidentiality, integrity, and availability of data (C:H/I:H/A:H). An attacker can read, modify, or delete data, as well as cause system unavailability (DoS).

Mitigation & patch

Patches released by Oracle must be applied immediately in accordance with the security alert available at https://www.oracle.com/security-alerts/alert-cve-2026-35273.html. Due to active exploitation of the vulnerability in the wild, the update should be deployed with priority. Until the patch is installed, it is recommended to restrict network access to the Updates Environment Management component exclusively to trusted IP addresses.

Who is affected

Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oracle Peoplesoft Enterprise Peopletools

    APP
    Oracle
    8.618.62

CISA KEV — detailsi

Vendori
Oracle
Producti
PeopleSoft Enterprise PeopleTools
Added to KEVi
June 12, 2026
Remediation deadline (US Federal)i
June 15, 2026(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CISA descriptioni

Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 15 czerwca 2026
Tags
Auth BypassDoS
CWE
References

Related vulnerabilities

CVE-2019-2725CRITICAL9.8⚠ KEVten sam produkt

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services)...

CVE-2022-21543CRITICAL9.8ten sam produkt

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Enviro...

CVE-2021-3711CRITICAL9.8ten sam produkt

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt()....

CVE-2021-22931CRITICAL9.8ten sam produkt

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes d...

CVE-2021-23926CRITICAL9.1ten sam produkt

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user fro...