
PeopleSoft PeopleTools CVE-2026-35273

EUVD-2026-36199 · CRITICAL
Missing Authentication for Critical Function (CWE-306)
Published 2026-06-11 · Vendor: oracle · GHSA-25mw-359m-f6rj
CVSS 3.1 base score: 9.8

Severity by source

Vendor (oracle), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL

Oracle states unauthenticated HTTP exploitation with low complexity yielding full product takeover, supporting AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H with unchanged scope.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS Vector (Vendor: oracle)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Added to CISA KEV: Jun 12, 2026 - 18:01 (CISA)
Analysis Generated: Jun 11, 2026 - 03:41 (vuln.today)

Description (CVE.org)

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Analysis (AI)

Remote takeover of Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 is possible through the Updates Environment Management component via unauthenticated HTTP requests. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network-based exploitation against any internet- or intranet-exposed instance, with full confidentiality, integrity, and availability impact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify exposed PeopleSoft PIA endpoint
Delivery: Fingerprint PeopleTools 8.61/8.62 version
Exploit: Send crafted HTTP request to Updates Environment Management
Execution: Achieve unauthenticated takeover of PeopleTools
Impact: Pivot to ERP database and HR/finance data

Vulnerability Assessment (AI)

Exploitation: The target must be running Oracle PeopleSoft Enterprise PeopleTools version 8.61 or 8.62 with the Updates Environment Management component reachable over HTTP from the attacker's network position; no authentication, user interaction, or non-default configuration is required (AV:N/AC:L/PR:N/UI:N). …

Risk Assessment: All signals point to high priority: CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means a remote, unauthenticated attacker can exploit over HTTP with low complexity and no user interaction, and Oracle itself characterizes the flaw as 'easily exploitable', resulting in product takeover. …

Exploit Scenario: An attacker scans an organization's external or VPN-reachable IP ranges, identifies a PeopleSoft PIA web tier running PeopleTools 8.61 or 8.62, and sends a crafted unauthenticated HTTP request to the Updates Environment Management component. The single request yields full takeover of the PeopleTools instance, giving the attacker control over ERP application servers, access to HR/finance data, and a foothold to pivot into the Oracle database tier. …

Remediation: Apply the fix from Oracle's out-of-cycle security alert at https://www.oracle.com/security-alerts/alert-cve-2026-35273.html as the primary remediation. Consult the alert for the exact PeopleTools patch identifiers corresponding to your 8.61 or 8.62 deployment, since exact fix version numbers are not given here (a patch is available per the vendor advisory). …

Recommended Action (AI)

Within 24 hours: Identify and inventory all Oracle PeopleSoft PeopleTools 8.61 and 8.62 instances across production and non-production environments. …
