Critical Oracle PeopleSoft Authentication Bypass Under Active Exploitation by Ransomware Operators
What Is Happening
A critical missing authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools (CVE-2026-35273) is under active exploitation. The flaw allows unauthenticated remote attackers to bypass authentication controls entirely and gain administrative access to PeopleSoft environments. Oracle issued an out-of-band security alert on June 10, 2026, ahead of their standard quarterly patch cycle, indicating the severity of in-the-wild exploitation.
Threat actors are actively leveraging this vulnerability as an initial access vector in ransomware campaigns. Security researchers have observed exploitation attempts originating from multiple threat clusters, with post-exploitation activity consistent with both data exfiltration and ransomware deployment. The attacks target internet-exposed PeopleSoft instances, particularly those with PIA (PeopleSoft Internet Architecture) web servers accessible from untrusted networks.
CISA added CVE-2026-35273 to the Known Exploited Vulnerabilities catalog on June 12, 2026, establishing a federal remediation deadline and signaling confirmed exploitation. The combination of trivial exploitability, ransomware association, and the sensitive nature of data typically housed in PeopleSoft deployments (HR records, financial data, payroll information) makes this a priority-zero remediation target.
Affected Versions
| Product | Affected Versions | Status |
|---|---|---|
| PeopleSoft Enterprise PeopleTools | 8.59 (all patch levels prior to 8.59.14) | Patch Available |
| PeopleSoft Enterprise PeopleTools | 8.60 (all patch levels prior to 8.60.09) | Patch Available |
| PeopleSoft Enterprise PeopleTools | 8.61 (all patch levels prior to 8.61.05) | Patch Available |
| PeopleSoft Enterprise PeopleTools | 8.58 and earlier | End of Premier Support, No Patch |
Oracle addressed this vulnerability in the June 2026 Critical Security Patch Update. The specific patches are:
- PeopleTools 8.59: Update to patch level 8.59.14 or later
- PeopleTools 8.60: Update to patch level 8.60.09 or later
- PeopleTools 8.61: Update to patch level 8.61.05 or later
Patches are available through My Oracle Support (MOS) under Advisory ID 35273. Organizations running PeopleTools 8.58 or earlier must upgrade to a supported version, as these releases are past their support lifecycle and will not receive security updates.
What Being on an Affected Version Means
An attacker exploiting CVE-2026-35273 can bypass PeopleSoft's authentication mechanisms completely, gaining access to the application as an administrative user without valid credentials. From this position, the attacker has full read and write access to all data within the PeopleSoft environment. This includes employee personal information, Social Security numbers, bank account details for direct deposit, salary and compensation data, and organizational financial records.
The typical attack path observed begins with reconnaissance scanning for exposed PIA web servers on ports 80, 443, or custom ports. Upon identifying a vulnerable instance, attackers send crafted HTTP requests to authentication endpoints that trigger the bypass condition. Once inside, threat actors have been observed exporting bulk data from HR and Finance modules, creating persistent administrative accounts, deploying web shells within the PeopleSoft application server directories, and using the compromised PeopleSoft server as a pivot point to reach database servers and internal network segments. In ransomware scenarios, attackers leverage database connectivity to encrypt both the PeopleSoft application tier and underlying Oracle database.
Mitigation Steps
- Apply the June 2026 CPU patches immediately. Download the appropriate patch from My Oracle Support for your PeopleTools version (8.59.14, 8.60.09, or 8.61.05). Follow Oracle's patching documentation and test in a non-production environment if your change management process permits rapid validation.
- Restrict network access to PIA web servers. If your PeopleSoft deployment does not require public internet access, implement firewall rules or network ACLs to limit inbound connections to known, trusted IP ranges. Place PIA servers behind a VPN or zero-trust network access solution where feasible.
- Disable the Integration Broker gateway if not in use. The vulnerable authentication path involves Integration Broker components. If your organization does not use Integration Broker for external integrations, disable the gateway servlet in your webserver configuration.
- Implement web application firewall rules as a temporary control. If immediate patching is not possible, configure your WAF to block HTTP requests containing the exploit signatures. Look for anomalous POST requests to
/PSIGW/and/psc/endpoints with malformed or missing authentication tokens.
- Monitor for indicators of compromise. Review PeopleSoft application server logs (
APPSRV_MMDD.LOG) and web server access logs for unusual authentication patterns. Specifically, look for successful access to secured components without corresponding entries in thePSACCESSLOGtable. On the network layer, monitor for large outbound data transfers from PeopleSoft servers and new connections to the Oracle database listener (typically port 1521) from unexpected sources.
- Audit administrative accounts and recent configuration changes. Query the
PSOPRDEFNtable for recently created operator IDs and review thePS_AUDITtables for unexpected permission grants or role assignments within the past 30 days.
Organizations running vulnerable PeopleSoft versions with any internet exposure should treat patching as an emergency action; confirmed ransomware campaigns exploiting this vulnerability make delays unacceptable.