A critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools allows an unauthenticated attacker to take full control of the system due to a missing authentication check on a critical function. This flaw requires no credentials to exploit, making it particularly dangerous for any internet-facing or internally accessible PeopleSoft deployment. CISA has added it to its Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild.

Security Architect’s Take: Immediately apply Oracle’s patch or mitigation guidance, and in the interim restrict network access to PeopleSoft PeopleTools interfaces via firewall rules or VPN — ensuring the application is not exposed to untrusted networks. Audit your environment for any signs of unauthorised access or anomalous activity in PeopleSoft logs since exposure without authentication controls is high-impact.

Original advisory: CVE-2026-35273: Oracle PeopleSoft Enterprise PeopleTools