## Overview
CISA added CVE-2026-35273 to the KEV catalog on June 12, 2026, citing active ransomware exploitation. Federal agencies have 90 days to remediate. The vulnerability enables full system compromise without authentication.
## Technical Details
The flaw exists in PeopleSoft Enterprise PeopleTools' Updates Environment Management component. Affected versions are 8.61 and 8.62. Attackers require only network access via HTTP. No authentication is needed to trigger the vulnerability. CVSS 3.1 score is 9.8 (Critical) with impacts to confidentiality, integrity, and availability.
## Impact
Successful exploitation results in complete takeover of PeopleSoft Enterprise PeopleTools. Attackers gain full control over the application environment. This enables data exfiltration, system manipulation, or deployment of ransomware payloads without user interaction.
## Mitigation
Apply Oracle's security patch for PeopleSoft PeopleTools 8.61 and 8.62 immediately. Isolate affected systems from public networks if patching is delayed. Monitor for HTTP requests to Updates Environment Management endpoints. Do not rely on network segmentation alone as the vulnerability is easily exploitable over HTTP.
CSURFACE Threat Sensor