A critical security vulnerability affects Oracle’s PeopleSoft Enterprise PeopleTools. Attackers can exploit it without prior authentication and end up executing injected malicious code. Admins should update the software quickly.
A brief entry in Oracle’s security blog points out the vulnerability. An alert issued outside of the regularly scheduled patch days provides a little more insight. According to it, the vulnerability affects Oracle PeopleSoft PeopleTools and possibly Oracle PeopleSoft Enterprise Applications. The risk matrix shows that attackers on the network can exploit the vulnerability with HTTP packets without prior authentication (CVE-2026-35273, CVSS 9.8, risk “critical”).
Oracle does not discuss what such attacks might look like. The vulnerability was reported to Oracle by Trend Micro’s Zero Day Initiative (ZDI). Oracle strongly recommends that IT managers treat remediation as a high priority. A document containing installation instructions and possible temporary countermeasures requires an Oracle account login.
IT managers should react quickly
The fact that Oracle is issuing a security alert outside of the typical quarterly patch days called “Critical Patch Update” (CPU) and the monthly “Critical Security Patch Update” (CSPU), which was introduced in May, indicates how urgent the manufacturer considers the matter. Although nothing in the security notice says that the vulnerability has already been attacked, attacks are apparently easy to carry out and the potential damage is great. This may also be a lesson from the attacks on security vulnerabilities in Oracle’s E-Business Suite last fall, in which cyber gangs copied sensitive data from companies and then blackmailed them for ransom.
(dmk)
