A critical zero-day vulnerability, CVE-2026-35273, has been discovered in Oracle PeopleSoft, specifically in the Updates Environment Management component of PeopleTools. It has a CVSSv3.1 score of 9.8, indicating a high level of severity. The flaw is classified as a server-side request forgery and allows remote code execution without authentication. Oracle released an out-of-band patch on June 10, 2026, emphasizing the need for immediate remediation. Active exploitation of this vulnerability has been reported, expanding the attack surface for vulnerable systems, and because the flaw is remotely exploitable without authentication, the risk of widespread attacks is increased [1]. For practitioners, the high CVSS score and active exploitation mean this vulnerability demands prompt attention and patching to prevent remote code execution attacks.
Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)
⚠️ Critical Alert
Why This Matters
CVE-2026-35273 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- Rapid7. (2026, June 12). Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273). Rapid7 Blog. https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273
Original Source
Rapid7 Blog