ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-35273, Unauthenticated RCE in Oracle PeopleSoft PeopleTools Updates Environment Management

A brief summary of CVE-2026-35273, a CVSS 9.8 unauthenticated remote code execution vulnerability in Oracle PeopleSoft PeopleTools affecting versions 8.61 and 8.62, along with patch information and threat intelligence context.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-10

Quick Look: CVE-2026-35273, Unauthenticated RCE in Oracle PeopleSoft PeopleTools Updates Environment Management
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Oracle issued a rare out-of-cycle Security Alert on June 10, 2026 for a CVSS 9.8 unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools, a move Oracle reserves for flaws it considers too dangerous to wait for the next quarterly patch cycle. For the thousands of enterprises running PeopleSoft to manage payroll, HR, financials, and student records, CVE-2026-35273 represents a direct path from the network to full system compromise with no credentials required.

Technical Information

Vulnerability Overview

CVE-2026-35273 affects the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. This component is responsible for managing environment configuration and update deployment across PeopleSoft instances. Critically, it exposes HTTP interfaces that can be reached without authentication, which forms the basis of this vulnerability.

Oracle's advisory explicitly states that successful exploitation "may result in remote code execution," and the NVD description confirms that attacks "can result in takeover of PeopleSoft Enterprise PeopleTools."

CVSS v3.1 Scoring Breakdown

The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H breaks down as follows:

MetricValueMeaning
Attack VectorNetworkExploitable remotely over HTTP
Attack ComplexityLowNo specialized conditions required
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo victim action required
ScopeUnchangedImpact confined to the vulnerable component
ConfidentialityHighTotal information disclosure
IntegrityHighTotal system compromise
AvailabilityHighTotal denial of service possible

This combination of metrics represents a worst case network vulnerability. An unauthenticated attacker can send a crafted HTTP request to compromise the system with no barriers to exploitation.

Probable Root Cause: Java Deserialization

While Oracle does not publicly disclose the technical internals of its vulnerabilities, the advisory references the JEP 290 Reference Blocklist Filter as an additional resource for managing related deserialization risks. JEP 290 (Filter Incoming Serialization Data) is a Java Enhancement Proposal that provides a mechanism for validating incoming serialized objects before they are deserialized, specifying which classes are acceptable and which should be rejected.

This reference strongly suggests the vulnerability involves a Java deserialization attack vector. This class of vulnerability has been historically devastating in Oracle middleware products, particularly those built on WebLogic and Tuxedo, both of which underpin PeopleSoft's architecture.

PeopleSoft Architecture and Attack Surface

PeopleSoft uses a three tier Pure Internet Architecture (PIA):

  1. Web server tier: Oracle WebLogic Server
  2. Application server tier: Oracle Tuxedo
  3. Database tier: Oracle Database

The PeopleTools layer spans all three tiers and has historically been a high value attack surface. The Updates Environment Management component sits within this architecture and, based on the vulnerability characteristics, appears to accept serialized Java objects over HTTP without proper authentication or input validation.

Attack Flow

Based on the available technical details, the likely exploitation path is:

  1. An attacker identifies an internet facing or network accessible PeopleSoft instance (common for employee self service portals).
  2. The attacker sends a crafted HTTP request to the Updates Environment Management component's endpoint.
  3. The request contains a malicious serialized Java object that bypasses any existing deserialization filters.
  4. The PeopleSoft application server deserializes the object, triggering arbitrary code execution in the context of the application server process.
  5. The attacker gains full control over the PeopleSoft instance, including access to all managed data (payroll, HR records, financial data) and the ability to pivot to connected database and application tiers.

No authentication is required at any step. No user interaction is needed. The attack complexity is low.

Escalation Pattern in PeopleTools Vulnerabilities

CVE-2026-35273 represents a notable escalation in the PeopleTools vulnerability landscape. Recent CVEs affecting the same versions (8.61 and 8.62) have progressively lowered the authentication barrier:

CVE IDComponentPrivileges RequiredCVSS
CVE-2025-30697Panel ProcessorLowNot specified
CVE-2025-53061Not specifiedHighNot specified
CVE-2025-61750Not specifiedLowNot specified
CVE-2026-34307WorkflowLowNot specified
CVE-2026-35273Updates Environment MgmtNone9.8

The shift from low privileged or high privileged exploitation to fully unauthenticated exploitation is significant. It suggests either that the codebase contains multiple related vulnerability classes, or that researchers are systematically probing the same attack surfaces with increasing success.

Patch Information

Oracle addressed CVE-2026-35273 through a dedicated Security Alert released on June 10, 2026 (Revision 1). This was issued as a standalone out of band alert rather than part of a regularly scheduled Critical Patch Update, which is a strong signal of how seriously Oracle viewed the severity.

The fix applies to the two supported versions of PeopleSoft Enterprise PeopleTools: 8.61 and 8.62. Oracle published the patch under Patch Availability Document CPU187, accessible via My Oracle Support.

Key details for patch application:

  • Where to get the patch: Log into My Oracle Support and navigate to Patch Availability Document CPU187.
  • How to apply: PeopleTools patches are applied using Oracle's Change Assistant tool. Select Tools, Change Actions, then Update Manager, and follow the guided workflow.
  • Support coverage requirement: Patches are only provided for product versions covered under Oracle's Premier Support or Extended Support phases. Organizations running older, unsupported versions of PeopleTools will not receive an official fix and must upgrade to a supported release (8.61 or 8.62) before applying the patch.
  • Oracle's recommendation: Treat the implementation of this patch as a "high priority risk reduction measure" and apply it without delay.

The vulnerability was credited to three researchers: Bobby Gould and Minh Giang of TrendAI Zero Day Initiative, and Lucas Miller of TrendAI Research. The coordinated disclosure through ZDI and the resulting out of band alert underscore the real world exploitability of this flaw.

As a supplementary defense in depth measure, organizations should consider configuring JEP 290 serialization filters on PeopleSoft application server JVMs. This provides an additional layer of protection against deserialization based attacks, though it is not a replacement for the official patch. Additionally, restricting network access to PeopleSoft HTTP endpoints to authorized internal networks and VPN connections is an essential interim measure given the HTTP based attack vector.

Affected Systems and Versions

The following versions of Oracle PeopleSoft Enterprise PeopleTools are confirmed affected:

  • PeopleSoft Enterprise PeopleTools 8.61
  • PeopleSoft Enterprise PeopleTools 8.62

The vulnerable component is Updates Environment Management.

Oracle's advisory also notes that PeopleSoft Enterprise Applications customers may be at risk, extending the blast radius beyond the core PeopleTools product. Any PeopleSoft deployment using PeopleTools 8.61 or 8.62 with HTTP accessible Updates Environment Management endpoints is vulnerable.

Organizations running PeopleTools versions prior to 8.61 are outside the scope of the official patch but should assume they are also affected, as Oracle's advisory warns that earlier versions are likely vulnerable.

Vendor Security History

Oracle PeopleSoft has a well documented history of security vulnerabilities in its PeopleTools layer:

  • CVE-2017-3548 (2017): An XML External Entity (XXE) vulnerability in the PeopleSoftServiceListeningConnector allowed attackers to send specially crafted unauthorized XML requests processed by the XML parser.

  • PS_TOKEN and Node Password attacks (2015): Researchers at HITB demonstrated that the PS_TOKEN cookie trust mechanism and Node password could be compromised for full system access. This research was recognized in the Top 10 Web Hacking Techniques of 2012.

  • Multiple 2025 and 2026 PeopleTools CVEs: A series of vulnerabilities affecting PeopleTools 8.61 and 8.62, including CVE-2025-30697 (Panel Processor), CVE-2025-53061, CVE-2025-61750, and CVE-2026-34307 (Workflow), demonstrate ongoing security challenges in this codebase.

Oracle's quarterly Critical Patch Updates routinely address hundreds of vulnerabilities across its product portfolio. The May 2026 CPU alone addressed over 300 vulnerabilities. The increasing frequency of out of cycle Security Alerts for PeopleSoft and enterprise application vulnerabilities (including CVE-2026-21992 earlier in 2026) suggests that the standard quarterly patch cycle may not be sufficient for the pace of vulnerability discovery in Oracle's enterprise products.

From a threat actor perspective, the Cl0p ransomware group has recently exploited Oracle E-Business Suite vulnerabilities (including CVE-2025-61882) for account takeover and data exfiltration campaigns, establishing a clear precedent that sophisticated threat actors are actively targeting Oracle's enterprise application ecosystem. While no confirmed in the wild exploitation of CVE-2026-35273 has been reported as of June 11, 2026, CISA has been actively adding Oracle vulnerabilities to the Known Exploited Vulnerabilities catalog throughout June 2026, including CVE-2024-21182 (Oracle WebLogic Server) on June 1 and three additional CVEs on June 9.

The combination of trivial exploitation requirements (unauthenticated, low complexity, HTTP based), confirmed RCE impact, and active threat actor interest in Oracle products creates a narrow window for defenders to patch before exploitation begins.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization