Published Friday, June 12, 2026 at 09:59 AM PT

🚨 BREAKING: CRITICAL ORACLE PEOPLESOFT RCE VULNERABILITY — PATCH IMMEDIATELY

BLUF: Oracle has disclosed CVE-2026-35273, a CVSS 9.8 unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools. An out-of-band patch was released June 10, 2026. All organizations running affected PeopleSoft PeopleTools versions should apply the patch immediately.


DETAILS

  • CVE-2026-35273 affects the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools
  • CVSSv3.1 base score: 9.8 (Critical) — remotely exploitable with no authentication required
  • Successful exploitation may result in remote code execution (RCE); full impact scope is not yet confirmed in available reporting
  • Oracle issued an out-of-band security alert on June 10, 2026 — outside its standard quarterly CPU cycle — indicating elevated urgency
  • No confirmed in-the-wild exploitation has been reported at time of publication; exploitation status is unconfirmed

IMPACT

  • Affected: Organizations running Oracle PeopleSoft Enterprise PeopleTools with the Updates Environment Management component exposed — commonly used in HR, finance, and ERP environments across enterprise and public sector
  • Scope: Network-accessible PeopleSoft instances are at highest risk; internet-facing deployments should be treated as a priority
  • Potential consequence: Full system compromise via unauthenticated RCE; lateral movement and data exfiltration are plausible follow-on risks
  • ⚠️ Specific affected version ranges not confirmed in available details — consult Oracle’s advisory directly

  1. Apply Oracle’s out-of-band patch immediately — available as of June 10, 2026 via Oracle’s support portal
  2. Audit exposure — identify all PeopleSoft PeopleTools instances, particularly any internet-facing or externally accessible deployments
  3. Restrict network access to the Updates Environment Management component where patching cannot be immediately applied
  4. Monitor for exploitation indicators — review logs for anomalous unauthenticated access attempts against PeopleSoft endpoints
  5. Escalate to system owners and patch management teams now — do not wait for the next scheduled maintenance window

SOURCES

  • Rapid7 Security Advisory (June 10, 2026)
  • Oracle Security Alert — CVE-2026-35273 (June 10, 2026)

⚠️ NOTE: Specific affected version numbers and confirmed exploitation status were not available in source material at time of publication. Verify scope against Oracle’s official advisory.