CISA KEV Alert: CVE-2026-35273 Oracle PeopleSoft Authentication Bypass Now Actively Exploited
What the new CISA Known Exploited Vulnerability catalog addition means for your vulnerability management program — and your compliance posture
Published 2026-06-13
On June 12, 2026, CISA added CVE-2026-35273 — an Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog, confirming evidence of active exploitation in the wild.
What Happened and What the Rule Requires
CVE-2026-35273 affects Oracle PeopleSoft Enterprise PeopleTools and falls into a particularly dangerous vulnerability class: missing authentication for a critical function. When authentication gates are absent on high-value functions, attackers can interact directly with privileged capabilities — no credential theft required. CISA's KEV listing confirms threat actors are already taking advantage of this.
For Federal Civilian Executive Branch (FCEB) agencies, Binding Operational Directive BOD 26-04 mandates rapid remediation of KEV-listed vulnerabilities based on risk tiering. BOD 26-04 supersedes BOD 22-01 and sharpens the requirement: agencies must have a documented, risk-prioritized patching process tied directly to the KEV Catalog — not just a periodic patch cycle.
For commercial organizations, this advisory carries equal urgency. If Oracle PeopleSoft is in scope for any of your compliance frameworks — NIS2, SOC 2, ISO 27001, HIPAA, or PCI DSS — an unpatched KEV-listed vulnerability is a material control gap that auditors, regulators, and cyber insurers will scrutinize.
Why It Matters Across Your Compliance Frameworks
Missing authentication vulnerabilities are not subtle misconfigurations. They represent a fundamental breakdown in access control — a foundational requirement across all major frameworks:
- NIS2 Article 21 requires essential and important entities to implement vulnerability handling and patch management as part of their risk management measures.
- SOC 2 CC6.1 / CC7.1 expects logical access controls and monitoring of vulnerabilities that could affect system availability and confidentiality.
- ISO 27001 Annex A 8.8 mandates timely identification and remediation of technical vulnerabilities.
- HIPAA Security Rule § 164.308(a)(5) requires protection from malicious software and regular review of audit logs — both directly relevant when authentication is bypassed.
- PCI DSS Requirement 6.3 demands that security vulnerabilities are identified and ranked, with high-risk vulnerabilities addressed within defined timeframes.
A single KEV-listed vulnerability in your Oracle PeopleSoft environment can trigger findings under several frameworks at once, compounding both regulatory exposure and breach liability.
What You Should Do in the Next 7–30 Days
Within 7 days:
- Identify every Oracle PeopleSoft Enterprise PeopleTools instance in your environment — on-premises and hosted.
- Confirm whether the affected PeopleTools version is in use and assess internet or network exposure of those systems.
- Initiate emergency change management to apply Oracle's available patch or workaround for CVE-2026-35273.
- Validate that network segmentation and authentication controls are enforced at the perimeter of PeopleSoft environments as a compensating control while patching proceeds.
Within 30 days:
- Document remediation evidence mapped to each applicable framework control (NIS2, SOC 2, ISO 27001, HIPAA, PCI DSS).
- Review your KEV tracking process to ensure BOD 26-04-aligned prioritization is embedded in your vulnerability management program.
- Run a full authenticated scan across ERP and HR platforms to surface any additional missing-authentication exposures.
- Update your risk register and notify your compliance lead of this KEV addition.
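To make the inventory step above and the later KEV-tracking review repeatable, here is an added example (not from the advisory, from CISA, or from the platform described below): a Python script that matches the KEV feed's vendor/product fields against a local asset inventory and computes the days remaining to each catalog due date. The feed record, the hostnames and the inventory layout are constructed; the dueDate is a placeholder because the advisory does not state one, so read it from the live feed.

```python
import json
from datetime import date

# Constructed stand-in for CISA's KEV JSON feed, reduced to the fields used below.
# dateAdded is from the advisory; dueDate is a PLACEHOLDER, take it from the live feed.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-35273", "vendorProject": "Oracle",
     "product": "PeopleSoft Enterprise PeopleTools",
     "dateAdded": "2026-06-12", "dueDate": "2026-07-03"},
]})

# Constructed asset inventory (hypothetical hosts) with an exposure flag per asset.
INVENTORY = [
    {"host": "hr-app-01", "vendor": "Oracle",
     "product": "PeopleSoft Enterprise PeopleTools - HR", "internet_exposed": True},
    {"host": "fin-app-02", "vendor": "Oracle",
     "product": "PeopleSoft Enterprise PeopleTools", "internet_exposed": False},
    {"host": "web-01", "vendor": "Apache", "product": "HTTP Server", "internet_exposed": True},
]

def _norm(s):
    # Case- and whitespace-insensitive comparison of vendor/product strings.
    return " ".join(s.lower().split())

def match_kev(feed_json, inventory, today_iso):
    """Return one finding per (asset, KEV entry) whose vendor and product match.
    Internet-exposed assets and the nearest catalog due dates sort first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for e in json.loads(feed_json)["vulnerabilities"]:
            if _norm(asset["vendor"]) != _norm(e["vendorProject"]):
                continue
            # Substring match tolerates CMDB product strings that carry a suffix.
            if _norm(e["product"]) not in _norm(asset["product"]):
                continue
            days_left = (date.fromisoformat(e["dueDate"]) - today).days
            findings.append({"host": asset["host"], "cve": e["cveID"],
                             "due": e["dueDate"], "days_left": days_left,
                             "overdue": days_left < 0,
                             "internet_exposed": asset["internet_exposed"]})
    findings.sort(key=lambda f: (not f["internet_exposed"], f["days_left"]))
    return findings

if __name__ == "__main__":
    for f in match_kev(KEV_FEED_JSON, INVENTORY, "2026-06-13"):
        print(f)
```

Replacing the constructed feed with the downloaded catalog and the inventory with a CMDB export turns this into the evidence trail the 30-day documentation step asks for.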
Start Your 14-Day Free Trial — Every Feature Unlocked
RDS GoSOC AI gives your team a unified control plane to track KEV alerts, map vulnerabilities to all 16 supported frameworks — including NIS2, SOC 2, ISO 27001, HIPAA, and PCI DSS — and generate audit-ready evidence automatically. Register for a 14-day free trial at platform.reremrdsgosoc.com/register: no credit card required, every paid feature fully unlocked from day one. Once inside, open the User Guide tab to orient your team, and ask Sage — the platform's built-in AI assistant — how to map CVE-2026-35273 remediation evidence to your specific active frameworks. Time-to-compliance drops dramatically when your SOC and GRC functions work from the same real-time data.