Oracle Emergency Security Update to Fix Critical RCE Vulnerability
Oracle has released an emergency Security Alert, addressing a critical remote code execution vulnerability (CVE-2026-35273) within PeopleSoft Enterprise PeopleTools.
The vulnerability carries a CVSS v3.1 score of 9.8, highlighting its severity and the urgent need for remediation across enterprise environments.
The flaw resides in the Updates Environment Management component of PeopleSoft PeopleTools and can be exploited remotely over HTTP.
It does not require authentication or user interaction, making it particularly dangerous for internet-facing systems.
Oracle confirmed that successful exploitation could allow attackers to execute arbitrary code, potentially leading to full system compromise.
Security researchers Bobby Gould, Lucas Miller, and Minh Giang of the TrendAI Zero Day Initiative were credited with discovering and reporting the vulnerability.
The attack complexity is rated low, which increases the likelihood of active exploitation attempts in the wild. The vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.
Oracle also warned that earlier or unsupported versions may be affected, even though they have not been formally tested.
Since patches are only released for versions under Premier or Extended Support, organizations running older releases will receive no fix for this issue unless they upgrade to a supported version.
From a technical standpoint, the flaw is reachable over the network and requires no privileges, no user interaction, and only low attack complexity.
It has high impact on confidentiality, integrity, and availability, meaning an attacker could read sensitive data, alter system configuration, or take services down entirely. These metrics correspond to the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which scores exactly 9.8 (the same metrics with a changed scope would score 10.0).
In a real-world scenario, a publicly exposed PeopleSoft instance could be compromised to deploy malicious payloads or facilitate lateral movement within a corporate network.
Oracle has released patches and mitigation guidance as part of the Security Alert and strongly recommends immediate action.
Organizations should prioritize applying the available updates. Where patching must be scheduled, restricting network access to PeopleSoft web tiers so the affected component is not reachable from the Internet is a meaningful interim mitigation, since exploitation needs no credentials and exposure is therefore the dominant risk factor; it is not a substitute for the patch. Systems should also be monitored for suspicious activity.
Maintaining systems on supported versions is also critical to ensure continued access to security updates.
This issue underscores the ongoing threat posed by unauthenticated RCE vulnerabilities in widely deployed enterprise software.
Given PeopleSoft’s role in managing critical business operations such as HR and finance, exploitation of this flaw could have significant operational and data security consequences.
Organizations are advised to treat CVE-2026-35273 as a high-priority risk and take swift steps to secure their infrastructure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.