← Back to Attack Research

No login required on the enterprise front door: unauthenticated RCE in Oracle PeopleSoft PeopleTools

CVE-2026-35273 turns an internet-reachable management endpoint on Oracle PeopleSoft PeopleTools into code execution with no credentials required. It is rated CVSS 9.8, it is in the CISA known-exploited catalog, and the fix is a version and an exposure decision. Here is the mechanism at defender altitude, how to spot it on your perimeter, and what closes it.

An enterprise resource planning platform is supposed to be the system everything else authenticates against. CVE-2026-35273 lets an attacker skip that step entirely. The flaw sits in Oracle PeopleSoft Enterprise PeopleTools, the framework layer under the HCM, Financials, and Campus deployments that run payroll, benefits, and student records for a large share of governments, universities, and enterprises. The class is CWE-306, Missing Authentication for Critical Function: a critical operation that answers a network request without ever asking who is calling. Rated CVSS 9.8, added to the CISA Known Exploited Vulnerabilities catalog on 12 June 2026, it is one of the clearest examples this year of an unauthenticated front door on a system nobody thinks of as a front door.

This piece stays at defender altitude. We do not publish a gadget chain or a working exploit. The goal is to explain, precisely, why this bug is as severe as its score says, how to determine whether your own PeopleSoft estate is exposed, and what closes the gap. Where a public catalog assigns a CVE to a specific build, that is a software vulnerability in the vendor's code, and patching is the fix. What we add is the exposure determination for your perimeter. Verifiable security.

The vulnerability in one paragraph

According to the National Vulnerability Database, CVE-2026-35273 is an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle PeopleSoft Enterprise PeopleTools. Read that sentence slowly, because every clause is load-bearing. Unauthenticated means no valid session, no stolen credential, no phishing step. Network access via HTTP means the only prerequisite is the ability to send a web request to the server, the same channel legitimate users already use. Compromise here reaches full code execution, which is why the CVSS 3.1 base score lands at 9.8 Critical. The affected versions named by the advisory are PeopleTools 8.61 and 8.62. The weakness class, Missing Authentication for Critical Function, is the root cause the NVD record and its CWE mapping describe: a function that should have required authentication did not.

The catalog listing matters as much as the score. A CVSS number describes how bad a bug could be. Presence in the CISA known-exploited catalog, where this CVE was added on 12 June 2026, records that the bug is being used against real targets right now. A public-facing PeopleTools 8.61 or 8.62 instance is therefore not a theoretical risk. It is an active one.

How it works, at defender altitude

PeopleTools ships an Environment Management framework, a component that helps administrators discover, track, and coordinate the configuration of the many servers that make up a PeopleSoft deployment. Its hub speaks HTTP so that agents across the environment can report in. That is a normal, useful design, and it is also exactly the kind of internal-management surface that should never have been reachable by a stranger without authentication.

Per Picus Security's analysis, the exploitable mechanism is unsafe Java deserialization reachable at the Environment Management hub endpoint, /PSEMHUB/hub. The path handles a request without requiring authentication and then deserializes attacker-controlled data. Deserialization is the step where a server takes a byte stream and reconstructs it into live in-memory objects. When the bytes come from a trusted source, that is routine. When the bytes come from an anonymous internet caller and the code reconstructs whatever object graph they describe, a crafted stream stops being data and becomes behavior: the reconstruction itself drives execution on the application server. We attribute the /PSEMHUB/hub deserialization detail specifically to Picus Security's analysis; the NVD record itself states the missing-authentication class and the unauthenticated-over-HTTP compromise, not the endpoint.

Structurally, this is the same story enterprise defenders have watched play out on other pre-auth deserialization bugs across collaboration servers, identity products, and security appliances. Two failures stack on one endpoint. First, a critical function skips authentication, so an anonymous caller reaches code that should have been gated (CWE-306). Second, that reachable code reconstructs untrusted objects, so the caller's input becomes the server's actions. Either weakness alone is serious. Together, on an internet-facing management surface, they produce unauthenticated remote code execution on the host that runs the organization's core records.

ANONYMOUS HTTP REQUEST TO A MANAGEMENT HUB attacker --HTTP--> [ /PSEMHUB/hub ] (no auth check: CWE-306) | v [ Java deserializer ] | attacker-controlled byte stream reconstructed | v code execution on the application server designed purpose: internal environment-management coordination actual exposure: reachable pre-auth from the public internet result: unauthenticated remote code execution

Mechanism per Picus Security's analysis; the endpoint detail is theirs, the missing-authentication and unauthenticated-HTTP compromise are the NVD-anchored facts. Illustrative, not from any specific host.

How to recognize your exposure

You can assess this risk without sending a single malicious payload, because the exposure is decided by facts you can read rather than exploit.

  1. Do you run PeopleSoft, and on which PeopleTools build? PeopleTools is the framework under the PeopleSoft applications, and its version is distinct from the application module version teams usually quote. Fingerprint the actual PeopleTools build. Versions 8.61 and 8.62 are the ones named in the advisory.
  2. Is any PeopleSoft surface internet-facing, and does it expose the Environment Management hub? Inventory every externally reachable PeopleSoft portal, and specifically determine whether the /PSEMHUB/hub path or any Environment Management endpoint answers from outside your network. A public portal is expected; a public management hub is the exposure.
  3. Does the version appear in the known-exploited catalog? Cross-reference the fingerprinted build against the CISA catalog entry for CVE-2026-35273. A public-facing, catalog-listed instance is being exploited in the wild by definition, which changes the remediation from a scheduled ticket into an active incident.

A public portal is expected. A public management hub is the exposure. The version is the highest-signal fact you can read without ever sending a payload.

Why the severity is real, and where to be precise

Be exact, because precision is the brand. An unauthenticated deserialization bug on an ERP framework is close to the worst case in vulnerability terms: no credentials, code execution, and the compromised host holds payroll, benefits, financial, and identity data that the rest of the environment trusts. The post-exploitation does not need to be clever, because the position is already central. Where to be careful is scope. Not every PeopleSoft deployment exposes the Environment Management hub to the internet, not every instance runs 8.61 or 8.62, and a patched or internal-only hub carries a small fraction of the risk. The work is to determine, for your estate, which surfaces are reachable and on which build, rather than assuming every deployment is vulnerable. We do not invent vulnerabilities, and we are skeptical of anyone who claims one without proof. We find where a known one lands on your perimeter.

What to do about it

Find and close unauthenticated RCE on PeopleSoft PeopleTools

How Celvex catches this

Find. Prove. Fix. Verify.

Find

A read-only sweep fingerprints your PeopleTools version, flags any 8.61 or 8.62, and inventories internet-exposed PeopleSoft portal and Environment Management hub surfaces, all without sending a malicious payload.

Prove

In an authorized test we confirm the endpoint is reachable and attempts deserialization without credentials using a benign type-probe, no data exfiltration. That becomes an Ed25519-signed Proof Capsule pairing the exposed host, the version evidence, and the KEV entry.

Fix

The capsule names the steps: apply Oracle's Critical Patch Update for CVE-2026-35273, remove the management and integration endpoints from public exposure, and put PeopleSoft behind authenticated access.

Verify

We re-fingerprint the patched build, confirm the endpoint rejects the unauthenticated request, confirm no management surface is internet-reachable, and review logs for pre-patch exploitation. The finding closes with the verified-fix event recorded.

The reason a bug like this reaches production is not that authentication is a hard idea. It is that a management framework gets filed under trusted infrastructure, so the boundary question that any public web app would face is quietly skipped for the internal coordination hub. The discipline is to ask it everywhere a stranger's input can reach an interpreter: which of my enterprise surfaces answer pre-auth, on what build, and what do they do with the bytes they receive. Answer that for PeopleSoft, and CVE-2026-35273 stops being a surprise.

Verifiable security. Find it. Prove it. Fix it. Verify the fix held. That is what we ship.

Sources

Is your PeopleSoft management hub answering to strangers?

Free Exposure Check, no signup required. We fingerprint your PeopleTools build against the known-exploited catalog, inventory any internet-exposed Environment Management surface, and ship a signed Proof Capsule for the highest-confidence finding.

Run a Free Scan →