A critical zero-day vulnerability (CVE-2026-35273, CVSS 9.8) in Oracle PeopleSoft PeopleTools allows unauthenticated remote code execution. The flaw affects PeopleSoft PeopleTools versions 8.61 and 8.62, and potentially earlier unsupported versions. Oracle has released an out-of-band security alert with patch details, which should be applied immediately.
A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools is being exploited in the wild, Charles Carmakal, CTO at cybersecurity firm Mandiant, part of Google Cloud, warned today. The warning comes a day after Oracle published an out-of-band security alert about the flaw, which is remotely exploitable without authentication, may result in remote code execution, and affects PeopleSoft PeopleTools versions 8.61 and 8.62 (and possibly earlier, unsupported ones as well). Oracle credited researchers with TrendAI Zero …
The post "Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert" appeared first on Help Net Security.