Oracle PeopleSoft Zero-Day (CVE-2026-35273) Actively Exploited, NAIC Affected
- CVE ID
- CVE-2026-35273
- CVSS Score
- N/A
- Affected Products
- Oracle PeopleSoft, National Association of Insurance Commissioners (NAIC), approximately 100 organizations
Overview
A critical zero-day vulnerability, identified as CVE-2026-35273, has been discovered and is under active exploitation in Oracle PeopleSoft. This widespread exploitation campaign has reportedly affected around 100 organizations globally. Among the confirmed victims is the National Association of Insurance Commissioners (NAIC), which disclosed that its systems were impacted as part of this broader PeopleSoft zero-day wave. While the NAIC stated that the exposed data was limited to public statutory financial reporting data, credit rating agency determinations, and outdated logs and configuration data, and that no personally identifiable information (PII), policyholder information, or confidential insurer submissions were accessed, the active exploitation of a zero-day in a widely used enterprise resource planning (ERP) system presents a severe threat.
Technical Details
The vulnerability CVE-2026-35273 is a zero-day flaw impacting Oracle PeopleSoft, a comprehensive suite of enterprise applications. While specific technical details of the vulnerability itself have not been publicly disclosed, the nature of its exploitation suggests a highly impactful flaw, likely allowing for remote code execution, unauthorized access, or information disclosure. Zero-day exploits are particularly dangerous because vendors have not yet released patches, leaving organizations vulnerable until a fix is developed and deployed.
Attackers exploiting such a flaw would typically:
- Reconnaissance: Identify internet-facing Oracle PeopleSoft instances.
- Exploitation: Leverage CVE-2026-35273 to gain unauthorized access to the PeopleSoft application or underlying infrastructure. This could involve bypassing authentication, injecting malicious commands, or exploiting memory corruption issues.
- Post-Exploitation: Once initial access is gained, attackers would likely attempt to escalate privileges, move laterally within the network, and exfiltrate sensitive data or deploy further malware.
In the case of NAIC, the attackers managed to access public statutory financial reporting data, credit rating agency determinations, and outdated logs and configuration data. The specific details of how this data was accessed or if it was exfiltrated are still emerging, but the fact that the vulnerability allowed access to any data highlights its severity. The broad campaign affecting approximately 100 organizations suggests a concerted effort by a sophisticated threat actor or group.
Real-World Impact
The active exploitation of a critical zero-day in Oracle PeopleSoft has significant real-world consequences for affected organizations:
- Data Exposure: Even if PII is not directly exposed, as in the NAIC case, the compromise of financial reporting data, credit ratings, and configuration files can still be damaging. Such information could be used for corporate espionage, to identify further vulnerabilities, or to orchestrate more targeted attacks.
- Operational Disruption: Exploitation of ERP systems can lead to severe operational disruptions, as these systems are central to an organization’s business processes, including finance, human resources, and supply chain management.
- Reputational Damage: Being a victim of a zero-day exploit, especially in a widely used enterprise system, can lead to a loss of trust among customers, partners, and stakeholders.
- Regulatory Scrutiny: Organizations, particularly those in regulated industries like insurance (NAIC), may face intense scrutiny from regulatory bodies and potentially significant fines if the breach is deemed to have violated data protection laws.
- Patching Challenges: For IT and security teams, responding to a zero-day involves a race against time to implement temporary mitigations until an official patch is released and deployed, often under immense pressure.
Threat Landscape
Oracle PeopleSoft is a widely deployed enterprise application suite, making it an attractive target for threat actors. The discovery and active exploitation of a zero-day vulnerability in such a critical system indicate a sophisticated threat landscape where attackers are continually probing for high-value targets and investing in discovering previously unknown flaws. The fact that approximately 100 organizations have been impacted highlights the scale of the threat and suggests either a broad, opportunistic scanning campaign or highly targeted attacks against specific industries.
Zero-day exploits are often reserved for advanced persistent threat (APT) groups or well-resourced cybercriminal organizations due to the significant investment required to discover and weaponize such vulnerabilities. The ongoing campaign underscores the importance of a defense-in-depth strategy, as even fully patched systems can be vulnerable to zero-day attacks. Organizations must assume that their critical enterprise systems are always potential targets.
Remediation
Given the active exploitation of CVE-2026-35273 in Oracle PeopleSoft, immediate and proactive measures are imperative:
- Monitor Vendor Advisories: Closely monitor Oracle’s official security advisories and patching schedules for PeopleSoft. Implement patches as soon as they become available.
- Threat Hunting: Conduct thorough threat hunting across PeopleSoft environments and connected systems for indicators of compromise (IoCs) related to CVE-2026-35273 exploitation. This includes examining logs for unusual access patterns, unauthorized data transfers, or suspicious process activity.
- Network Segmentation: Ensure that PeopleSoft instances are adequately segmented from other critical internal networks to limit lateral movement in case of a breach.
- Access Control Hardening: Review and strengthen access controls, implement multi-factor authentication for all administrative and user accounts, and adhere to the principle of least privilege.
- Perimeter Security: Enhance perimeter defenses, including firewalls and intrusion prevention systems (IPS), with rules designed to detect and block known attack patterns related to PeopleSoft exploitation.
- Web Application Firewall (WAF): Deploy and properly configure a WAF in front of PeopleSoft applications to filter malicious traffic and potentially block exploitation attempts even before a patch is available.
- Data Backup and Recovery: Maintain robust and isolated backups of PeopleSoft data and configurations to ensure rapid recovery in the event of data corruption or loss.
- Regular Audits: Perform regular security audits of PeopleSoft configurations and user activity to detect misconfigurations or unauthorized changes.
Organizations using Oracle PeopleSoft must treat this vulnerability with the highest urgency and implement all possible mitigations to protect their systems and data.
Related content
CISA Adds Two New Actively Exploited Vulnerabilities to KEV Catalog
AdvisoryShinyHunters Leverages Oracle PeopleSoft Flaw, Breaches 100+ Orgs
AdvisoryArgentine Football Association Suffers Database Breach Triggered by Infostealer Malware
AdvisoryAdvisory: Critical KNX Protocol Lockout Vulnerability (CVE-2023-4346)
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call