CVE-2026-35273 Google Chronicle · YARA-L

Detect Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273) in Google Chronicle

CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker can access critical PeopleSoft functions without authentication, potentially leading to unauthorized data access, privilege escalation, or full system compromise. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule cve_2026_35273_peoplesoft_auth_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects unauthenticated access to Oracle PeopleSoft critical functions - CVE-2026-35273"
    severity = "CRITICAL"
    priority = "HIGH"
    cve = "CVE-2026-35273"
    reference = "https://www.oracle.com/security-alerts/alert-cve-2026-35273.html"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.request_url = /\/PSIGW\/|PSIGWHttpListeningConnector|PeopleSoftServiceListeningConnector/
    not $e.network.http.user_agent = ""
    $e.network.http.response_code = 200 or
    $e.network.http.response_code = 302
    not $e.principal.user.userid = /^[a-zA-Z0-9._%+-]+$/

  condition:
    $e
}
critical severity medium confidence

Chronicle YARA-L rule to detect HTTP requests targeting Oracle PeopleSoft PSIGW and integration connector endpoints without valid authentication, consistent with CVE-2026-35273 exploitation.

Data Sources

Google Chronicle SIEMChronicle Network TelemetryChronicle HTTP Logs

Required Tables

network_http

False Positives & Tuning

  • Legitimate PeopleSoft web service consumers not passing user context in logs
  • Internal service-to-service calls where user context is stripped by middleware
  • Monitoring platforms with Chronicle integration performing health checks
  • Automated ETL jobs reading from PeopleSoft without user-attributed sessions

Other platforms for CVE-2026-35273

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated PSIGW Endpoint Probe

    Expected signal: IIS/Apache access log entry: source IP, URI /PSIGW/HttpListeningConnector, no username (-), HTTP status 200 or 500

  2. Test 2PeopleSoft PSP Component Unauthenticated Access Attempt

    Expected signal: Web server log entry showing /psp/ path access from test IP, username field empty or anonymous, HTTP 200 or 302

  3. Test 3Simulated PeopleSoft Service Connector Enumeration

    Expected signal: Multiple IIS/Apache log entries from same source IP to different PeopleSoft paths within short time window, all unauthenticated

Last updated: 2026-06-19 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2026-35273 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections