CVE-2026-35273 Elastic Security · Elastic

Detect Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273) in Elastic Security

CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker can access critical PeopleSoft functions without authentication, potentially leading to unauthorized data access, privilege escalation, or full system compromise. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   url.path : ("/PSIGW/*", "/psp/*", "/psc/*", "/PeopleSoftServices/*") and
   (user.name == null or user.name == "-" or user.name == "anonymous") and
   http.response.status_code in (200, 201, 302)]
  [network where event.category == "network" and
   url.path : ("/PSIGW/*", "/psp/*", "/psc/*") and
   http.response.status_code in (200, 201, 302)]
critical severity medium confidence

EQL sequence query detecting repeated unauthenticated successful HTTP responses to Oracle PeopleSoft critical function endpoints, suggesting authentication bypass exploitation of CVE-2026-35273.

Data Sources

Elastic SIEMFilebeat IIS ModuleElastic Network Packet Capture

Required Tables

logs-*filebeat-*packetbeat-*

False Positives & Tuning

  • PeopleSoft service mesh internal health check probes
  • Authorized unauthenticated feed endpoints explicitly configured in PeopleTools
  • Penetration testing activities against PeopleSoft environments
  • Load balancer passive health checks to PeopleSoft web tier

Other platforms for CVE-2026-35273

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated PSIGW Endpoint Probe

    Expected signal: IIS/Apache access log entry: source IP, URI /PSIGW/HttpListeningConnector, no username (-), HTTP status 200 or 500

  2. Test 2PeopleSoft PSP Component Unauthenticated Access Attempt

    Expected signal: Web server log entry showing /psp/ path access from test IP, username field empty or anonymous, HTTP 200 or 302

  3. Test 3Simulated PeopleSoft Service Connector Enumeration

    Expected signal: Multiple IIS/Apache log entries from same source IP to different PeopleSoft paths within short time window, all unauthenticated

Last updated: 2026-06-19 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2026-35273 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections