CVE-2026-35273 CrowdStrike LogScale · LogScale

Detect Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273) in CrowdStrike LogScale

CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker can access critical PeopleSoft functions without authentication, potentially leading to unauthorized data access, privilege escalation, or full system compromise. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| TargetFileName=/(?i)(psigw|psp|psc|PeopleSoftServices)/
  OR HttpUri=/(?i)\/PSIGW\/(HttpListeningConnector|PeopleSoftServiceListeningConnector)/
| eval auth_missing = if(isnull(UserName) OR UserName IN ("-", "anonymous", ""), 1, 0)
| where auth_missing = 1
| where HttpStatusCode IN ("200", "201", "302")
| stats
    count() as request_count,
    dc(HttpUri) as distinct_uris,
    values(HttpUri) as uris_accessed,
    min(timestamp) as first_seen,
    max(timestamp as last_seen
  by RemoteAddressIP4, ComputerName
| where request_count >= 2
| eval alert = "CVE-2026-35273: PeopleSoft unauthenticated critical function access"
critical severity medium confidence

CrowdStrike Falcon LogScale CQL query to detect network connections and HTTP requests to Oracle PeopleSoft PSIGW endpoints without authentication, identifying potential CVE-2026-35273 exploitation on monitored endpoints.

Data Sources

CrowdStrike FalconFalcon LogScaleFalcon Network Containment

Required Tables

NetworkConnectIP4HttpRequest

False Positives & Tuning

  • Falcon-protected servers running PeopleSoft with configured anonymous service endpoints
  • Internal automation accessing PeopleSoft APIs with system context not logged
  • Integration broker middleware relaying requests without preserving original user identity
  • Vulnerability scanners in authorized scan windows touching PeopleSoft paths

Other platforms for CVE-2026-35273

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated PSIGW Endpoint Probe

    Expected signal: IIS/Apache access log entry: source IP, URI /PSIGW/HttpListeningConnector, no username (-), HTTP status 200 or 500

  2. Test 2PeopleSoft PSP Component Unauthenticated Access Attempt

    Expected signal: Web server log entry showing /psp/ path access from test IP, username field empty or anonymous, HTTP 200 or 302

  3. Test 3Simulated PeopleSoft Service Connector Enumeration

    Expected signal: Multiple IIS/Apache log entries from same source IP to different PeopleSoft paths within short time window, all unauthenticated

Last updated: 2026-06-19 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2026-35273 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections