CVE-2026-35273 IBM QRadar · QRadar

Detect Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273) in IBM QRadar

CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker can access critical PeopleSoft functions without authentication, potentially leading to unauthorized data access, privilege escalation, or full system compromise. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip,
  destinationip,
  destinationport,
  URL,
  username,
  "HTTP Response Code" as response_code,
  COUNT(*) as event_count,
  MIN(starttime) as first_seen,
  MAX(starttime) as last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft IIS', 'Apache HTTP Server', 'F5 BIG-IP LTM', 'Nginx')
  AND (
    URL ILIKE '%/PSIGW/%'
    OR URL ILIKE '%/psp/%'
    OR URL ILIKE '%/psc/%'
    OR URL ILIKE '%/PeopleSoftServices/%'
  )
  AND (
    username IS NULL
    OR username = '-'
    OR username = 'anonymous'
  )
  AND "HTTP Response Code" IN ('200', '201', '302')
  AND DATEFORMAT(starttime, 'yyyy-MM-dd') >= DATEADD('day', -1, NOW())
GROUP BY sourceip, destinationip, destinationport, URL, username, response_code
HAVING COUNT(*) >= 2
ORDER BY event_count DESC
critical severity medium confidence

QRadar AQL query to identify unauthenticated successful HTTP requests to Oracle PeopleSoft PSIGW and critical function paths, indicative of CVE-2026-35273 exploitation attempts.

Data Sources

QRadar SIEMIIS Log SourceApache Log SourceF5 Log Source

Required Tables

events

False Positives & Tuning

  • Configured anonymous access endpoints within PeopleSoft for specific integrations
  • Internal monitoring agents performing periodic availability checks
  • ERP integration middleware using service accounts mapped differently in logs
  • Automated backup or sync processes accessing PeopleSoft data endpoints

Other platforms for CVE-2026-35273

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated PSIGW Endpoint Probe

    Expected signal: IIS/Apache access log entry: source IP, URI /PSIGW/HttpListeningConnector, no username (-), HTTP status 200 or 500

  2. Test 2PeopleSoft PSP Component Unauthenticated Access Attempt

    Expected signal: Web server log entry showing /psp/ path access from test IP, username field empty or anonymous, HTTP 200 or 302

  3. Test 3Simulated PeopleSoft Service Connector Enumeration

    Expected signal: Multiple IIS/Apache log entries from same source IP to different PeopleSoft paths within short time window, all unauthenticated

Last updated: 2026-06-19 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2026-35273 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections