Detect Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273) in Microsoft Sentinel
CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker can access critical PeopleSoft functions without authentication, potentially leading to unauthorized data access, privilege escalation, or full system compromise. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
MITRE ATT&CK
KQL Detection Query
let PeopleSoftPorts = dynamic([8000, 8443, 443, 80]);
let SuspiciousPaths = dynamic(["/psp/", "/psc/", "/PSIGW/", "/pspc/", "/signon.html", "/PeopleSoftServices/"]);
let AuthBypassPaths = dynamic(["/PSIGW/HttpListeningConnector", "/PSIGW/PeopleSoftServiceListeningConnector", "/psp/ps/EMPLOYEE/HRMS"]);
union DeviceNetworkEvents, CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(24h)
| where (
(csUriStem has_any (AuthBypassPaths)) or
(RequestURL has_any (AuthBypassPaths))
)
| where not(isempty(csUsername) or csUsername == "-" or csUsername == "anonymous")
| extend RequestPath = coalesce(csUriStem, RequestURL, "")
| extend SourceAddress = coalesce(cIP, SourceIP, CallerIpAddress, "")
| extend StatusCode = coalesce(scStatus, EventOutcome, "")
| where StatusCode in ("200", "201", "302") or isempty(StatusCode)
| summarize
RequestCount = count(),
DistinctPaths = dcount(RequestPath),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
StatusCodes = make_set(StatusCode),
Paths = make_set(RequestPath)
by SourceAddress, bin(TimeGenerated, 5m)
| where RequestCount >= 3
| extend AlertSeverity = "Critical"
| extend Description = "Possible exploitation of CVE-2026-35273: Unauthenticated access to Oracle PeopleSoft critical functions detected"Detects unauthenticated or anomalous HTTP requests targeting Oracle PeopleSoft PeopleTools endpoints associated with CVE-2026-35273. Monitors IIS/web logs for access to PSIGW, PSP, and PSC paths without authentication, or with suspicious patterns indicating authentication bypass.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PeopleSoft service accounts accessing PSIGW integration endpoints
- Automated health check or monitoring tools probing PeopleSoft URLs
- Internal application servers making service-to-service calls to PeopleSoft APIs
- Load balancer or reverse proxy health checks against PeopleSoft paths
Other platforms for CVE-2026-35273
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated PSIGW Endpoint Probe
Expected signal: IIS/Apache access log entry: source IP, URI /PSIGW/HttpListeningConnector, no username (-), HTTP status 200 or 500
- Test 2PeopleSoft PSP Component Unauthenticated Access Attempt
Expected signal: Web server log entry showing /psp/ path access from test IP, username field empty or anonymous, HTTP 200 or 302
- Test 3Simulated PeopleSoft Service Connector Enumeration
Expected signal: Multiple IIS/Apache log entries from same source IP to different PeopleSoft paths within short time window, all unauthenticated
References (5)
- https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
- https://support.oracle.com/signin/
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-35273
Unlock Pro Content
Get the full detection package for CVE-2026-35273 including response playbook, investigation guide, and atomic red team tests.