Detect Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273) in Splunk
CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker can access critical PeopleSoft functions without authentication, potentially leading to unauthorized data access, privilege escalation, or full system compromise. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
MITRE ATT&CK
SPL Detection Query
index=web OR index=iis OR index=proxy sourcetype IN (iis, ms:iis:auto, access_combined, nginx:plus:kv)
| where match(uri_path, "(?i)/PSIGW/|/psp/|/psc/|/pspc/|/PeopleSoftServices/")
| eval is_bypass_path=if(match(uri_path, "(?i)/PSIGW/HttpListeningConnector|/PSIGW/PeopleSoftServiceListeningConnector"), 1, 0)
| eval auth_present=if(isnotnull(username) AND username!="-" AND username!="anonymous", 1, 0)
| eval suspicious=if(is_bypass_path=1 AND (auth_present=0 OR status IN ("200","302")), 1, 0)
| where suspicious=1
| stats
count as request_count,
dc(uri_path) as distinct_paths,
values(uri_path) as paths,
values(status) as status_codes,
min(_time) as first_seen,
max(_time) as last_seen
by src_ip, host
| where request_count >= 2
| eval severity="critical"
| eval cve="CVE-2026-35273"
| eval description="Unauthenticated access to Oracle PeopleSoft critical function endpoint - possible CVE-2026-35273 exploitation"
| table _time, src_ip, host, request_count, distinct_paths, paths, status_codes, severity, cve, descriptionDetects HTTP requests to Oracle PeopleSoft PSIGW and related endpoints that indicate authentication bypass consistent with CVE-2026-35273 exploitation. Aggregates by source IP and host to identify scanning or exploitation attempts.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate PeopleSoft integration service accounts accessing connector endpoints
- Authorized API consumers using PSIGW for ERP integrations
- Monitoring and synthetic transaction tools simulating PeopleSoft user flows
- Internal network scanners performing asset discovery against known PeopleSoft ports
Other platforms for CVE-2026-35273
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated PSIGW Endpoint Probe
Expected signal: IIS/Apache access log entry: source IP, URI /PSIGW/HttpListeningConnector, no username (-), HTTP status 200 or 500
- Test 2PeopleSoft PSP Component Unauthenticated Access Attempt
Expected signal: Web server log entry showing /psp/ path access from test IP, username field empty or anonymous, HTTP 200 or 302
- Test 3Simulated PeopleSoft Service Connector Enumeration
Expected signal: Multiple IIS/Apache log entries from same source IP to different PeopleSoft paths within short time window, all unauthenticated
References (5)
- https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
- https://support.oracle.com/signin/
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-35273
Unlock Pro Content
Get the full detection package for CVE-2026-35273 including response playbook, investigation guide, and atomic red team tests.