CVE-2026-35273 Sumo Logic CSE · Sumo

Detect Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273) in Sumo Logic CSE

CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker can access critical PeopleSoft functions without authentication, potentially leading to unauthorized data access, privilege escalation, or full system compromise. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=web/iis OR _sourceCategory=web/apache OR _sourceCategory=proxy/bluecoat
| where %"cs-uri-stem" matches "/PSIGW/*" or %"cs-uri-stem" matches "/psp/*" or %"cs-uri-stem" matches "/psc/*" or %"cs-uri-stem" matches "/PeopleSoftServices/*"
| where isNull(%"cs-username") or %"cs-username" = "-" or %"cs-username" = "anonymous"
| where %"sc-status" in ("200", "201", "302")
| timeslice 5m
| stats
    count as request_count,
    dcount(%"cs-uri-stem") as unique_paths,
    values(%"cs-uri-stem") as accessed_paths,
    values(%"sc-status") as status_codes
  by %"c-ip", _timeslice
| where request_count >= 2
| fields %"c-ip", request_count, unique_paths, accessed_paths, status_codes, _timeslice
| sort by request_count desc
critical severity medium confidence

Sumo Logic query to detect unauthenticated HTTP access to Oracle PeopleSoft critical endpoints, correlating source IPs with access patterns consistent with CVE-2026-35273 exploitation.

Data Sources

Sumo LogicIIS Log CollectionApache Log CollectionProxy Log Collection

Required Tables

web/iisweb/apacheproxy/bluecoat

False Positives & Tuning

  • Service integrations using PSIGW with anonymous service contracts
  • Scheduled report generation accessing PeopleSoft without interactive sessions
  • Third-party vendor tools with legitimate anonymous access grants
  • Internal network monitoring performing synthetic transaction checks

Other platforms for CVE-2026-35273

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated PSIGW Endpoint Probe

    Expected signal: IIS/Apache access log entry: source IP, URI /PSIGW/HttpListeningConnector, no username (-), HTTP status 200 or 500

  2. Test 2PeopleSoft PSP Component Unauthenticated Access Attempt

    Expected signal: Web server log entry showing /psp/ path access from test IP, username field empty or anonymous, HTTP 200 or 302

  3. Test 3Simulated PeopleSoft Service Connector Enumeration

    Expected signal: Multiple IIS/Apache log entries from same source IP to different PeopleSoft paths within short time window, all unauthenticated

Last updated: 2026-06-19 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2026-35273 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections