On June 12, 2026, the Cybersecurity and Infrastructure Security Agency added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog — the authoritative federal list of flaws that are not merely theoretical but are being used against real targets right now. The entry carries two details that should pull it to the top of any patch queue: a base score of 9.8 out of 10, and a "known ransomware campaign use" flag set to Known.

The vulnerability lives in Oracle PeopleSoft Enterprise PeopleTools, the runtime and development layer underneath PeopleSoft's HR, payroll, finance, and campus-management applications. It is classified as CWE-306, "Missing Authentication for Critical Function" — which is exactly as bad as it sounds. A function that should have demanded credentials does not, and so an unauthenticated attacker, with no account and no prior foothold, can reach a privileged capability directly. CISA's own description is blunt: the flaw "could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools."

Why a 9.8, and why now

The 9.8 CVSS v3.1 base score reflects the worst combination of inputs the metric tracks: the attack is reachable over the network, it is low-complexity, it requires no privileges and no user interaction, and a successful exploit compromises confidentiality, integrity, and availability in full. Bugs that clear all of those bars are the ones that get weaponized fastest, because they collapse the entire intrusion chain — reconnaissance to remote control — into a single request against an exposed endpoint.

PeopleSoft is a particularly attractive target for that kind of bug. It is enterprise system-of-record software: the instances that are exposed to the internet tend to belong to large universities, state and local governments, and Fortune 500 HR and finance organizations, and they sit on top of exactly the personal and financial data that extortion crews monetize. A pre-authentication takeover of the PeopleTools layer is not a foothold on the edge of the network; it is access to the application that holds the payroll.

What the KEV listing actually obligates

The Known Exploited Vulnerabilities catalog is more than a watch list. Under Binding Operational Directive 26-04, federal civilian agencies are required to remediate cataloged vulnerabilities by the due date CISA assigns. For CVE-2026-35273 that date is June 15, 2026 — only three days after the listing, an unusually short window that signals CISA's read of the urgency. CISA's required action directs operators to apply vendor mitigations, evaluate each asset's internet exposure, and, where fixes are not available, to stop using the product rather than leave it reachable.

The directive is binding only on federal agencies, but the KEV catalog has become the de facto prioritization signal for the private sector as well. A vulnerability moving onto the list is the clearest public confirmation that exploitation is happening in the wild, and the "known ransomware" tag on this entry removes any remaining ambiguity about intent.

What operators should do

The remediation path runs through Oracle's security alert for the CVE, which points to the fixed PeopleTools releases and the patching workflow through Oracle support. Three actions matter in order. First, inventory: identify every PeopleSoft instance, including the forgotten test and staging environments that are disproportionately likely to be internet-facing and unpatched. Second, patch to a fixed PeopleTools release, or, if that cannot happen immediately, remove public exposure by placing the application behind a VPN or access gateway. Third, because the bug requires no authentication and leaves little friction for an attacker, treat any exposed-and-unpatched instance as potentially already compromised and fold it into incident-response triage rather than a routine maintenance window.
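The obligation described under the KEV listing (a due date and a required action) and the three-step inventory, patch, triage procedure above combine naturally into a small prioritization pass over an asset inventory. The script below is an added example, not tooling from CISA, Oracle or the article: it reads a KEV record, matches it against inventory rows, and assigns each instance to the bucket the article prescribes (exposed-and-unpatched goes to incident-response triage, internal-and-unpatched gets a patch deadline, patched instances get a verification step). The KEV record is constructed from the values quoted in the article using the field names of CISA's public KEV JSON feed; the host names, environments, exposure flags and the as-of date are constructed for illustration, and the `requiredAction` text is paraphrased from the article rather than copied from the catalog.

```python
"""KEV-driven triage of a PeopleSoft estate (added example, not the article's code)."""
import json
from datetime import date

# Constructed KEV entry; field names follow the CISA KEV JSON feed, values are
# the ones the article quotes, requiredAction is paraphrased from the article.
KEV_FEED = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2026-35273",
    "vendorProject": "Oracle",
    "product": "PeopleSoft Enterprise PeopleTools",
    "dateAdded": "2026-06-12",
    "dueDate": "2026-06-15",
    "knownRansomwareCampaignUse": "Known",
    "requiredAction": "Apply vendor mitigations, evaluate internet exposure, "
                      "or discontinue use of the product if fixes are unavailable.",
}]})

# Constructed inventory: note the forgotten staging box that is internet-facing.
INVENTORY = [
    {"host": "hr-prod-01", "env": "prod", "product": "PeopleSoft Enterprise PeopleTools",
     "internet_exposed": False, "patched": True},
    {"host": "hr-prod-02", "env": "prod", "product": "PeopleSoft Enterprise PeopleTools",
     "internet_exposed": True, "patched": False},
    {"host": "hr-stage-01", "env": "staging", "product": "PeopleSoft Enterprise PeopleTools",
     "internet_exposed": True, "patched": False},
    {"host": "fin-test-01", "env": "test", "product": "PeopleSoft Enterprise PeopleTools",
     "internet_exposed": False, "patched": False},
    {"host": "erp-other-01", "env": "prod", "product": "Other ERP (constructed)",
     "internet_exposed": True, "patched": False},
]

# Rank 0 is the article's "treat as potentially already compromised" bucket.
ACTIONS = {
    0: "incident-response triage: exposed and unpatched, treat as potentially compromised",
    1: "patch to a fixed PeopleTools release before the due date (not internet-facing)",
    2: "verify the fixed release is actually installed, then close",
}


def load_kev_entry(feed_text: str, cve_id: str):
    """Return the KEV record for cve_id, or None if it is not in the catalog."""
    for entry in json.loads(feed_text).get("vulnerabilities", []):
        if entry.get("cveID") == cve_id:
            return entry
    return None


def days_until_due(entry: dict, as_of: date) -> int:
    """Days left before the CISA due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - as_of).days


def rank_asset(asset: dict) -> int:
    """0 = exposed and unpatched, 1 = internal and unpatched, 2 = patched."""
    if asset["patched"]:
        return 2
    return 0 if asset["internet_exposed"] else 1


def triage(feed_text: str, cve_id: str, inventory: list, as_of: date) -> list:
    """Match the KEV entry against inventory and return rows sorted by urgency."""
    entry = load_kev_entry(feed_text, cve_id)
    if entry is None:
        return []
    remaining = days_until_due(entry, as_of)
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    rows = []
    for asset in inventory:
        if asset["product"] != entry["product"]:
            continue  # a different product; this CVE does not apply
        rank = rank_asset(asset)
        rows.append({
            "host": asset["host"], "env": asset["env"], "rank": rank,
            "action": ACTIONS[rank], "days_until_due": remaining,
            "overdue": remaining < 0, "ransomware_campaign": ransomware,
        })
    rows.sort(key=lambda r: (r["rank"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(KEV_FEED, "CVE-2026-35273", INVENTORY, date(2026, 6, 13)):
        flag = " [OVERDUE]" if row["overdue"] else ""
        tag = " [ransomware]" if row["ransomware_campaign"] else ""
        print(f"{row['host']:<12} {row['env']:<8} due in {row['days_until_due']}d"
              f"{flag}{tag}: {row['action']}")
```

Matching on the KEV `product` string is deliberately strict here; a real inventory would key on a normalized product identifier and installed version, but the point is the bucketing: the internet-facing staging host lands in the same incident-response queue as production, which is the article's argument about forgotten environments.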

Missing-authentication flaws are unforgiving precisely because there is no credential to steal, no phishing email to send, and no privilege to escalate — the gate was simply left open. When CISA pairs that class of bug with a same-week deadline and a ransomware tag, the catalog is doing its job: turning a line item in a vendor advisory into an operational alarm. The only question left for defenders is whether their exposed PeopleSoft instances are patched before the crews that are already using this get to them.