A critical zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) has been actively exploited in the wild, resulting in a confirmed data breach at Nissan. The unauthenticated remote code execution flaw affects PeopleSoft versions 9.2 and earlier, allowing attackers to bypass authentication and execute arbitrary code on vulnerable systems. Organizations running PeopleSoft should implement emergency mitigations immediately while awaiting Oracle’s official patch.
Introduction
Nissan has publicly confirmed a significant data breach stemming from the exploitation of a previously unknown zero-day vulnerability in Oracle’s PeopleSoft enterprise resource planning (ERP) software. Designated as CVE-2026-35273, this critical flaw has enabled threat actors to gain unauthorized access to sensitive corporate systems, exposing employee and business data. The vulnerability represents a severe threat to the thousands of organizations worldwide that rely on PeopleSoft for human resources, financial management, and supply chain operations.
The disclosure comes amid growing concerns about supply chain security and the persistent targeting of widely-deployed enterprise software platforms. With PeopleSoft installations serving as critical infrastructure for Fortune 500 companies, government agencies, and educational institutions, the active exploitation of CVE-2026-35273 demands immediate attention from security teams across all sectors.
Background & Context
Oracle PeopleSoft has been a cornerstone enterprise application suite since the 1980s, serving organizations with comprehensive human capital management (HCM), financial management, and campus solutions. Despite Oracle’s acquisition of PeopleSoft in 2005, the platform continues to operate millions of business-critical processes globally, with an estimated 15,000+ organizations still maintaining PeopleSoft environments.
The vulnerability was first detected by Nissan’s security operations center on March 14, 2026, following suspicious authentication patterns and unusual database queries originating from their PeopleSoft Human Resources Management System (HRMS). Initial forensic analysis revealed that attackers had established persistence within the environment for approximately 18 days before detection, suggesting the zero-day had been exploited since late February 2026.
Oracle was notified within 24 hours of Nissan’s discovery, triggering an emergency security advisory. The vulnerability affects the PeopleTools component, specifically the Integration Broker servlet that handles web services and external system communications. This component is enabled by default in standard PeopleSoft deployments, significantly expanding the attack surface.
Technical Breakdown
CVE-2026-35273 is an unauthenticated remote code execution vulnerability with a CVSS v3.1 score of 9.8 (Critical). The flaw exists in the Integration Broker’s XML parser, which fails to properly sanitize externally-supplied XML data before processing.
Vulnerability Chain:
The exploitation occurs through a multi-stage attack leveraging improper input validation in the PSIGW.DLL servlet endpoint. Attackers craft malicious XML payloads containing external entity references that trigger server-side request forgery (SSRF) combined with deserialization of untrusted data.
Attack Vector:
POST /PSIGW/HttpListeningConnector HTTP/1.1
Host: [target-peoplesoft-domain]
Content-Type: text/xml
]>
&exploit;
&xxe;
The XML parser processes the external entity, allowing attackers to:
- Read arbitrary files from the server filesystem
- Trigger outbound connections to attacker-controlled infrastructure
- Load and execute malicious Java classes through classpath manipulation
- Escalate privileges to the PeopleSoft application account (typically PSADM)
Exploitation Characteristics:
- No authentication required
- Exploitable remotely over HTTP/HTTPS
- Works against default configurations
- Leaves minimal forensic footprint in standard application logs
- Bypasses Oracle’s Application Security Framework (ASF)
In the Nissan breach, attackers leveraged the initial RCE to deploy a custom web shell disguised as a legitimate PeopleSoft component (PORTAL.war), providing persistent backdoor access. Subsequent lateral movement targeted the underlying Oracle database using harvested credentials from PeopleTools configuration files.
Impact & Risk Assessment
Immediate Impacts:
Nissan has not disclosed the full extent of compromised data, but confirmed that employee personal information, including names, Social Security numbers, compensation details, and performance reviews were accessed. The breach potentially affects current and former employees across Nissan’s North American operations, estimated at 25,000+ individuals.
Broader Risk Landscape:
The discovery of active exploitation creates urgent risk for the global PeopleSoft installed base:
- Financial Services: Banks and insurance companies running PeopleSoft Financial Management Systems face exposure of transaction data and customer financial records
- Healthcare: Hospital systems using PeopleSoft HRMS risk HIPAA violations through employee health benefit data exposure
- Government: Public sector agencies face potential exposure of classified employee clearance information
- Education: Universities managing student records through Campus Solutions are vulnerable to FERPA violations
Attack Surface Analysis:
Shodan and Censys scanning indicates approximately 8,700 internet-facing PeopleSoft instances globally, with 3,200 in the United States alone. While not all exposed instances are vulnerable, organizations following standard deployment practices with Integration Broker enabled face immediate risk.
Secondary Consequences:
Beyond direct data theft, successful exploitation provides attackers with:
- Privileged access to enterprise ERP data across HR, finance, and supply chain functions
- Capability to manipulate payroll, procurement, and accounting records
- Foundation for business email compromise (BEC) attacks using harvested organizational intelligence
- Potential for ransomware deployment against business-critical systems
Vendor Response
Oracle issued Emergency Security Advisory CPU-MARCH-2026-001 on March 16, 2026, acknowledging CVE-2026-35273 and confirming active exploitation. The advisory states:
“Oracle is aware of active exploitation of CVE-2026-35273 affecting PeopleSoft PeopleTools versions 8.58 through 9.2. A patch is currently under development and will be released through the April 2026 Critical Patch Update on April 15, 2026.”
This response has drawn criticism from the security community, as the three-week delay until patch availability leaves organizations exposed during a confirmed active exploitation window. Oracle has published interim mitigation guidance but has not committed to an out-of-band emergency patch.
Oracle’s Security Alert provides workarounds but emphasizes that “mitigations do not eliminate the vulnerability and should be considered temporary measures until patching is completed.”
Nissan released a statement acknowledging the breach and indicating they are “working closely with Oracle, federal law enforcement, and third-party cybersecurity firms to investigate the incident and notify affected individuals in accordance with applicable data breach notification laws.”
Mitigations & Workarounds
Emergency Mitigation (Temporary):
Organizations unable to immediately patch should implement the following controls:
1. Disable Integration Broker (if operationally feasible):
# Stop the application server domain that hosts Integration Broker (psadmin lives in $PS_HOME/appserv)
cd $PS_HOME/appserv
./psadmin -c stop -d [DOMAIN_NAME]
2. Implement Web Application Firewall (WAF) Rules:
Block XML requests to Integration Broker endpoints (nginx example):
location ~* ^/PSIGW/HttpListeningConnector {
deny all;
return 403;
}
location ~* ^/PSIGW/PeopleSoftServiceListeningConnector {
deny all;
return 403;
}
3. Network Segmentation:
Restrict Integration Broker access to authorized internal IP ranges only (Apache httpd 2.4 example; the Require lines must sit inside a Location block to apply to the connector paths):
<Location "/PSIGW">
    Require ip 10.0.0.0/8
    Require ip 172.16.0.0/12
    Require ip 192.168.0.0/16
</Location>
4. XML Parser Hardening:
Disable external entity processing in the JDK’s JAXP properties file. Note that these are JVM-wide defaults: a parser that is configured explicitly in application code overrides them, and java.security does not read these keys.
# Add to $JAVA_HOME/jre/lib/jaxp.properties (JDK 8) or $JAVA_HOME/conf/jaxp.properties (JDK 9+)
# An empty value means no protocol may be used to fetch external DTDs, external entities or schemas
javax.xml.accessExternalDTD=
javax.xml.accessExternalSchema=
# Cap entity expansion; a value of 0 (or negative) would remove the limit rather than enforce it
jdk.xml.entityExpansionLimit=1
jdk.xml.totalEntitySizeLimit=1
5. Monitor and Alert:
Deploy EDR/XDR solutions with specific detection rules for PeopleSoft exploitation indicators.
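The request-side controls in items 2 to 4 above (deny the listening connectors, accept connector traffic only from internal ranges, refuse any DOCTYPE and keep external entities off in the parser) can be expressed as one gateway filter. The following is an added example written for this post, not Oracle or PeopleSoft code; the connector paths and address ranges are taken from the mitigation list, while the sample bodies and the `classify_request`/`parse_hardened` names are constructed for the demo.

```python
"""Gateway-side request gate for Integration Broker traffic.

Added example, not Oracle's or PeopleSoft's code: models the connector path
block, the internal-source restriction and DOCTYPE rejection (with external
entity resolution disabled in the parser) as a filter a reverse proxy or
gateway could run before a request reaches PSIGW. Sample bodies are
constructed, not real IB messages.
"""
import io
import ipaddress
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Integration Broker listening connectors named in the WAF rule above.
CONNECTOR_PATHS = (
    "/PSIGW/HttpListeningConnector",
    "/PSIGW/PeopleSoftServiceListeningConnector",
)

# Internal ranges from the segmentation rule; any other source is denied.
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# A DOCTYPE is the only place an XML document can declare entities, and a
# normal IB message carries none, so any DOCTYPE is treated as hostile input.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

# Constructed sample bodies for the demo.
SAMPLE_BENIGN = b'<?xml version="1.0"?><IBRequest><MessageName>USER_PROFILE</MessageName></IBRequest>'
SAMPLE_DOCTYPE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM "file:///placeholder">]>'
                  b'<r>&ext;</r>')


def classify_request(path, src_ip, body, emergency_block=True):
    """Decide what to do with one inbound request.

    Returns 'deny-path', 'deny-source', 'deny-doctype' or 'allow'.
    With emergency_block=True every connector request is refused outright
    (the nginx 'deny all' rule); with it off, connector requests are only
    accepted from INTERNAL_NETS. Any request carrying a DOCTYPE is refused.
    """
    if any(path.startswith(p) for p in CONNECTOR_PATHS):
        if emergency_block:
            return "deny-path"
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in INTERNAL_NETS):
            return "deny-source"
    if DOCTYPE_RE.search(body):
        return "deny-doctype"
    return "allow"


class _RootName(ContentHandler):
    """Records the root element name; enough to show the document parsed."""

    def __init__(self):
        super().__init__()
        self.root = None

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name


def parse_hardened(body):
    """Parse an accepted body with external entity resolution switched off.

    The DOCTYPE check runs first so entity declarations never reach the
    parser; the two SAX features are defence in depth should that check be
    bypassed. Returns the root element name.
    """
    if DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    handler = _RootName()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.root


if __name__ == "__main__":
    for path, ip, body in [
        ("/PSIGW/HttpListeningConnector", "203.0.113.5", SAMPLE_BENIGN),
        ("/PSIGW/HttpListeningConnector", "10.20.30.40", SAMPLE_DOCTYPE),
        ("/psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.GBL", "198.51.100.9", b""),
    ]:
        print(path, ip, classify_request(path, ip, body, emergency_block=False))
    print("root:", parse_hardened(SAMPLE_BENIGN))
```

The order of checks matters: the cheap path and source decisions run before the body is inspected, and the DOCTYPE rejection is a string check that does not depend on the XML parser, so a parser bug cannot be used to slip a declaration past it.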
Detection & Monitoring
Log Analysis:
Examine PeopleSoft Integration Broker logs for suspicious patterns:
# Check for XML external entity references
grep -i "DOCTYPE" $PS_HOME/webserv//applications/peoplesoft/PSIGW/WEB-INF/logs/.log
# Identify unusual PSIGW access
awk '$7 ~ /PSIGW/ && $9 == "200"' /var/log/httpd/access_log | \
awk '{print $1}' | sort | uniq -c | sort -rn
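The grep and awk one-liners above are quick to type but hard to test. The following added example, written for this post rather than taken from it, does the same two jobs in Python over constructed log lines: it counts successful requests to the listening connectors per client address from an Apache-style access log and flags lines that mention a DOCTYPE in a gateway log. The gateway-log line format shown is an assumption for the demo, not the real PSIGW log format.

```python
"""Access-log and gateway-log triage for Integration Broker activity.

Added example, not part of the original post: a testable version of the
grep/awk pipelines above. All log lines below are constructed for the demo
and the gateway-log format is an assumption, not the real PSIGW format.
"""
import re
from collections import Counter

# Apache combined/common log: client, ident, user, [time], "request", status, size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one external address hammering the connectors, one
# internal integration partner, one ordinary portal request, one failed POST.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2026:02:11:03 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512
203.0.113.7 - - [14/Mar/2026:02:11:09 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 498
203.0.113.7 - - [14/Mar/2026:02:11:15 +0000] "POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1" 200 771
10.20.30.40 - - [14/Mar/2026:02:12:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 640
198.51.100.9 - - [14/Mar/2026:02:13:21 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.GBL HTTP/1.1" 200 8820
203.0.113.7 - - [14/Mar/2026:02:14:02 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0
"""

# Constructed gateway log in an assumed format; the real PSIGW log differs.
SAMPLE_GATEWAY_LOG = """\
2026-03-14 02:11:03 INFO  HttpListeningConnector request accepted, 512 bytes
2026-03-14 02:11:03 WARN  parser saw <!DOCTYPE ibx [<!ENTITY ext SYSTEM "file:///placeholder">]>
2026-03-14 02:12:00 INFO  HttpListeningConnector request accepted, 640 bytes
"""


def parse_access_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def psigw_hits_by_source(log_text, status="200"):
    """Count requests to /PSIGW/ with the given status per client (the awk pipeline)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and "/PSIGW/" in rec["path"] and rec["status"] == status:
            hits[rec["ip"]] += 1
    return hits


def noisy_sources(log_text, threshold=2):
    """Clients with more than `threshold` successful connector hits, busiest first."""
    return [ip for ip, n in psigw_hits_by_source(log_text).most_common() if n > threshold]


def doctype_lines(log_text):
    """1-based numbers of lines mentioning a DOCTYPE, case-insensitive (the grep)."""
    return [i for i, line in enumerate(log_text.splitlines(), 1) if "doctype" in line.lower()]


if __name__ == "__main__":
    print(psigw_hits_by_source(SAMPLE_ACCESS_LOG))
    print("noisy:", noisy_sources(SAMPLE_ACCESS_LOG))
    print("doctype at lines:", doctype_lines(SAMPLE_GATEWAY_LOG))
```

Counting only status 200 mirrors the awk filter; in practice also look at 500s from the same client, since a failed exploitation attempt often precedes a successful one and shows up as a burst of server errors on the connector path.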
Network-Based Detection:
Monitor for outbound connections from PeopleSoft application servers:
# Packet capture for unexpected external connections (use your flow collector for the NetFlow equivalent);
# all three internal ranges are excluded so only genuinely external destinations remain
tcpdump -i any -nn 'src host [PEOPLESOFT_IP] and not (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16)'
Database Audit Indicators:
Query Oracle database audit logs for privilege escalation:
-- Requires AUDIT_TRAIL=DB; sql_text is only populated with DB,EXTENDED.
-- Oracle records grants as 'GRANT OBJECT', 'GRANT ROLE' or 'SYSTEM GRANT', hence the LIKE.
SELECT username, extended_timestamp, action_name, sql_text
FROM dba_audit_trail
WHERE username = 'PSADM'
AND (action_name IN ('CREATE USER', 'ALTER USER') OR action_name LIKE '%GRANT%')
AND extended_timestamp > SYSDATE - 30
ORDER BY extended_timestamp DESC;
Compromise Indicators:
- Unexpected Java processes spawned by PeopleSoft application server accounts
- New WAR files deployed to PeopleSoft domains without change management records
- Database connections from PeopleSoft servers to unusual external hosts
- Modifications to PSAPPSRV.CFG or PSADMIN.CFG configuration files
- Unusual file access patterns in $PS_HOME/appserv directories
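The last two indicators above (a WAR file appearing in a PeopleSoft domain, an edit to PSAPPSRV.CFG or PSADMIN.CFG) are exactly what a file-integrity baseline catches. The following is an added example written for this post, not PeopleSoft tooling: it hashes the configuration and deployable files under a watched tree, diffs against an earlier snapshot, and in `demo()` builds a throw-away directory with constructed file names standing in for a real $PS_HOME.

```python
"""File-integrity baseline for PeopleSoft directories.

Added example, not PeopleSoft tooling: a minimal baseline-and-compare routine
that surfaces new deployables and configuration edits. demo() uses a
temporary directory with constructed paths in place of a real $PS_HOME.
"""
import hashlib
import os
import tempfile

# File types worth tracking under $PS_HOME: domain configuration and deployable code.
WATCHED_SUFFIXES = (".cfg", ".war", ".jar", ".class", ".properties")


def build_baseline(root):
    """Map relative POSIX path -> SHA-256 for every watched file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WATCHED_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare(old, new):
    """Return {'added', 'removed', 'modified'} as sets of relative paths."""
    return {
        "added": set(new) - set(old),
        "removed": set(old) - set(new),
        "modified": {p for p in set(old) & set(new) if old[p] != new[p]},
    }


def _write(root, rel, data):
    """Create or overwrite a file at a relative POSIX path, making parent dirs."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Simulate a clean baseline, then a config edit and an unexpected WAR drop."""
    with tempfile.TemporaryDirectory() as ps_home:
        # Constructed stand-ins for a domain's config and the portal web archive.
        _write(ps_home, "appserv/HRDMO/PSAPPSRV.CFG", b"[Startup]\nDBName=HRDMO\n")
        _write(ps_home, "appserv/HRDMO/PSADMIN.CFG", b"[PSADMIN]\n")
        _write(ps_home, "webserv/peoplesoft/applications/peoplesoft/PORTAL.war", b"PK\x03\x04clean")
        _write(ps_home, "appserv/HRDMO/LOGS/APPSRV_0314.LOG", b"not watched\n")
        baseline = build_baseline(ps_home)

        # Events a defender wants surfaced: a config edit and a new deployable.
        # Log churn is deliberately outside the watched set so it stays quiet.
        _write(ps_home, "appserv/HRDMO/PSAPPSRV.CFG", b"[Startup]\nDBName=HRDMO\nDBUser=PSADM\n")
        _write(ps_home, "webserv/peoplesoft/applications/peoplesoft/EXTRA.war", b"PK\x03\x04new")
        _write(ps_home, "appserv/HRDMO/LOGS/APPSRV_0314.LOG", b"still not watched\n")
        return compare(baseline, build_baseline(ps_home))


if __name__ == "__main__":
    for kind, paths in sorted(demo().items()):
        print(f"{kind:9s} {sorted(paths)}")
```

Store the baseline off-host (or at least outside $PS_HOME) and regenerate it only through change management; a baseline an attacker with the application account can rewrite is no baseline at all.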
Best Practices
Short-Term Actions:
- Emergency Patching Preparation: Establish testing environments to validate Oracle’s April 2026 patch immediately upon release
- Access Review: Audit all privileged accounts with PeopleSoft access and enforce MFA
- Backup Verification: Ensure clean, offline backups exist for disaster recovery scenarios
- Incident Response Planning: Prepare IR playbooks specifically for ERP compromise scenarios
Long-Term Strategic Controls:
Architecture Hardening:
- Deploy PeopleSoft behind reverse proxies with SSL/TLS inspection
- Implement network segmentation isolating PeopleSoft from general corporate networks
- Deploy privileged access management (PAM) solutions for administrative access
- Enable Oracle Database Vault to restrict even privileged DBA access
Continuous Monitoring:
- Deploy SIEM with PeopleSoft-specific detection rules
- Implement file integrity monitoring (FIM) on critical PeopleSoft directories
- Enable Oracle Database audit policies for all privileged operations
- Conduct quarterly penetration testing focused on ERP attack surfaces
Vulnerability Management:
- Subscribe to Oracle Security Alert notifications
- Establish SLAs for emergency patching of critical Oracle vulnerabilities
- Maintain updated asset inventory of all PeopleSoft components and versions
- Participate in Oracle Beta Program for early access to security updates
Third-Party Risk:
- Review vendor contracts for security responsibilities
- Validate that managed service providers implement Oracle security advisories
- Establish clear incident notification requirements in vendor agreements
Key Takeaways
- CVE-2026-35273 is a critical zero-day in Oracle PeopleSoft being actively exploited in the wild, with Nissan confirming breach
- The vulnerability enables unauthenticated remote code execution through the Integration Broker XML parser
- Approximately 15,000 organizations globally rely on potentially vulnerable PeopleSoft installations
- Oracle’s patch will not be available until April 15, 2026, leaving a critical exposure window
- Organizations must implement temporary mitigations immediately, including WAF rules and network restrictions
- The Nissan breach exposed sensitive employee data, highlighting the severe business impact of ERP compromises
- Long-term security requires defense-in-depth strategies combining network segmentation, continuous monitoring, and rapid patch management
- ERP platforms like PeopleSoft represent high-value targets requiring elevated security postures beyond standard application security practices
References
- Oracle Security Advisory CPU-MARCH-2026-001: https://www.oracle.com/security-alerts/cpumar2026.html
- CVE-2026-35273 – NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2026-35273
- Nissan Data Breach Notification: https://www.nissan-global.com/EN/SECURITY/2026/
- CISA Known Exploited Vulnerabilities Catalog (CVE-2026-35273 Entry)
- Oracle PeopleSoft Security Best Practices Documentation
- SANS Internet Storm Center – PeopleSoft Exploitation Analysis
- Oracle PeopleSoft PeopleTools 9.2 Integration Broker Administration Guide
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.