Waratek Q2 2026 - Update (2026-June-17) CVE-2026-35273
Observations on PeopleSoft Vulnerability CVE-2026-35273
CVE-2026-35273 is a critical unauthenticated vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, with a CVSS score of 9.8.
Public reports indicate that the vulnerability enables attackers to perform SSRF attacks that can be chained into Remote Code Execution, unauthorized data exfiltration, deployment of remote management agents for persistent access, and lateral movement across internal networks through credential spraying and SMB-based NetNTLM hash harvesting.
Based on currently available public information, Waratek recommends a defense-in-depth security policy to mitigate exploitation of this issue. The following security controls address different elements of the attack chain, providing multiple places where the attack can be intercepted and blocked. As more information on this CVE becomes available, this list will be updated, as required.
Recommended security configuration for CVE-2026-35273:
- Enable the Relative Path Traversal, Absolute Path Traversal, Deserialization and XXE security rules.
- Use the Process rule to block forking (execution) from all or high-risk directories such as /tmp/*, which is specifically used by this exploit.
- Use the Process rule to block execution of known executables used by this exploit, including those matching *fanout.sh and meshagent*.exe.
- Use the Filesystem read/write rules to block creation or modification of executable artifacts such as .sh and .exe files under /tmp/* and other high-risk filesystem locations.
- Use the Filesystem write rule to block unauthorized creation or modification of .jsp and .xml files in WebLogic deployment directories.
- Use the Socket Connect rule to block outbound SMB connections on port 445 to any IP address.
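As an added illustration (not Waratek code and not ARMR rule syntax), the following Python evaluator applies the recommended controls above to constructed process, filesystem and socket events, so a defender can see which stage of the reported chain each rule intercepts. The WebLogic deployment path pattern and all sample paths and addresses are assumptions.

```python
import fnmatch
from dataclasses import dataclass

# Policy values mirror the advisory's recommendations (constructed for this example).
EXEC_DIR_BLOCKLIST = ("/tmp/*",)
EXEC_NAME_BLOCKLIST = ("*fanout.sh", "meshagent*.exe")
WRITE_EXT_BLOCKLIST = (".sh", ".exe")
# WebLogic deployment layout below is an assumed path; adjust to the real domain.
DEPLOY_DIR_PATTERNS = ("/opt/oracle/weblogic/domains/*/servers/*/tmp/_WL_user/*",)
DEPLOY_EXT_BLOCKLIST = (".jsp", ".xml")
SOCKET_PORT_BLOCKLIST = frozenset({445})

@dataclass(frozen=True)
class Event:
    kind: str       # "exec" | "write" | "connect"
    target: str     # path for exec/write, destination IP for connect
    port: int = 0   # destination port, connect events only

def _matches(value, patterns):
    return any(fnmatch.fnmatch(value, p) for p in patterns)

def evaluate(ev):
    """Map one event to ('block' | 'allow', reason) under the recommended policy."""
    if ev.kind == "exec":
        if _matches(ev.target, EXEC_DIR_BLOCKLIST):
            return "block", "process: execution from high-risk directory"
        if _matches(ev.target.rsplit("/", 1)[-1], EXEC_NAME_BLOCKLIST):
            return "block", "process: known exploit executable name"
    elif ev.kind == "write":
        lower = ev.target.lower()
        if lower.endswith(WRITE_EXT_BLOCKLIST) and _matches(ev.target, EXEC_DIR_BLOCKLIST):
            return "block", "filesystem: executable artifact in high-risk location"
        if lower.endswith(DEPLOY_EXT_BLOCKLIST) and _matches(ev.target, DEPLOY_DIR_PATTERNS):
            return "block", "filesystem: unauthorized write to deployment directory"
    elif ev.kind == "connect" and ev.port in SOCKET_PORT_BLOCKLIST:
        return "block", "socket: outbound SMB (port 445) connection"
    return "allow", ""

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("exec", "/tmp/x/fanout.sh"), Event("exec", "/opt/app/bin/meshagent64.exe"),
    Event("exec", "/usr/bin/java"), Event("write", "/tmp/payload.SH"),
    Event("write", "/opt/oracle/weblogic/domains/d1/servers/s1/tmp/_WL_user/app/cmd.jsp"),
    Event("write", "/var/log/app.log"), Event("connect", "10.0.0.5", 445),
    Event("connect", "10.0.0.6", 443),
]

def run_policy(events=SAMPLE_EVENTS):
    """Return [(event, action, reason)] for a batch of events."""
    return [(ev, *evaluate(ev)) for ev in events]
```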
ARMR documentation for rule configuration without the Portal Wizard:
- Path Traversal Rule
- Filesystem Read Write Rule
- Deserialization Rule
- XXE Rule
- Process Rule
- Socket Rule
If you require assistance enabling the above configurations, please contact support@waratek.com and our Customer Success team can assist.