CISA adds Oracle PeopleSoft CVE-2026-35273 to KEV
BOD 26-04 turns this from a catalog update into a public-facing asset triage problem with two clocks to track.
TL;DR
CISA added CVE-2026-35273, an Oracle PeopleSoft Enterprise PeopleTools missing-authentication vulnerability, to the Known Exploited Vulnerabilities catalog based on active exploitation. Federal Civilian Executive Branch agencies must prioritize rapid remediation under Binding Operational Directive 26-04 when KEV flaws sit on publicly exposed assets that grant total control after exploitation. Contractors and primes supporting federal systems should track that narrower regime separately; the alert does not state the CVE-specific deadline, penalties, or extension criteria.
CISA’s June 12 alert adds CVE-2026-35273 to the Known Exploited Vulnerabilities catalog, which is the part everyone will paste into the ticket. The more useful part is the directive framing around it: Binding Operational Directive 26-04 updates the old BOD 22-01 model by pushing agencies toward rapid remediation of KEV-listed vulnerabilities on publicly exposed assets that allow total control after exploitation, while deferring lower-risk work.
That matters because it creates a different operating queue from ordinary patch hygiene. Federal Civilian Executive Branch agencies are not just being told that Oracle PeopleSoft Enterprise PeopleTools has an exploited missing-authentication flaw. They are being told to sort it by exposure, exploitation consequence, and compromise-check expectations before treating it as done. Contractors and primes running or supporting public-facing federal systems should mirror that logic in their patch cycles, because agency compliance pressure rarely stays politely inside agency boundaries.
The open item is basic but important: the alert does not give the CVE-specific due date, nor does it spell out penalties or extension criteria. Until that is clear, the practical move is inventory first, exposure second, patch and compromise review third. If PeopleSoft is internet-exposed in a federal environment, this is no longer a quarterly maintenance discussion.
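As an added illustration (not code from the CISA alert or from Deep Fathom), the triage order above as a script: assets running the KEV-listed product are split into the BOD 26-04 rapid queue or ordinary patch hygiene by exposure and exploitation consequence, and the unstated due date is flagged rather than guessed. The KEV record, the inventory and the total-control assessment field are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed KEV-style record; key names follow the public KEV JSON feed.
# dueDate is deliberately absent: the alert does not state it, so never guess.
KEV_ENTRY = {
    "cveID": "CVE-2026-35273",
    "vendorProject": "Oracle",
    "product": "PeopleSoft Enterprise PeopleTools",
    "vulnerabilityName": "Missing Authentication Vulnerability",
}

@dataclass
class Asset:
    name: str
    product: str
    internet_exposed: bool
    # Analyst assessment (assumption, not a KEV field): does exploitation give
    # total control of the asset? BOD 26-04's narrow regime keys on this.
    total_control_on_exploit: bool
    patched: bool = False
    compromise_review_done: bool = False

# Constructed sample inventory: one exposed prod host, one internal dev host.
SAMPLE_ASSETS = [
    Asset("hr-portal", "PeopleSoft Enterprise PeopleTools", True, True),
    Asset("ps-dev", "PeopleSoft Enterprise PeopleTools", False, True),
    Asset("intranet-wiki", "Wiki", True, True),
]

def triage(assets, kev_entry):
    """Two clocks: 'rapid' = KEV flaw on an exposed asset granting total control."""
    queues = {"rapid": [], "standard": [], "not_affected": []}
    for a in assets:
        if a.product != kev_entry["product"]:
            queues["not_affected"].append(a.name)
        elif a.internet_exposed and a.total_control_on_exploit:
            queues["rapid"].append(a.name)
        else:
            queues["standard"].append(a.name)
    return queues

def remaining_steps(asset, kev_entry):
    """Open items, in the page's order: patch, then compromise review."""
    steps = []
    if not asset.patched:
        steps.append("patch")
    if not asset.compromise_review_done:
        steps.append("compromise review")
    if "dueDate" not in kev_entry:  # flag the unknown deadline, never invent it
        steps.append("confirm due date from the KEV catalog entry")
    return steps
```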
Published · Deep Fathom