Security Alert for Oracle PeopleTools Users: Password Protection Flaw Being Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability to its list of actively exploited security flaws. The problem affects Oracle PeopleSoft Enterprise PeopleTools, a system used by many large organizations to manage human resources, payroll, and other administrative functions.

The vulnerability, tracked as CVE-2026-35273 (an industry tracking number for this software flaw), allows hackers to access critical functions without proper authentication. CISA only adds vulnerabilities to this catalog when they have evidence that criminals are already using them to break into systems.

This affects you if your employer, university, or government agency uses Oracle PeopleSoft for managing employee or student information. Many large companies, hospitals, schools, and government offices use this software to handle payroll, benefits, student records, and personal employee data.

If hackers exploit this flaw at your workplace or school, they could access your personal information, including Social Security numbers, addresses, salary information, health benefits details, and bank account numbers used for direct deposit. Immediately contact your human resources department, IT help desk, or school administration to ask whether they use Oracle PeopleSoft and whether they have patched this critical vulnerability.

Change your password for any work or school portal right away, and make sure it is strong and unique. Enable two factor authentication if your organization offers it for employee or student portals. Carefully monitor your bank accounts and credit reports for any suspicious activity over the next few months.

Consider placing a fraud alert on your credit file if your employer confirms they were affected. Because hackers are actively exploiting this vulnerability right now, time is critical. Do not wait for your employer or school to contact you. Be proactive in protecting yourself.

Going forward, treat your work and school login credentials with the same care you give to your banking passwords. These systems often contain more of your personal information than you realize, making them valuable targets for identity thieves.