Zero-Day Security Alert — March 18, 2026: Oracle Edge Cloud Infrastructure Unauthenticated RCE
- Jacob Hughes
- Mar 17
Daily Security Briefing
March 18, 2026
CVE-2026-21994 | CVSS 9.8 | CRITICAL Severity | Public Disclosure (NVD)
Affected Product
Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0
Description
A critical unauthenticated remote code execution vulnerability exists in Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0. An unauthenticated attacker with network access via HTTP can exploit this flaw to achieve complete system compromise, resulting in full loss of confidentiality, integrity, and availability. The low attack complexity and absence of required privileges or user interaction make this vulnerability trivially exploitable by remote attackers with network access to the affected service.
Attack Vector
Remotely exploitable over HTTP. No authentication, elevated privileges, or user interaction required. Attack complexity is rated Low, meaning exploitation requires no special conditions. The vulnerability is accessible to any attacker with network-level access to the affected host.
Remediation
Oracle customers running Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0 should immediately consult Oracle's Security Alerts page (https://www.oracle.com/security-alerts/) for an available patch or updated release. If no patch is yet available, restrict network access to the affected service to trusted IP ranges only and disable external-facing HTTP exposure where operationally feasible. Apply vendor-supplied patches as soon as they become available and monitor Oracle security advisories for further guidance.
CISA Remediation Due Date: N/A
This report is generated automatically from NVD and CISA KEV data.
