
Critical Cisco Secure Workload Flaw Allows Unauthenticated Site Admin Access

Severity: High (Score: 74.0)

Sources: Gbhackers, Cybersecuritynews, Theregister, Securityaffairs.Co, Bleepingcomputer

Published: 2026-05-21 · Updated: 2026-05-21

Keywords: cisco, secure, workload, vulnerability, access, another, perfect

Severity indicators: vulnerability, flaw, bug, ot

Summary

Cisco has disclosed a critical vulnerability in its Secure Workload platform, tracked as CVE-2026-20223, which allows unauthenticated attackers to gain Site Admin privileges through crafted API requests. This flaw, rated 10.0 on the CVSS scale, arises from insufficient validation and authentication in internal REST API endpoints. Attackers exploiting this vulnerability could read sensitive information and make configuration changes across tenant boundaries, undermining multi-tenant infrastructure security.

Cisco has released patches for on-premises customers and has already addressed the issue in its cloud-hosted SaaS deployments. Currently, there is no evidence of active exploitation, but the potential for misuse is significant given the severity of the flaw. This vulnerability follows a recent pattern of high-severity issues disclosed by Cisco, raising concerns among users about the security of their systems.

Key Points:

  • CVE-2026-20223 allows unauthenticated access to Site Admin privileges in Cisco Secure Workload.
  • The flaw is rated 10.0 on the CVSS scale due to insufficient API authentication.
  • Cisco has released patches and has not found evidence of active exploitation.

Detailed Analysis

**Impact** Cisco Secure Workload customers, including those using both SaaS and on-premises deployments, are affected by this vulnerability. The flaw allows unauthenticated attackers to gain Site Admin privileges, enabling access to sensitive information and configuration changes across tenant boundaries. This impacts multi-tenant environments where cross-tenant data exposure and control compromise can occur. No specific sectors or geographies were detailed, but the platform is widely used in enterprise network security contexts.

**Technical Details** The vulnerability, tracked as CVE-2026-20223 with a CVSS score of 10.0, results from insufficient validation and authentication in internal REST API endpoints. Attackers can exploit the flaw by sending crafted API requests without credentials or user interaction, gaining Site Admin privileges remotely. The flaw affects Cisco Secure Workload Cluster Software versions 3.9 and earlier, with fixed releases available from 3.10.8.3 and 4.0.3.17. No indicators of compromise (IOCs) or malware/tool usage were reported, and no active exploitation has been observed.

**Recommended Response** Apply the security updates released by Cisco immediately: upgrade to Secure Workload 3.10.8.3 or 4.0.3.17 for on-premises systems; SaaS deployments have already been patched. There are no workarounds, so patching is critical. Monitor network traffic for unusual API requests targeting Secure Workload REST endpoints and review access logs for unauthorized Site Admin activity. No additional detection signatures or IOCs were provided.

Source articles (7)

  • Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw — Theregister · 2026-05-21
    Switchzilla says attackers could access sensitive data and make configuration changes across tenant boundaries through vulnerable internal APIs Cisco has disclosed yet another perfect 10 vulnerability…
  • CVE-2026-20223 — www.cve.org · 2026-05-21
  • Cisco's barebones advisory — sec.cloudapps.cisco.com · 2026-05-21
  • Critical Vulnerability in Cisco Secure Workload Threatens Enterprise API Security — Gbhackers · 2026-05-21
    Cisco has disclosed a critical security vulnerability in its Secure Workload platform that could allow unauthenticated attackers to gain high-level administrative access to sensitive enterprise enviro…
  • Max severity Cisco Secure Workload flaw gives Site Admin privileges — Bleepingcomputer · 2026-05-21
    Cisco has released security updates to address a maximum-severity Secure Workload vulnerability that allows attackers to gain Site Admin privileges. Formerly known as Cisco Tetration, Cisco Secure Wor…
  • Cisco fixed maximum severity flaw CVE-2026 — Securityaffairs.Co · 2026-05-21
    Cisco fixed a critical Secure Workload flaw (CVE-2026-20223) that could let attackers gain Site Admin privileges through crafted API requests. Cisco released patches for a critical vulnerability, trac…
  • Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access — Cybersecuritynews · 2026-05-21
    Cisco has disclosed a critical security vulnerability in its Secure Workload platform that could allow unauthenticated attackers to gain unauthorized access to sensitive resources via internal APIs. T…

Timeline

  • 2026-05-14 — CVE-2026-20182 published: Cisco disclosed a maximum severity authentication bypass vulnerability affecting SD-WAN systems.
  • 2026-05-14 — CVE-2026-20182 added to CISA KEV: CISA added the CVE-2026-20182 flaw to its Known Exploited Vulnerabilities Catalog due to active exploitation.
  • 2026-05-20 — CVE-2026-20223 published: Cisco published details of a critical vulnerability in Secure Workload allowing unauthenticated access.
  • 2026-05-21 — Cisco releases patches for CVE-2026-20223: Cisco released security updates to address the critical vulnerability in Secure Workload for on-premises customers.

CVEs

  • CVE-2026-20182
  • CVE-2026-20223

Related entities

  • Data Breach (Attack Type)
  • Denial of Service (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Cisco (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-306 - Missing Authentication For Critical Function (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • Catalyst SD-WAN (Platform)
  • Cisco Secure Workload (Platform)
  • SD-WAN (Platform)
  • Secure Workload (Platform)