
Critical CVE-2026-20223 Vulnerability in Cisco Secure Workload Exposes Admin Privileges

Severity: High (Score: 75.8)

Sources: Securityaffairs.Co, www.cve.org, Csoonline, Cybersecuritynews, Beyondmachines

Published: 2026-05-21 · Updated: 2026-05-22

Keywords: cisco, secure, workload, vulnerability, access, another, perfect

Severity indicators: vulnerability, flaw, bug, ot

Summary

Cisco has disclosed a critical vulnerability, CVE-2026-20223, in its Secure Workload platform (formerly Tetration), rated with the maximum CVSS score of 10.0. The flaw allows an unauthenticated remote attacker to gain Site Admin privileges by sending crafted API requests to vulnerable internal REST API endpoints. It affects both SaaS and on-premises deployments and lets an attacker read sensitive information and modify configuration across tenant boundaries. Cisco has released fixed versions 3.10.8.3 and 4.0.3.17 and states that there are no workarounds. The flaw was found during internal security testing, and at the time of disclosure there were no reports of active exploitation. Organizations running affected versions are urged to apply the updates immediately. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function).

Key Points:
  • CVE-2026-20223 grants unauthenticated attackers Site Admin privileges via internal REST APIs.
  • Both SaaS and on-premises versions of Cisco Secure Workload are affected.
  • Cisco has released fixes (3.10.8.3 and 4.0.3.17) and strongly advises immediate updates; no workarounds exist.

Detailed Analysis

**Impact** The vulnerability affects Cisco Secure Workload Cluster Software in both SaaS and on-premises deployments, with particular risk to multi-tenant environments where cross-tenant data exposure is possible. Exploitation gives an unauthenticated remote attacker Site Admin privileges, allowing access to sensitive information and unauthorized configuration changes across tenant boundaries. Because Secure Workload enforces micro-segmentation policy, compromise of its administrative plane can undermine the zero trust controls that depend on it, potentially leading to data exposure and operational disruption.

**Technical Details** CVE-2026-20223 is a missing-authentication flaw (CWE-306) in internal REST API endpoints of Cisco Secure Workload, exploitable with crafted HTTP API requests and requiring neither credentials nor user interaction. Releases 3.9 and earlier have no fix and require migration; the 3.10 train is fixed in 3.10.8.3 and the 4.0 train in 4.0.3.17. The attack vector is network-reachable unauthenticated access to the internal APIs, yielding immediate privilege escalation to Site Admin, so a single request covers both the initial-access and privilege-escalation stages. No malware, exploitation tooling or indicators of compromise had been reported at disclosure.

**Recommended Response** Apply Cisco's fixes immediately: upgrade on-premises Secure Workload to 3.10.8.3 or 4.0.3.17, and migrate off releases 3.9 and earlier. SaaS customers require no action, as Cisco has already patched the hosted service. Although Cisco lists no workaround, reduce exposure by keeping Secure Workload clusters off the internet and restricting reachability of the API endpoints to trusted management networks. Monitor for unexpected API requests and for new or changed Site Admin accounts, and prioritize the update even though no exploitation had been reported at disclosure.
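The advisory's fix-version logic (3.10 fixed in 3.10.8.3, 4.0 fixed in 4.0.3.17, 3.9 and earlier must be migrated) is easy to get wrong when versions are compared as strings, since "3.10" sorts before "3.9" lexically. The following Python triage helper is an added example, not Cisco tooling; the cluster inventory it scans is constructed, and the dotted-integer version format is assumed from the release numbers the advisory cites.

```python
"""Triage Cisco Secure Workload cluster versions against the fixed releases
named in Cisco's CVE-2026-20223 advisory (3.10.8.3 and 4.0.3.17).

Added example, not Cisco tooling. SAMPLE_INVENTORY is constructed data; the
version-string format (dotted integers) is assumed from the advisory.
"""
from __future__ import annotations

# Fixed release per train, as stated in the advisory.
FIXED: dict[tuple[int, int], tuple[int, ...]] = {
    (3, 10): (3, 10, 8, 3),
    (4, 0): (4, 0, 3, 17),
}
# Trains older than 3.10 (i.e. 3.9 and earlier) have no fix and must be migrated.
OLDEST_FIXABLE_TRAIN = (3, 10)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.10.8.3' into (3, 10, 8, 3); reject anything that is not
    at least 'major.minor' made of integers."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version: str) -> str:
    """Classify one cluster version as 'fixed', 'upgrade', 'migrate' or
    'unknown-train' (a train the advisory does not mention)."""
    v = parse_version(version)
    train = (v[0], v[1])
    if train < OLDEST_FIXABLE_TRAIN:
        return "migrate"
    fixed = FIXED.get(train)
    if fixed is None:
        # Do not guess about trains the advisory does not cover.
        return "unknown-train"
    # Integer tuple comparison gets 3.10 > 3.9 right and treats a shorter
    # tuple as older: (3, 10, 8) < (3, 10, 8, 3).
    return "fixed" if v >= fixed else "upgrade"


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map cluster name -> triage verdict for a whole inventory."""
    return {name: triage(ver) for name, ver in inventory.items()}


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "dc1-workload": "3.10.8.2",   # 3.10 train, below the fix
    "dc2-workload": "3.10.8.3",   # exactly the fixed release
    "lab-workload": "3.9.1.30",   # no fix for this train
    "eu-workload": "4.0.3.17",    # exactly the fixed release
    "apac-workload": "4.0.2.5",   # 4.0 train, below the fix
}

if __name__ == "__main__":
    for name, verdict in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{name:15} {SAMPLE_INVENTORY[name]:10} {verdict}")
```

Anything reported as "upgrade" or "migrate" should be scheduled immediately; "unknown-train" is a prompt to re-read the current advisory rather than an all-clear.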

Source articles (13)

  • Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw — Theregister · 2026-05-21
    Switchzilla says attackers could access sensitive data and make configuration changes across tenant boundaries through vulnerable internal APIs Cisco has disclosed yet another perfect 10 vulnerability…
  • Denial-of-Service vulnerability exists in Cisco Nexus switches — sec.cloudapps.cisco.com · 2026-05-22
  • CVE-2026-20223 — www.cve.org · 2026-05-21
  • Cisco's barebones advisory — sec.cloudapps.cisco.com · 2026-05-21
  • BrowserBot component of Cisco's ThousandEyes Enterprise Agent — sec.cloudapps.cisco.com · 2026-05-22
  • Cisco Secure Workload Flaw CVE-2026 — Thecyberexpress · 2026-05-22
    Cisco has released security updates to fix a critical vulnerability, tracked as CVE-2026-20223, affecting its Cisco Secure Workload platform. The flaw, which received the maximum CVSS score of 10.0, c…
  • Critical Vulnerability in Cisco Secure Workload Threatens Enterprise API Security — Gbhackers · 2026-05-21
    Cisco has disclosed a critical security vulnerability in its Secure Workload platform that could allow unauthenticated attackers to gain high-level administrative access to sensitive enterprise enviro…
  • Cisco Patches Critical CVSS 10.0 Authentication Bypass in Secure Workload — Beyondmachines · 2026-05-21
    Advisory Cisco Patches Critical CVSS 10.0 Authentication Bypass in Secure Workload Take action: Make sure your Cisco Secure Workload clusters are isolated from the internet and accessible only from tr…
  • Max severity Cisco Secure Workload flaw gives Site Admin privileges — Bleepingcomputer · 2026-05-21
    Cisco has released security updates to address a maximum-severity Secure Workload vulnerability that allows attackers to gain Site Admin privileges. Formerly known as Cisco Tetration, Cisco Secure Wor…
  • Cisco fixed maximum severity flaw CVE-2026 — Securityaffairs.Co · 2026-05-21
    Cisco fixed a critical Secure Workload flaw (CVE-2026-20223) that could let attackers gain Site Admin privileges through crafted API requests. Cisco released patches for a critical vulnerability, trac…
  • Cisco patches security hole with top rating in Secure Workload — Heise.De · 2026-05-22
    Network equipment provider Cisco has released several updates to close security vulnerabilities. The most serious reaches the highest possible risk classification and affects Cisco's Secure Workload.…
  • Critical vulnerability in Cisco Secure Workload rated at maximum severity — Csoonline · 2026-05-21
    A critical vulnerability in the on-premises version of the Cisco Secure Workload security platform could allow a threat actor to obtain the privileges of a site admin, enabling them to compromise endp…
  • Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access — Cybersecuritynews · 2026-05-21
    Cisco has disclosed a critical security vulnerability in its Secure Workload platform that could allow unauthenticated attackers to gain unauthorized access to sensitive resources via internal APIs. T…

Timeline

  • 2026-05-14 — CVE-2026-20182 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-20223 published: Cisco disclosed a critical vulnerability in Secure Workload, allowing unauthenticated access to sensitive data.
  • 2026-05-20 — Cisco releases patches for CVE-2026-20223: Cisco provided updates for versions 3.10.8.3 and 4.0.3.17 to fix the critical vulnerability.
  • 2026-05-20 — CVE-2026-20171 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-20199 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-20206 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-22 — First public PoC for CVE-2026-20223: Public proof of concept for exploiting the vulnerability was released, raising urgency for updates.

CVEs

  • CVE-2026-20171
  • CVE-2026-20182
  • CVE-2026-20199
  • CVE-2026-20206
  • CVE-2026-20223

Related entities

  • Data Breach (Attack Type)
  • Denial-of-Service (Attack Type)
  • Denial of Service (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Cisco (Company)
  • China (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-306 - Missing Authentication for Critical Function (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • german.it (Domain)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1499 - Endpoint Denial of Service (Mitre Attack)
  • Catalyst Sd-wan (Platform)
  • Cisco Secure Workload (Platform)
  • Sd-wan (Platform)
  • Secure Workload (Platform)
  • Secure Workload Cluster Software (Platform)