Critical Cisco Secure Workload flaw elevates users to Site Admin

Summary
– Cisco released security updates for a maximum-severity Secure Workload vulnerability (CVE-2026-20223) that lets unauthenticated attackers gain Site Admin privileges via crafted REST API requests.
– The flaw stems from insufficient validation and authentication in internal REST APIs, allowing attackers to read sensitive data and make configuration changes across tenant boundaries.
– No workarounds exist; Cisco has patched the issue for on-premises customers and addressed it in the cloud-based SaaS deployment.
– Cisco found no evidence of active exploitation of this vulnerability before the advisory was published.
– Earlier in May, Cisco warned of another actively exploited zero-day (CVE-2026-20182) affecting Catalyst SD-WAN, which CISA added to its Known Exploited Vulnerabilities Catalog.
Cisco has rolled out critical security patches to address a maximum-severity vulnerability in its Secure Workload platform, a flaw that could let attackers escalate their privileges to Site Admin without any authentication. Previously branded as Cisco Tetration, Secure Workload is designed to shrink network attack surfaces through zero-trust microsegmentation and block lateral movement, safeguarding business-critical applications.
The vulnerability, formally tracked as CVE-2026-20223, resides within the platform’s internal REST APIs. It allows unauthenticated attackers to access resources and wield the full authority of a Site Admin role. Cisco detailed in a Wednesday advisory that the issue stems from “insufficient validation and authentication when accessing REST API endpoints.” An attacker could exploit this by simply sending a “crafted API request to an affected endpoint.” A successful exploit would grant the ability to “read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.”
No workarounds exist for this security hole. Cisco has released software updates for on-premises customers and has already remediated the issue in its cloud-based Secure Workload SaaS deployment. The affected releases and fixed versions are as follows: Release 3.9 and earlier should migrate to a fixed release; Release 3.10 is patched in version 3.10.8.3; and Release 4.0 is fixed in version 4.0.3.17.
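As an added example (not code from Cisco or from the article), the following Python snippet turns the advisory's fixed-release list into a check that can be run over an inventory of Secure Workload version strings. The hostnames and versions in the sample inventory are constructed, and treating any later build on the same release train as containing the fix is an assumption about how Cisco's first-fixed tables are read.

```python
"""Map Secure Workload version strings to the CVE-2026-20223 remediation action.

From the advisory as reported: 3.10 is fixed in 3.10.8.3, 4.0 is fixed in
4.0.3.17, and 3.9 and earlier have no fix and must migrate to a fixed release.
"""

# First fixed build per release train (major, minor) -> full fixed version.
FIXED_RELEASES = {
    (3, 10): (3, 10, 8, 3),
    (4, 0): (4, 0, 3, 17),
}


def parse_version(text):
    """Turn '3.10.8.3' into (3, 10, 8, 3); pad short strings with zeros."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version_text):
    """Return 'patched', 'upgrade', 'migrate' or 'unknown' for one version string."""
    version = parse_version(version_text)
    train = version[:2]
    if train <= (3, 9):
        return "migrate"          # no fix on this train; move to a fixed release
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return "unknown"          # train not covered by the advisory text
    # Assumption: any build at or above the first fixed build carries the fix.
    return "patched" if version >= fixed else "upgrade"


def triage(inventory):
    """Group (hostname, version) rows by the action each host needs."""
    actions = {}
    for host, version_text in inventory:
        actions.setdefault(assess(version_text), []).append(host)
    return actions


# Constructed sample inventory; these are not real hosts or observed versions.
SAMPLE_INVENTORY = [
    ("csw-lab-01", "3.10.8.3"),
    ("csw-lab-02", "3.10.7"),
    ("csw-prod-01", "4.0.3.17"),
    ("csw-prod-02", "4.0.3.16"),
    ("csw-legacy-01", "3.9.1.20"),
]

if __name__ == "__main__":
    for action, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{action}: {', '.join(hosts)}")
```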
The company’s Product Security Incident Response Team (PSIRT) has confirmed that, as of the advisory’s publication, there is no evidence of this vulnerability being exploited in the wild.
This alert arrives on the heels of another high-stakes warning from earlier in May. Cisco had previously flagged CVE-2026-20182, a maximum-severity authentication bypass affecting its Catalyst SD-WAN software, which was being actively exploited as a zero-day. That flaw also allowed attackers to gain administrative privileges. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20182 to its Known Exploited Vulnerabilities Catalog on May 14, ordering federal agencies to secure affected devices within three days, by May 17.
In early May, Cisco also issued updates for a denial-of-service (DoS) vulnerability in its Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO), a flaw that required manual system reboots to recover. Over the past five years, CISA has flagged 91 Cisco vulnerabilities as actively exploited, with six of those being leveraged by various ransomware gangs.
(Source: BleepingComputer)