ZeroDaySentinel

CVE-2026-20223: Cisco Secure Workload REST API Flaw Allows Unauthenticated Attackers to Read Sensitive Data and Reconfigure Tenants with Site Admin Privileges

Critical
Incident: 2026-05-25
Published: 2026-05-25

Cisco patched CVE-2026-20223, a CVSS 10.0 vulnerability in Cisco Secure Workload stemming from insufficient validation and authentication on REST API endpoints. An unauthenticated remote attacker who sends a crafted API request to an affected endpoint can read sensitive data and make configuration changes across tenant boundaries using the privileges of the Site Admin user, affecting both SaaS and on-premises deployments regardless of device configuration. Cisco discovered the flaw through internal security testing and reports no evidence of exploitation in the wild. Patches are available in releases 3.10.8.3 and 4.0.3.17. The disclosure comes one week after Cisco confirmed active exploitation of another CVSS 10.0 flaw in the Catalyst SD-WAN Controller.


What happened

Cisco released security updates addressing CVE-2026-20223, a maximum-severity vulnerability in Cisco Secure Workload that allows an unauthenticated remote attacker to access sensitive information and make configuration changes across tenant boundaries. The flaw carries a CVSS score of 10.0.

The root cause is insufficient validation and authentication on REST API endpoints. Cisco Secure Workload is a workload security and microsegmentation platform that manages policy enforcement across application workloads in data center and cloud environments. Its REST API is the primary management interface, and the vulnerability means that API endpoints which should require authentication can be accessed without valid credentials by sending a specially crafted request. An attacker who successfully exploits the flaw gains read access to sensitive information and the ability to make configuration changes with the same privilege level as the Site Admin user, which is the highest administrative role in the platform.


The Site Admin privilege level is significant because it spans tenant boundaries. Cisco Secure Workload is deployed as a multi-tenant platform, and Site Admin access allows an attacker to read sensitive information and modify configurations across all tenants on the affected system, not just a single customer's environment. In a shared deployment, this means a single crafted API request could expose the data and alter the security policies of multiple unrelated organizations.

Cisco stated that the vulnerability affects Cisco Secure Workload Cluster Software across both SaaS and on-premises deployments, and that it is present regardless of how the device is configured. There are no workarounds available. The only remediation is upgrading to a patched release.

Cisco identified the vulnerability through its own internal security testing program and credited its internal teams with the discovery. As of the time of disclosure, there is no evidence that the vulnerability has been exploited in the wild.

The fixed releases are:

  1. Cisco Secure Workload Release 3.10: fixed in version 3.10.8.3
  2. Cisco Secure Workload Release 4.0: fixed in version 4.0.3.17
  3. Cisco Secure Workload Release 3.9 and earlier: these versions have reached end-of-support and will not receive a fix. Customers on 3.9 or earlier must migrate to a fixed release

The disclosure comes one week after Cisco confirmed that CVE-2026-20182, a CVSS 10.0 authentication bypass in the Catalyst SD-WAN Controller, has been under active exploitation by a threat actor identified as UAT-8616. That vulnerability allowed unauthenticated attackers to gain administrative access to SD-WAN systems by sending crafted requests to the vdaemon service. The two maximum-severity flaws disclosed in rapid succession across different Cisco product lines represent a concentrated patching pressure point for organizations with significant Cisco infrastructure deployments.

Who is affected

All deployments of Cisco Secure Workload Cluster Software in release 3.9 and earlier, 3.10 prior to 3.10.8.3, and 4.0 prior to 4.0.3.17 are affected. The scope explicitly covers both SaaS-hosted deployments and on-premises installations. There is no configuration state that provides immunity, and no workaround exists outside of patching.

Multi-tenant deployments are of elevated concern. Because Site Admin privileges span tenant boundaries, a single exploitation event against a shared platform can expose the sensitive data and security configuration of every tenant on that system, not just the organization whose environment is directly targeted.

Organizations that rely on Cisco Secure Workload for network segmentation or zero-trust microsegmentation should note that the affected component is the platform that manages those policies. Compromising the Secure Workload management plane through this vulnerability would give an attacker visibility into the segmentation policies in place and the ability to modify them, potentially opening paths between network segments that the policies were designed to close.

Risk level

Critical

A CVSS score of 10.0 reflects the combination of remote access, no authentication requirement, and maximum impact at the highest privilege level. The cross-tenant access that Site Admin privileges enable amplifies the severity beyond what a single-tenant compromise would represent. In a SaaS deployment, an unauthenticated attacker with network access to the API endpoint could potentially enumerate and modify security policies across every customer tenant on the platform.

The absence of any confirmed exploitation as of this writing is a meaningful mitigating factor. Because the flaw was found through internal testing rather than through observed attacks, defenders have a response window before exploitation tooling becomes widely available. That window is short, however: a maximum-severity Cisco vulnerability with no workarounds, affecting both SaaS and on-premises deployments, is now publicly disclosed, and the time to apply patches before opportunistic exploitation begins should be measured in hours, not days.

The context of this disclosure following last week's CVE-2026-20182 active exploitation confirmation adds operational pressure. Security teams managing Cisco environments are simultaneously responding to a confirmed SD-WAN exploitation campaign and a newly disclosed Secure Workload maximum-severity vulnerability. Prioritization between the two depends on which product is deployed, but organizations running both face a compressed patching timeline for two critical network infrastructure components simultaneously.

What to do

  1. Identify all Cisco Secure Workload deployments in your environment, including SaaS subscriptions and on-premises clusters, and determine their current release version
  2. For deployments on release 3.10, upgrade to version 3.10.8.3 immediately
  3. For deployments on release 4.0, upgrade to version 4.0.3.17 immediately
  4. For deployments on release 3.9 or earlier, begin migration to a supported and patched release. These versions are end-of-support and will not receive a security patch
  5. Review REST API access logs for any unusual activity against Secure Workload API endpoints, particularly requests that lack valid authentication headers yet were not rejected with an authentication error, or that exhibit behavioral patterns inconsistent with legitimate management tooling
  6. After patching, review tenant configurations to confirm that no unauthorized configuration changes were made. Given the absence of confirmed exploitation, this is a precautionary measure, but it is appropriate given the severity of the flaw and the cross-tenant access it enables
  7. If you are running Cisco Catalyst SD-WAN Controller, refer to the CVE-2026-20182 advisory and associated guidance simultaneously, as both vulnerabilities require patching and affect Cisco network management infrastructure
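The version triage in steps 1 through 4 and the log review in step 5 are mechanical enough to script. The following is an added example written for this page, not Cisco tooling: it classifies each deployment against the fixed releases named in the advisory and flags API requests that carried no credentials but still got a non-error response. The `/api/v1/` path prefix, the `auth=yes|no` field and the log lines themselves are constructed for the example; substitute your deployment's real API base path and access-log layout.

```python
"""Triage helper for the remediation steps above (added example, not Cisco code).

Assumptions, all constructed for this page:
  * versions are dotted numerics as printed in the advisory (3.10.8.3, 4.0.3.17);
  * the management API lives under /api/v1/ (adjust API_PREFIX for your cluster);
  * access-log lines look like:  <ts> <src> "<METHOD> <path>" <status> auth=yes|no
    (the real Secure Workload log format is not given on this page).
"""
import re
from typing import Dict, Iterable, List, Tuple

# Fixed releases from the advisory, keyed by release train.
FIXED = {"3.10": (3, 10, 8, 3), "4.0": (4, 0, 3, 17)}
OLDEST_SUPPORTED_TRAIN = (3, 10)          # 3.9 and earlier are listed as end-of-support

API_PREFIX = "/api/v1/"                     # assumed; not taken from Cisco documentation

def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.strip().split("."))

def classify_release(version: str) -> str:
    """Return 'fixed', 'upgrade', 'eol', or 'unknown' for one version string.

    'unknown' covers trains this page does not mention (e.g. anything above 4.0),
    which should be checked against the vendor advisory by hand.
    """
    parts = parse_version(version)
    train = f"{parts[0]}.{parts[1]}"
    if train in FIXED:
        return "fixed" if parts >= FIXED[train] else "upgrade"
    if parts[:2] < OLDEST_SUPPORTED_TRAIN:
        return "eol"
    return "unknown"

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map deployment name -> action class for a {name: version} inventory."""
    return {name: classify_release(ver) for name, ver in inventory.items()}

# Constructed access-log layout; see module docstring.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) auth=(?P<auth>yes|no)$'
)

def suspicious_api_requests(lines: Iterable[str]) -> List[Tuple[str, str, str, str, int]]:
    """Return API hits that carried no credentials yet were not answered 401/403.

    A correctly enforcing API should never produce such a line; each hit is a
    candidate for the unauthenticated-access pattern this advisory describes.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # unrelated or malformed line
        d = m.groupdict()
        if (d["path"].startswith(API_PREFIX)
                and d["auth"] == "no"
                and d["status"] not in ("401", "403")):
            hits.append((d["ts"], d["src"], d["method"], d["path"], int(d["status"])))
    return hits

# Constructed sample data, not real telemetry.
SAMPLE_INVENTORY = {
    "swl-prod-east": "3.10.7.1",   # needs 3.10.8.3
    "swl-prod-west": "4.0.3.17",   # already fixed
    "swl-lab":       "3.9.1.2",    # end-of-support train
}
SAMPLE_LOG = [
    '2026-05-25T10:00:01Z 10.0.0.5 "GET /api/v1/tenants/acme/policies" 200 auth=yes',
    '2026-05-25T10:00:07Z 203.0.113.9 "GET /api/v1/tenants/acme/policies" 401 auth=no',
    '2026-05-25T10:00:09Z 203.0.113.9 "PUT /api/v1/tenants/globex/settings" 200 auth=no',
    '2026-05-25T10:00:12Z 10.0.0.5 "GET /static/logo.png" 200 auth=no',
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name:15s} {action}")
    for hit in suspicious_api_requests(SAMPLE_LOG):
        print("REVIEW:", hit)
```

Feed `triage` the output of whatever inventory source you trust (CMDB export, the cluster's own version endpoint) and point `suspicious_api_requests` at the real access logs after adapting `LOG_RE`. The second sample line is what a correctly enforcing endpoint produces for an anonymous request; the third is the shape worth investigating.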

Analysis

CVE-2026-20223 belongs to a category of API authentication failures that repeatedly appears in enterprise software products: a management API in which authentication enforcement either is not applied consistently across all endpoints or is bypassed by a specific code path. The fact that this was discovered through Cisco's internal testing rather than through external research or exploitation reports is to the company's credit. Internal discovery before a vulnerability is weaponized in the field is the ideal outcome of a well-functioning security testing program, and it provides defenders with the remediation window they need.
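To make the failure class concrete, here is an added example, constructed for this page and not Cisco Secure Workload code: a minimal in-process router with two enforcement strategies. In the first, each handler must remember to apply an authentication decorator, so one forgotten decorator leaves a write endpoint open to anonymous callers. In the second, a single gate sits in front of the route table and fails closed, and a tenant-scoping check lets only the site-admin role cross tenant boundaries. The token table, `Principal` and `Request` types, and the `/api/v1/tenants/<tenant>/...` path layout are all assumptions made for the example.

```python
"""Opt-in versus deny-by-default API authentication (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Principal:
    name: str
    role: str                 # "tenant_admin" or "site_admin"
    tenant: Optional[str]     # None for site_admin, which spans all tenants

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

# Constructed token table.  A real service verifies signed credentials; a dict
# lookup is enough to drive the routing logic this example is about.
TOKENS = {
    "tok-alice":   Principal("alice", "tenant_admin", "acme"),
    "tok-siteops": Principal("siteops", "site_admin", None),
}

API_PREFIX = "/api/v1/tenants/"   # assumed path layout for this example

def authenticate(req: Request) -> Optional[Principal]:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])

def tenant_of(path: str) -> Optional[str]:
    """'/api/v1/tenants/acme/policies' -> 'acme'; None for non-tenant paths."""
    if not path.startswith(API_PREFIX):
        return None
    return path[len(API_PREFIX):].split("/", 1)[0] or None

# Two handlers.  Each returns (status, body).
def list_policies(req: Request, principal: Principal):
    return 200, {"tenant": tenant_of(req.path), "policies": ["allow web->db"]}

def update_settings(req: Request, principal: Principal):
    return 200, "reconfigured"

# --- Pattern 1: opt-in enforcement.  Every handler must apply the decorator.
def require_auth(handler):
    def wrapped(req, principal):
        if principal is None:
            return 401, "unauthenticated"
        return handler(req, principal)
    return wrapped

OPT_IN_ROUTES = {
    ("GET", "/api/v1/tenants/acme/policies"): require_auth(list_policies),
    ("PUT", "/api/v1/tenants/acme/settings"): update_settings,   # decorator forgotten
}

def dispatch_opt_in(req: Request) -> Tuple[int, object]:
    handler = OPT_IN_ROUTES.get((req.method, req.path))
    if handler is None:
        return 404, "not found"
    return handler(req, authenticate(req))   # the unwrapped handler never checks

# --- Pattern 2: deny-by-default.  One gate in front of the whole route table.
ROUTES = {
    ("GET", "/api/v1/tenants/acme/policies"):   list_policies,
    ("PUT", "/api/v1/tenants/acme/settings"):   update_settings,
    ("GET", "/api/v1/tenants/globex/policies"): list_policies,
}

def dispatch_deny_by_default(req: Request) -> Tuple[int, object]:
    principal = authenticate(req)
    if principal is None:
        return 401, "unauthenticated"   # before route lookup: no anonymous path reaches a handler
    handler = ROUTES.get((req.method, req.path))
    if handler is None:
        return 404, "not found"
    tenant = tenant_of(req.path)
    # Tenant scoping: only site_admin may act across tenant boundaries.
    if tenant is not None and principal.role != "site_admin" and principal.tenant != tenant:
        return 403, "forbidden"
    return handler(req, principal)

if __name__ == "__main__":
    anon = Request("PUT", "/api/v1/tenants/acme/settings")
    print("opt-in, no token:         ", dispatch_opt_in(anon))
    print("deny-by-default, no token:", dispatch_deny_by_default(anon))
```

The point of the second dispatcher is that adding a route can no longer widen the attack surface: a new handler is unreachable without credentials whether or not its author thought about authentication, and the tenant check lives in one place rather than in every handler. Running the gate before the route lookup also means anonymous callers cannot enumerate which paths exist.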

The multi-tenant cross-tenant access aspect of the Site Admin privilege level deserves careful consideration by both Cisco and by organizations evaluating shared platform deployments. Workload security and microsegmentation platforms occupy a privileged position in infrastructure: they see and control the policy enforcement layer that governs traffic between workloads. A compromise of the management plane through this API vulnerability would give an attacker the ability to read all microsegmentation policies across tenants, identify allowed traffic paths, and modify policies to create new paths between workloads that were previously isolated. In an environment where Secure Workload is used to enforce compliance boundaries, this constitutes a systemic compliance exposure as well as a security one.

The successive disclosure of CVSS 10.0 vulnerabilities across Cisco product lines within a week of each other, one with confirmed active exploitation and one discovered internally, is a reasonable prompt for organizations with significant Cisco infrastructure to reassess their Cisco-specific patch velocity and monitoring posture. Maximum-severity flaws in network management and security management platforms carry outsized blast radius because the platforms themselves are designed to have privileged access across the infrastructure they manage.