Cisco Secure Workload admin bug
- Cisco disclosed on May 20 a maximum-severity flaw in Secure Workload that lets an unauthenticated remote attacker gain Site Admin privileges through internal APIs.
- Cisco assigned CVE-2026-20223 a CVSS 10.0 score and said successful exploitation could read sensitive data and change configurations across tenant boundaries.
- Cisco said fixed software is available in its advisory, which lists affected releases, notes no workaround, and tracks the bug as CSCwt99942.

Cisco disclosed a maximum-severity vulnerability in Secure Workload on May 20 that can let an unauthenticated remote attacker obtain Site Admin privileges by sending crafted requests to internal REST API endpoints. The company said the flaw, tracked as CVE-2026-20223, stems from insufficient validation and authentication in access checks for those APIs. A successful exploit could let an attacker read sensitive information and make configuration changes across tenant boundaries with Site Admin privileges, according to Cisco’s advisory. Cisco said software updates are available and that there are no workarounds.

### Which part of Secure Workload is exposed?

Cisco said the issue affects Cisco Secure Workload Cluster Software in both SaaS and on-premises deployments, regardless of device configuration. The company said the flaw affects internal REST APIs and does not affect the web-based management interface. Cisco Secure Workload, formerly known as Cisco Tetration, is used for workload visibility, segmentation and policy control across data center and cloud environments. (sec.cloudapps.cisco.com)

### Why are defenders treating this as more than another admin bug?

Cisco gave CVE-2026-20223 a CVSS 3.1 base score of 10.0, the highest possible severity rating, and mapped it to CWE-306, missing authentication for a critical function. The advisory says the attacker does not need credentials or user interaction and can exploit the flaw remotely over the network. Because the Site Admin role sits at the control plane of the product, a successful exploit would give an intruder authority to access site resources and alter configuration at a level that spans tenants, Cisco said. (sec.cloudapps.cisco.com)

### Has Cisco said whether the flaw is being exploited?

Cisco’s May 20 advisory said the company was not aware of any public announcements or malicious use of the vulnerability at the time of publication. That language matters because vendors sometimes disclose active exploitation separately; in this case, Cisco’s published notice did not report known attacks. Outside reporting nevertheless described the flaw as urgent because of the privilege level involved and the possibility of cross-tenant impact. (sec.cloudapps.cisco.com)

### Which versions are fixed?

Security reporting citing Cisco’s advisory said the issue was addressed in Secure Workload versions 3.10.8.3 and 4.0.3.17. Cisco’s advisory directs customers to the fixed-software section to identify vulnerable and remediated releases for their deployments. The company also said only products listed in the vulnerable-products section are known to be affected. (sec.cloudapps.cisco.com)

### What should operators check first?

Cisco said there are no workarounds that address the vulnerability, which leaves upgrading as the primary mitigation. The advisory identifies the bug as CSCwt99942 and says customers should use the fixed-software guidance to determine exposure in SaaS and on-premises environments. Reporting on the disclosure urged security teams to review platform administrative API exposure and tenant-separation controls because the flaw sits in a management path rather than the web console. (securityaffairs.com)

### What happens next for customers?

Cisco published the advisory at 16:00 GMT on May 20 and said fixed software is available now. Customers running affected Secure Workload Cluster Software will need to compare their deployed release against Cisco’s fixed-version guidance and apply the update, because the company says no workaround exists. (sec.cloudapps.cisco.com 1) (sec.cloudapps.cisco.com 2)