
May 21, 2026

Cisco Secure Workload API flaw creates cross-tenant exposure risk


At a glance: Cisco disclosed a critical vulnerability in Cisco Secure Workload that allows an unauthenticated threat actor to gain Site Admin privileges through crafted API requests, with a maximum CVSS score. The flaw affects both SaaS and on‑premises deployments and enables access to sensitive data and configuration changes across tenant boundaries, creating exposure in shared environments. Remediation requires upgrading to fixed versions, as no workarounds are available and the vulnerability directly impacts the platform’s security control plane. 

Threat summary

On May 20, Cisco disclosed a critical vulnerability in Cisco Secure Workload with a maximum Common Vulnerability Scoring System (CVSS) score of 10.0. The vulnerability affects Cisco Secure Workload Cluster Software across both software-as-a-service (SaaS) and on-premises deployments, regardless of configuration.

Cisco confirmed that the flaw exists in the access validation of internal Representational State Transfer (REST) application programming interface (API) endpoints and can be exploited through crafted API requests. The issue is limited to internal REST APIs and does not impact the web-based management interface.

Cisco Secure Workload, formerly Cisco Tetration, is a micro-segmentation platform designed to enforce zero-trust security across application workloads in on-premises and cloud environments, providing visibility and policy enforcement to reduce lateral movement.

The flaw, tracked as CVE-2026-20223, allows an unauthenticated, remote threat actor to gain Site Admin privileges by sending crafted API requests to vulnerable endpoints. The flaw grants the ability to read sensitive data and modify configurations across tenant boundaries, introducing cross-tenant exposure risks in multi-tenant environments.

Successful exploitation provides full administrative control over affected environments, including visibility and segmentation enforcement capabilities. The vulnerability requires only network connectivity to the affected API endpoints and a crafted request, with no authentication or privileges required, indicating low attack complexity.

Cisco released patches addressing the issue on May 20-21, with fixed versions including 3.10.8.3 and 4.0.3.17, while versions 3.9 and earlier require migration to a supported release. Cisco confirmed that SaaS deployments have already been remediated at the infrastructure level.

There are no workarounds available, and the advisory identifies software upgrade as the only complete remediation path.

Analysis

Cisco Secure Workload operates as a visibility and enforcement layer for zero-trust architectures, and compromise at the Site Admin level enables full control over segmentation policies, workload visibility, and enforcement boundaries.

In a worst-case scenario, an adversary could modify segmentation controls and access sensitive application data across environments, including shared or multi-tenant deployments. This outcome aligns with the level of access granted by Site Admin privileges.

Applying Cisco’s fixed software releases remediates the issue in affected environments.

Limiting access to internal REST API endpoints through network segmentation, access control lists, or private network exposure reduces the reachable attack surface. Monitoring API activity logs for anomalous requests or configuration changes supports detection of attempted exploitation activity.
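As an added illustration of the log monitoring recommended above (example code, not from Cisco or the advisory), the following Python flags three patterns in API access logs: internal endpoints reached from outside an allowlisted management network, successful change requests that carry no authenticated principal, and requests that act across tenant boundaries. The log format, the `/api/internal/` path prefix and the network ranges are constructed assumptions; real Secure Workload logs will differ and the parser must be adapted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log lines in a hypothetical format (not Cisco's real format):
# <timestamp> <src_ip> <method> <path> <status> auth=<principal|none> tenant=<acting> target_tenant=<owner>
SAMPLE_LOG = """\
2026-05-21T10:00:01Z 10.20.0.5 GET /api/v1/workloads 200 auth=alice@corp tenant=t1 target_tenant=t1
2026-05-21T10:00:07Z 10.20.0.5 PUT /api/internal/policy/segments 200 auth=alice@corp tenant=t1 target_tenant=t1
2026-05-21T10:01:12Z 198.51.100.23 POST /api/internal/roles/site_admin 200 auth=none tenant=- target_tenant=t2
2026-05-21T10:01:15Z 198.51.100.23 PUT /api/internal/policy/segments 200 auth=none tenant=t2 target_tenant=t1
2026-05-21T10:02:00Z 10.20.0.9 GET /api/internal/health 200 auth=svc-monitor tenant=t1 target_tenant=t1
"""

ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed management network
INTERNAL_PREFIX = "/api/internal/"                     # hypothetical internal API path prefix
CHANGE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}     # methods that modify configuration


@dataclass
class Finding:
    line_no: int
    reason: str


def parse(line):
    """Split one constructed log line into a dict of fields."""
    ts, src, method, path, status, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": ts, "src": ipaddress.ip_address(src), "method": method,
            "path": path, "status": int(status), **fields}


def analyze(log_text):
    """Return findings for internal-API requests that match a suspicious pattern."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        r = parse(raw)
        if not r["path"].startswith(INTERNAL_PREFIX):
            continue  # only internal REST endpoints are in scope for this check
        if not any(r["src"] in net for net in ALLOWED_NETS):
            findings.append(Finding(n, f"internal API reached from non-allowlisted source {r['src']}"))
        if r["method"] in CHANGE_METHODS and r["status"] < 400 and r["auth"] == "none":
            findings.append(Finding(n, "successful change on internal API without authenticated principal"))
        if r["status"] < 400 and r["tenant"] not in ("-", r["target_tenant"]):
            findings.append(Finding(n, f"cross-tenant access: tenant {r['tenant']} touched {r['target_tenant']}"))
    return findings
```

Run against the constructed sample, only the two requests from 198.51.100.23 produce findings; a legitimate authenticated change from the management network is left alone.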
