Critical vulnerability in Cisco Secure Workload rated at maximum severity

A critical vulnerability in the on-premises version of the Cisco Secure Workload security platform could allow a threat actor to obtain the privileges of a site admin, enabling them to compromise endpoints and read or modify configuration data.

“CSOs need to drop what they are doing and patch this immediately,” warned consultant Robert Enderle, who heads the Enderle Group. “Cisco Secure Workload manages zero trust, micro-segmentation, and enterprise-wide network visibility. If an attacker controls the platform that dictates your security policies, they effectively own the map and the keys to your entire network kingdom.”

“This is the absolute worst-case scenario,” he added. “Because of how vital this platform is to large enterprises, threat actors will be aggressively scanning for unpatched API endpoints to exploit.”

That urgency was echoed by Fred Chagnon, principal research director at Info-Tech Research Group. An attacker could modify or dismantle an enterprise’s security policies, he pointed out, effectively reopening doors within the environment that had been deliberately closed.

‘Blast radius could be significant’

“Because this access operates at the site admin level and crosses tenant boundaries,” he added, “the blast radius in a multi-tenant deployment could be significant, potentially exposing or compromising workloads and data belonging to multiple business units or customers.”

Cisco assigned this flaw (CVE-2026-20223) a maximum CVSS score of 10.0 because it allows an unauthenticated, remote attacker to bypass authentication entirely. By sending a crafted HTTP request to an internal REST API endpoint, the threat actor instantly gains site admin privileges.

In its advisory, Cisco says this hole is due to insufficient validation and authentication when accessing REST API endpoints. 

There are no workarounds; the only solution is to install software updates to address this vulnerability, which Cisco “strongly recommends.” Systems running version 4.0 should upgrade to 4.0.3.17. Those with version 3.10 should upgrade to version 3.10.8.3, while those still on version 3.9 and earlier should migrate to a newer, fixed release.
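For admins with more than a handful of clusters, the three upgrade rules above are easy to apply inconsistently by hand. The following is an added triage helper, not Cisco’s code: it encodes only what the article reports (4.0 fixed in 4.0.3.17, 3.10 fixed in 3.10.8.3, 3.9 and earlier must migrate, SaaS already patched) and flags any other release train as “unknown” rather than guessing. The hostnames and inventory are constructed, the assumption that later builds on a fixed train retain the fix is noted in the code, and Cisco’s advisory remains the authoritative source.

```python
"""Patch-triage helper for CVE-2026-20223 in Cisco Secure Workload (on-prem).

Added example, not Cisco's code. The fixed-release thresholds come from the
article's summary of the advisory: 4.0 -> 4.0.3.17, 3.10 -> 3.10.8.3, and
3.9 or earlier -> migrate to a fixed release. Treat Cisco's advisory as
authoritative; this script only applies those statements to an inventory.
"""
from __future__ import annotations

import re

# First fixed release per maintained release train (from the article).
FIXED_RELEASES: dict[tuple[int, int], tuple[int, ...]] = {
    (4, 0): (4, 0, 3, 17),
    (3, 10): (3, 10, 8, 3),
}

# Oldest train that still receives a fix; anything below must migrate.
OLDEST_FIXED_TRAIN = (3, 10)


def parse_version(version: str) -> tuple[int, ...]:
    """Parse '3.10.8.3' into (3, 10, 8, 3); reject anything that is not dotted integers."""
    text = version.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(parts: tuple[int, ...], length: int) -> tuple[int, ...]:
    """Right-pad with zeros so '4.0' compares as (4, 0, 0, 0)."""
    return parts + (0,) * (length - len(parts))


def assess(version: str, deployment: str = "on-prem") -> dict[str, str]:
    """Classify one installation against the advisory.

    Returns 'status' (fixed / vulnerable / not_affected / unknown) and an 'action'.
    """
    if deployment.lower() == "saas":
        # Cisco has already patched the hosted service; nothing for the customer to do.
        return {"status": "not_affected", "action": "none: Cisco patched the SaaS service"}

    parts = parse_version(version)
    train = _pad(parts, 2)[:2]

    if train in FIXED_RELEASES:
        fixed = FIXED_RELEASES[train]
        if _pad(parts, len(fixed)) >= fixed:
            # Assumption: later builds on the same train retain the fix.
            return {"status": "fixed", "action": "none"}
        return {"status": "vulnerable", "action": f"upgrade to {'.'.join(map(str, fixed))}"}

    if train < OLDEST_FIXED_TRAIN:
        # 3.9 and earlier get no fix on their own train.
        return {"status": "vulnerable", "action": "migrate to a fixed release (3.10.8.3 or 4.0.3.17)"}

    # A train the article does not mention (e.g. anything newer than 4.0).
    return {"status": "unknown", "action": "not covered here; check Cisco's advisory"}


def triage(inventory: list[dict[str, str]]) -> list[dict[str, str]]:
    """Run assess() over an inventory and attach the verdict to each record."""
    results = []
    for host in inventory:
        verdict = assess(host["version"], host.get("deployment", "on-prem"))
        results.append({**host, **verdict})
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        {"host": "csw-prod-a", "version": "4.0.3.17"},
        {"host": "csw-prod-b", "version": "4.0.2.5"},
        {"host": "csw-lab", "version": "3.10.8.2"},
        {"host": "csw-legacy", "version": "3.9.1.1"},
        {"host": "csw-cloud", "version": "4.0.1.2", "deployment": "saas"},
    ]
    for row in triage(sample):
        print(f"{row['host']:<12} {row['version']:<10} {row['status']:<13} {row['action']}")
```

The “unknown” bucket is deliberate: the article names only the 4.0 and 3.10 trains, so a release outside them should send you to the advisory rather than be silently marked safe.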

The vulnerability affects Secure Workload Cluster Software in both SaaS and on-prem deployments, regardless of device configuration. It is confined to the internal REST APIs and does not affect the web-based management interface. Only on-prem customers need to act, however, since Cisco has already patched the SaaS service.

As of Wednesday, Cisco wasn’t aware of malicious use of the vulnerability.

‘Treat it as an active threat’

The good news, Chagnon said, is that Cisco’s own security team discovered and disclosed this vulnerability, publishing a patch at the same time as the advisory. And, he added, there are no known signs of exploitation in the wild, and no public disclosure preceded Cisco’s own announcement.

While the SaaS version of the platform has already been patched by Cisco, he said, admins running Cisco Secure Workload on-premises shouldn’t treat this as something to be fixed during a routine patch cycle. “Given the nature of this vulnerability, a perfect CVSS score, no authentication required, and no available workarounds, organizations should treat this as they would an active threat,” he said.

This is not the only critical bug that Cisco admins have faced recently, but it’s the highest rated in severity. In April, admins had to replace an identity provider certificate in Webex Control Hub as part of a fix to address a vulnerability rated 9.8 in severity. In January, patches were released to close a critical remote code execution vulnerability in Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. And in December, Cisco warned that a China-linked hacking group was actively exploiting a zero day vulnerability in its Secure Email appliances.
