{"id":8230,"date":"2026-05-21T22:39:20","date_gmt":"2026-05-21T22:39:20","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8230"},"modified":"2026-05-21T22:39:20","modified_gmt":"2026-05-21T22:39:20","slug":"critical-vulnerability-in-cisco-secure-workload-rated-at-maximum-severity","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8230","title":{"rendered":"Critical vulnerability in Cisco Secure Workload rated at maximum severity"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A critical vulnerability in the on-premises version of the Cisco Secure Workload security platform could allow a threat actor to obtain the privileges of a site admin, enabling them to compromise endpoints and read or modify configuration data.<\/p>\n<p>\u201cCSOs need to drop what they are doing and patch this immediately,\u201d warned consultant <a href=\"https:\/\/www.linkedin.com\/in\/rob-enderle-03729\/\" target=\"_blank\" rel=\"noopener\">Robert Enderle<\/a>, who heads the Enderle Group. \u201cCisco Secure Workload manages zero trust, micro-segmentation, and enterprise-wide network visibility. If an attacker controls the platform that dictates your security policies, they effectively own the map and the keys to your entire network kingdom.\u201d<\/p>\n<p>\u201cThis is the absolute worst-case scenario,\u201d he added. \u201cBecause of how vital this platform is to large enterprises, threat actors will be aggressively scanning for unpatched API endpoints to exploit.\u201d<\/p>\n<p>The urgency of addressing this immediately was echoed by <a href=\"https:\/\/www.infotech.com\/profiles\/fred-chagnon\" target=\"_blank\" rel=\"noopener\">Fred Chagnon<\/a>, principal research director at Info-Tech Research Group. 
An attacker could modify or dismantle an enterprise\u2019s security policies, he pointed out, effectively opening doors within the environment that were deliberately closed.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Blast radius could be significant\u2019<\/h2>\n<p>\u201cBecause this access operates at the site admin level and crosses tenant boundaries,\u201d he added, \u201cthe blast radius in a multi-tenant deployment could be significant, potentially exposing or compromising workloads and data belonging to multiple business units or customers.\u201d<\/p>\n<p>Cisco assigned this flaw (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-20223\" target=\"_blank\" rel=\"noopener\">CVE-2026-20223<\/a>) a maximum CVSS score of 10.0 because it allows an unauthenticated, remote attacker to bypass authentication entirely. By sending a crafted HTTP request to an internal REST API endpoint, the threat actor instantly gains site admin privileges.<\/p>\n<p><a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-csw-pnbsa-g8WEnuy\" target=\"_blank\" rel=\"noopener\">In its advisory<\/a>, Cisco says this hole is due to insufficient validation and authentication when accessing REST API endpoints.\u00a0<\/p>\n<p>There are no workarounds; the only solution is to install software updates to address this vulnerability, which Cisco \u201cstrongly recommends.\u201d Systems running version 4.0 should upgrade to 4.0.3.17. Those with version 3.10 should upgrade to version 3.10.8.3, while those still on version 3.9 and earlier should migrate to a newer, fixed release.<\/p>\n<p>The vulnerability affects Secure Workload Cluster Software in both SaaS and on-prem deployments, regardless of device configuration, but only affects internal REST APIs, and doesn\u2019t impact the web-based management interface. 
However, only those using the on-prem version need to act; Cisco has already patched the SaaS product.<\/p>\n<p>As of Wednesday, Cisco wasn\u2019t aware of malicious use of the vulnerability.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Treat it as an active threat\u2019<\/h2>\n<p>The good news, Chagnon said, is that Cisco\u2019s own security team discovered and disclosed this vulnerability, publishing a patch at the same time as the advisory. And, he added, there are no known signs of exploitation in the wild, and no public disclosure preceded Cisco\u2019s own announcement.<\/p>\n<p>While the SaaS version of the platform has already been patched by Cisco, he said, admins running Cisco Secure Workload on-premises shouldn\u2019t treat this as something to be fixed during a routine patch cycle. \u201cGiven the nature of this vulnerability, a perfect CVSS score, no authentication required, and no available workarounds, organizations should treat this as they would an active threat,\u201d he said.<\/p>\n<p>This is not the only critical bug that Cisco admins have faced recently, but it\u2019s the highest rated in severity. In April, admins had to <a href=\"https:\/\/www.csoonline.com\/article\/4159827\/cisco-systems-issues-three-advisories-for-critical-vulnerabilities-in-webex-ise.html\" target=\"_blank\" rel=\"noopener\">replace an identity provider certificate<\/a> in Webex Control Hub as part of a fix to address a vulnerability rated 9.8 in severity. In January, patches were released to close <a href=\"https:\/\/www.csoonline.com\/article\/4120613\/actively-exploited-cisco-uc-bug-requires-immediate-version%E2%80%91specific-patching.html\" target=\"_blank\" rel=\"noopener\">a critical remote code execution vulnerability<\/a> in Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. 
And in December, Cisco warned that a China-linked hacking group was <a href=\"https:\/\/www.csoonline.com\/article\/4108496\/cisco-confirms-zero-day-exploitation-of-secure-email-products.html\" target=\"_blank\" rel=\"noopener\">actively exploiting a zero-day vulnerability<\/a> in its Secure Email appliances.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability in the on-premises version of the Cisco Secure Workload security platform could allow a threat actor to obtain the privileges of a site admin, enabling them to compromise endpoints and read or modify configuration data. \u201cCSOs need to drop what they are doing and patch this immediately,\u201d warned consultant Robert Enderle, who [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8231,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8230","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8230"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8230"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8230\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8231"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}