HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Remote Code Execution in Cisco Secure Workload (CVE‑2026‑20223) Enables Site‑Admin Takeover

Cisco Secure Workload contains a CVSS 10.0 API validation flaw (CVE‑2026‑20223) that lets unauthenticated attackers gain Site‑Admin rights. The issue affects both SaaS and on‑prem deployments, posing a severe supply‑chain risk for organizations that rely on Cisco’s workload security platform.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Critical Remote Code Execution in Cisco Secure Workload (CVE‑2026‑20223) Enables Site‑Admin Takeover

What It Is – Cisco Secure Workload (formerly Tetration) contained a critical flaw (CVE‑2026‑20223) in its internal REST API validation. The vulnerability allows an unauthenticated remote attacker to issue crafted API calls and obtain Site‑Admin privileges, granting full read/write control over tenant resources.

Exploitability – The vulnerability scores a perfect CVSS 10.0. Cisco’s PSIRT reports no known active exploitation, but a public PoC exists and the attack surface (any reachable API endpoint) is trivial to weaponize.

Affected Products – Cisco Secure Workload SaaS and on‑premises Cluster Software (versions 3.10.8.3 and 4.0.3.17 are patched). The issue is limited to internal REST API endpoints; the web UI is unaffected.

TPRM Impact – A compromised third‑party workload security platform can be leveraged to pivot across an organization’s container and micro‑service environments, exposing configuration secrets, data flows, and potentially enabling supply‑chain attacks on downstream services.

Recommended Actions

  • Verify current Secure Workload version; upgrade immediately to 3.10.8.3 or 4.0.3.17 (or later).
  • Conduct a post‑patch validation: confirm API endpoints reject unauthenticated requests and that no new admin accounts exist.
  • Restrict network access to the internal API (e.g., zero‑trust segmentation, mutual TLS).
  • Review audit logs for any anomalous API activity dating back to the last patch cycle.
  • Incorporate Secure Workload version checks into your third‑party risk monitoring program.

Source: SecurityAffairs – Cisco fixed maximum severity flaw CVE‑2026‑20223 in Secure Workload

📰 Original Source
https://securityaffairs.com/192473/security/cisco-fixed-maximum-severity-flaw-cve-2026-20223-in-secure-workload.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →