Critical Remote Code Execution in Cisco Secure Workload (CVE‑2026‑20223) Enables Site‑Admin Takeover
What It Is – Cisco Secure Workload (formerly Tetration) contained a critical flaw (CVE‑2026‑20223) in its internal REST API validation. The vulnerability allows an unauthenticated remote attacker to issue crafted API calls and obtain Site‑Admin privileges, granting full read/write control over tenant resources.
Exploitability – The vulnerability scores a perfect CVSS 10.0. Cisco’s PSIRT reports no known active exploitation, but a public PoC exists and the attack surface (any reachable API endpoint) is trivial to weaponize.
Affected Products – Cisco Secure Workload SaaS and on‑premises Cluster Software (versions 3.10.8.3 and 4.0.3.17 are patched). The issue is limited to internal REST API endpoints; the web UI is unaffected.
TPRM Impact – A compromised third‑party workload security platform can be leveraged to pivot across an organization’s container and micro‑service environments, exposing configuration secrets, data flows, and potentially enabling supply‑chain attacks on downstream services.
Recommended Actions –
- Verify current Secure Workload version; upgrade immediately to 3.10.8.3 or 4.0.3.17 (or later).
- Conduct a post‑patch validation: confirm API endpoints reject unauthenticated requests and that no new admin accounts exist.
- Restrict network access to the internal API (e.g., zero‑trust segmentation, mutual TLS).
- Review audit logs for any anomalous API activity dating back to the last patch cycle.
- Incorporate Secure Workload version checks into your third‑party risk monitoring program.
Source: SecurityAffairs – Cisco fixed maximum severity flaw CVE‑2026‑20223 in Secure Workload