HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Cisco Secure Workload API Flaw (CVE‑2026‑20223) Enables Unauthenticated Site‑Admin Takeover

Cisco Secure Workload (formerly Tetration) contains a max‑severity REST‑API vulnerability (CVE‑2026‑20223) that lets unauthenticated actors gain Site Admin privileges, potentially compromising micro‑segmentation policies across tenants. Patches are available for on‑prem and SaaS deployments; no evidence of active exploitation has been observed.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Critical Cisco Secure Workload API Flaw (CVE‑2026‑20223) Grants Unauthenticated Site‑Admin Privileges

What Happened — Cisco disclosed a maximum‑severity vulnerability (CVE‑2026‑20223) in the internal REST APIs of Cisco Secure Workload (formerly Tetration). The flaw allows an unauthenticated attacker to issue crafted API calls and obtain Site Admin rights, enabling read of sensitive data and configuration changes across tenant boundaries. Cisco has released patches for on‑premise versions (3.10.8.3, 4.0.3.17) and already applied a fix to the SaaS offering; no evidence of exploitation in the wild has been found.

Why It Matters for TPRM

  • A compromised Site Admin can re‑configure micro‑segmentation policies, potentially exposing downstream third‑party services.
  • The vulnerability affects both on‑prem and cloud deployments, increasing supply‑chain risk for any organization that relies on Cisco Secure Workload to enforce zero‑trust controls.
  • Lack of a workaround forces immediate patching; delayed remediation may leave critical network segmentation controls ineffective.

Who Is Affected — Enterprises across all sectors that have deployed Cisco Secure Workload for network segmentation, including technology, finance, healthcare, and government.

Recommended Actions

  • Verify current Secure Workload version; upgrade to the fixed releases (≥ 3.10.8.3 or 4.0.3.17).
  • Conduct a focused audit of API authentication logs for any anomalous activity prior to patching.
  • Re‑evaluate segmentation policies to ensure they are not solely dependent on the compromised API.
  • Update third‑party risk registers to reflect the temporary elevation of risk until patches are confirmed.

Technical Notes — The flaw resides in insufficient validation/authentication of internal REST API endpoints, enabling unauthenticated access to Site Admin functions. No public exploit code is known; the vulnerability is classified as CVE‑2026‑20223 with a CVSS v3.1 base score of 9.8 (Critical). Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/cisco-max-severity-secure-workload-flaw-gives-hackers-site-admin-privileges/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →