Cisco has released security updates to address a maximum-severity Secure Workload vulnerability that allows attackers to gain Site Admin privileges.
Formerly known as Cisco Tetration, Cisco Secure Workload helps admins reduce their network’s attack surface through zero trust microsegmentation and stop lateral movement to keep business applications safe.
Tracked as CVE-2026-20223, the security flaw was found in Secure Workload’s internal REST APIs, and it enables unauthenticated attackers to access resources with the privileges of the Site Admin role.
“This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint,” Cisco explained in a Wednesday advisory.
“A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.”
Cisco says there are no workarounds for this security flaw, has released software updates to patch it for on-premises customers, and has already addressed it in the cloud-based Cisco Secure Workload SaaS deployment.
| Cisco Secure Workload Release | First Fixed Release |
|---|---|
| 3.9 and earlier | Migrate to a fixed release. |
| 3.10 | 3.10.8.3 |
| 4.0 | 4.0.3.17 |
The company also added that its Product Security Incident Response Team (PSIRT) has not found evidence that the vulnerability has been exploited in the wild before publishing this week’s advisory.
Earlier this month, Cisco warned that another maximum severity authentication bypass vulnerability (CVE-2026-20182) affecting its Catalyst SD-WAN software-based networking platform was being actively exploited as a zero-day, allowing attackers to gain admin privileges.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2026-20182 flaw to its Known Exploited Vulnerabilities Catalog on May 14 and ordered federal agencies to secure affected devices within three days, by May 17.
In early May, Cisco also released security updates for a denial-of-service (DoS) vulnerability in Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO), which requires manually rebooting targeted systems to recover.
Over the past five years, CISA has flagged 91 Cisco vulnerabilities as actively exploited, six of which have been used by various ransomware gangs.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
