Full Report
Switchzilla says attackers could access sensitive data and make configuration changes across tenant boundaries through vulnerable internal APIs
Analysis Summary
# Vulnerability: Cisco Secure Workload Administrative Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-20223
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Not specified in the source (typically related to Improper Authentication or Broken Access Control)
## Affected Systems
- **Products:** Cisco Secure Workload Cluster Software (On-premises and SaaS)
- **Versions:**
- Version 3.10 and earlier
- Version 4.0
- **Configurations:** Systems running internal REST APIs without the specific security patches.
## Vulnerability Description
The vulnerability exists due to insufficient validation and authentication checks within internal REST API endpoints of the Cisco Secure Workload platform. Unlike flaws in a web management interface, this issue resides in the underlying API layer, allowing an attacker to bypass standard authentication mechanisms.
## Exploitation
- **Status:** Not aware of active exploitation; discovered during internal security testing. No public PoC mentioned.
- **Complexity:** Low (Requires no credentials or user interaction).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Ability to read sensitive data across tenant boundaries).
- **Integrity:** High (Ability to make configuration changes with Site Admin privileges).
- **Availability:** High (Potential for unauthorized administrative configuration changes).
## Remediation
### Patches
Cisco has released updates to address this vulnerability. Customers are advised to upgrade to the following versions:
- **For 3.10 users:** Upgrade to **3.10.8.3** or later.
- **For 4.0 users:** Upgrade to **4.0.3.17** or later.
- **Legacy versions (3.9 and earlier):** No patch available; customers must migrate to a supported fixed release.
- **SaaS Deployments:** Cisco-hosted environments have been patched automatically; no customer action is required.
### Workarounds
- **None:** There are no known workarounds for this vulnerability. Installation of the software update is the only remediation.
## Detection
- **Indicators of Compromise:** Monitor logs for unusual or unauthorized administrative API requests, particularly those originating from unexpected sources or accessing resources across different tenant IDs.
- **Detection Methods:** Audit Site Admin configuration changes and data access logs for inconsistencies.
## References
- **Vendor Advisory:** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-20223