Full Report
Cisco has released security updates to address a maximum-severity vulnerability in Secure Workload that allows attackers to gain Site Admin privileges. [...]
Analysis Summary
# Vulnerability: Cisco Secure Workload Unauthenticated REST API Access
## CVE Details
- **CVE ID:** CVE-2026-20223
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Insufficient validation and authentication for REST API endpoints.
## Affected Systems
- **Products:** Cisco Secure Workload (formerly Cisco Tetration)
- **Versions:**
  - 3.9 and earlier
  - 3.10
  - 4.0
- **Configurations:** Appears to affect both on-premises and SaaS deployments.
## Vulnerability Description
The vulnerability exists within the internal REST APIs of Cisco Secure Workload. It stems from insufficient validation and authentication mechanisms when accessing specific API endpoints. An unauthenticated attacker can exploit this by sending a specially crafted API request to a vulnerable endpoint, granting them the ability to perform actions with the high-level privileges of a Site Admin.
## Exploitation
- **Status:** Not exploited (no evidence of exploitation in the wild as of the advisory release).
- **Complexity:** Low (Requires sending a crafted API request).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Ability to read sensitive information across tenant boundaries).
- **Integrity:** High (Ability to make configuration changes across tenant boundaries).
- **Availability:** High (Potential to disrupt services through unauthorized configuration changes).
## Remediation
### Patches
Cisco has released the following updates to address this vulnerability:
| Affected Release | First Fixed Release |
| :--- | :--- |
| **3.9 and earlier** | Migrate to a fixed release (3.10.8.3 or 4.0.3.17) |
| **3.10** | 3.10.8.3 |
| **4.0** | 4.0.3.17 |
**Note for SaaS Customers:** Cisco has already addressed this vulnerability in the cloud-based Cisco Secure Workload SaaS deployment; no action is required for SaaS users.
### Workarounds
- There are no workarounds available for this security flaw.
## Detection
- **Indicators of compromise:** Administrators should review audit logs for unauthorized configuration changes or unusual API requests originating from unauthenticated sources.
- **Detection methods and tools:** Monitor network traffic for unusual POST/GET requests directed at internal REST API endpoints of the Secure Workload instance.
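The audit-log review described above, as an added example that is not part of the original report or any Cisco tooling: it scans constructed access-log lines and flags REST API requests that succeeded without an authenticated user, which is the pattern an authentication bypass of this kind would leave. The log format, the `/api/` path prefix and every address and path in the sample are assumptions; substitute the real paths and log layout of your deployment.

```python
import re
from collections import Counter

# Assumed log layout: combined access log with an authenticated-user field
# ("-" when the request carried no valid session or API credential).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
API_PREFIX = "/api/"                       # placeholder for the internal REST API paths
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample lines; not taken from any real Secure Workload instance.
SAMPLE_LOG = """\
10.0.0.5 - admin1 [12/Feb/2026:10:01:02 +0000] "GET /api/v1/scopes HTTP/1.1" 200 512
10.0.0.9 - - [12/Feb/2026:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024
198.51.100.7 - - [12/Feb/2026:10:02:17 +0000] "POST /api/v1/roles HTTP/1.1" 200 87
198.51.100.7 - - [12/Feb/2026:10:02:18 +0000] "PUT /api/v1/users/42 HTTP/1.1" 200 64
10.0.0.5 - admin1 [12/Feb/2026:10:03:00 +0000] "POST /api/v1/policies HTTP/1.1" 201 90
198.51.100.7 - - [12/Feb/2026:10:03:30 +0000] "GET /api/v1/sensors HTTP/1.1" 401 0
"""

def find_suspicious(log_text):
    """Return API requests that got a 2xx response with no authenticated user.
    A 401/403 is the expected outcome for an unauthenticated caller, so only
    successful requests point at authentication having been bypassed; write
    methods are labelled separately because they map to the configuration
    changes the advisory warns about."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(API_PREFIX):
            continue
        if m["user"] != "-" or not m["status"].startswith("2"):
            continue
        rec = m.groupdict()
        rec["reason"] = ("unauthenticated configuration change"
                         if rec["method"] in WRITE_METHODS
                         else "unauthenticated API read")
        findings.append(rec)
    return findings

def sources(findings):
    """Count flagged requests per source address for triage."""
    return Counter(f["ip"] for f in findings)

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["method"]} {f["path"]} -> {f["reason"]}')
```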
## References
- **Vendor Advisory:** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy
- **NVD Detail:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-20223
- **BleepingComputer Report:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/cisco-max-severity-secure-workload-flaw-gives-hackers-site-admin-privileges/