Skip to main content
Emerging Threats

Cisco Exposes New Zero-Auth Vulnerability in Secure Workload Platform

Server rack in a data center with exposed vulnerabilities under ambient light.

"read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user." — Cisco

CVE-2026-20223: what the flaw is and how it works

Cisco has assigned a full 10.0 CVSS score to a vulnerability in its Secure Workload platform tracked as CVE-2026-20223. According to Cisco's advisory, the root cause is weak validation and authentication checks in internal REST API endpoints. The company said attackers can exploit the flaw without credentials, user interaction, or significant effort. Cisco warned a successful attack could let remote actors read sensitive information and make configuration changes across tenant boundaries while operating with the privileges of the Site Admin user.

Affected products, fixed releases, and deployment status

The vulnerability affects Cisco Secure Workload Cluster Software in both SaaS and on-premises deployments. Cisco listed fixed builds: Secure Workload 3.10 is fixed in version 3.10.8.3, and 4.0 is fixed in 4.0.3.17. Customers running version 3.9 or earlier were advised to migrate to a supported fixed release. Cisco also said its cloud-hosted SaaS deployments have already been patched and require no customer action. The vendor stated there are currently no workarounds and that customers must install the fixed releases to fully remediate the issue.

Why internal REST API flaws and cross-tenant impact matter

Cisco's advisory emphasized the issue affects internal REST APIs rather than the platform's web management interface. The Register noted the distinction is unlikely to comfort administrators given the 10.0 severity score. Cross-tenant vulnerabilities are particularly consequential for cloud customers because they violate the core assumption of multi-tenant infrastructure: that another tenant's compromise should not become your problem. The advisories make clear this bug could span tenant boundaries while granting Site Admin privileges.

Detection, exploitation status, and provenance of the report

Cisco said the flaw was discovered during internal security testing and that it is not aware of active exploitation. The Register’s coverage highlighted that vulnerabilities carrying a 10.0 score and requiring no authentication "rarely stay quiet for long." The disclosure comes less than a week after Cisco published another maximum severity advisory for an SD‑WAN issue that could allow attackers to grant themselves administrator privileges, continuing a recent run of high-severity infrastructure advisories.

What this means for cloud customers, security teams, and procurement leaders

  • Cloud customers: SaaS customers running Cisco's cloud-hosted Secure Workload need not act—the vendor said those deployments are already patched. On-premises tenants should verify their Secure Workload version and schedule upgrades to the fixed releases (3.10.8.3 or 4.0.3.17) or migrate from unsupported 3.9 or earlier builds.
  • Security teams and administrators: Because Cisco reported no available workaround, remediation requires installing the fixed releases. Teams must treat this as high-priority given the lack of authentication required to exploit the vulnerability and its potential for cross-tenant impact.
  • Procurement and risk officers: The disclosure follows another near-concurrent maximum-severity advisory and part of a string of 9.8-plus infrastructure flaws Cisco has disclosed over the past year across firewalls, management platforms, identity systems, and enterprise networking gear, a pattern The Register described as frequent 10.0 advisories rather than rare events.

Customers and defenders are left with a narrow path: verify whether their environment is SaaS (already patched) or on-premises, identify running Secure Workload versions, and apply the fixed releases Cisco published. Cisco reported internal discovery and no known active exploitation, but the combination of no-auth exploitability and a 10.0 score makes rapid remediation the practical imperative.

Original story (The Register)