Skip to main content
CybersecurityVulnerability Management

Cisco Secure Workload Flaw Exposes Site Admin Privileges

IT professionals work in a network operations center with a laptop displaying a blurred REST API endpoint.

CVE-2026-20223 is a maximum-severity vulnerability in Cisco Secure Workload that lets unauthenticated actors gain the privileges of the Site Admin role, Cisco warned in a Wednesday advisory.

How CVE-2026-20223 works

Cisco says the flaw resides in Secure Workload's internal REST APIs and "is due to insufficient validation and authentication when accessing REST API endpoints." An attacker, the company added, "could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint." If successfully exploited, the vulnerability "could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user."

Cisco's remediation: on‑prem patches, SaaS already fixed, no workarounds

The vendor has released software updates to patch the bug for on‑premises customers and says it has already addressed the issue in the cloud‑based Cisco Secure Workload SaaS deployment. Cisco also cautioned that there are no workarounds for the vulnerability. Cisco's Product Security Incident Response Team (PSIRT) reported it "has not found evidence that the vulnerability has been exploited in the wild before publishing this week's advisory."

Recent pattern: other high‑severity Cisco flaws and CISA actions

This advisory arrives amid a string of high‑severity Cisco fixes this month. Earlier in May, Cisco disclosed another maximum‑severity authentication bypass (CVE-2026-20182) affecting its Catalyst SD‑WAN software platform; Cisco said that flaw was being actively exploited as a zero‑day and allowed attackers to gain admin privileges. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20182 to its Known Exploited Vulnerabilities Catalog on May 14 and ordered federal agencies to secure affected devices within three days, by May 17.

Also in early May, Cisco released updates for a denial‑of‑service vulnerability in Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO), noting that recovery from that issue requires manually rebooting targeted systems. Over the past five years, CISA has flagged 91 Cisco vulnerabilities as actively exploited, six of which have been associated with ransomware gangs.

What this means for technologists, federal agencies, and enterprises

  • Technologists and security teams: With no available workarounds, teams running Secure Workload on‑premises must install Cisco's updates to remove the vulnerability; SaaS customers can confirm whether the vendor's cloud mitigation is in place.
  • Federal agencies and regulators: CISA's recent three‑day directive for CVE-2026-20182 underscores the speed at which agencies may be asked to act when active exploitation is observed — a precedent that shapes expectations for response times to other high‑severity Cisco flaws.
  • Affected enterprises and procurement leaders: The proximity of multiple high‑severity fixes in a short window — including an actively exploited SD‑WAN zero‑day and a DoS issue requiring reboots — highlights the operational impacts of emergency patching and the value of tracking whether deployments are on‑prem or SaaS.

Conclusion

Cisco's disclosure of CVE-2026-20223 describes a straightforward but dangerous failure of API authentication that can yield Site Admin privileges and cross‑tenant impact. The vendor has patched on‑premises deployments and fixed its SaaS offering, and PSIRT reports no known in‑the‑wild exploitation to date. Still, recent active exploitation of CVE-2026-20182 and CISA's rapid enforcement steps earlier this month provide a reminder: when maximum‑severity authentication bypasses are in play, rapid patching and operational readiness matter.

Original reporting: https://www.bleepingcomputer.com/news/security/cisco-max-severity-secure-workload-flaw-gives-hackers-site-admin-privileges/