A critical vulnerability has been identified in the Cisco Secure Workload security platform’s on-premises version, rated at maximum severity. This flaw allows an unauthenticated threat actor to gain site admin privileges, potentially enabling them to compromise endpoints and read or modify sensitive configuration data. The urgency of addressing this vulnerability is emphasized by consultant Robert Enderle, who warns that if an attacker controls this platform, they effectively have access to the entire network’s security policies.
Fred Chagnon from Info-Tech Research Group highlights that an attacker could easily modify or dismantle security policies, thereby reopening doors that were deliberately designed to be closed. The impact could be particularly severe in a multi-tenant environment, where multiple business units or customers could have their data exposed or compromised.
Cisco has assigned this vulnerability, identified as CVE-2026-20223, the maximum CVSS score of 10.0 because it lets an unauthenticated, remote attacker bypass authentication entirely. By sending a specific HTTP request to an internal REST API endpoint, an attacker can immediately obtain site admin rights.
The root cause lies in insufficient validation and authentication checks on requests to REST API endpoints. Cisco has indicated that there are no workarounds and has strongly advised users to install the required software updates. Those using version 4.0 should upgrade to 4.0.3.17, those on version 3.10 should move to 3.10.8.3, and users on version 3.9 or earlier need to migrate to a fixed release.
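The upgrade guidance above maps each release train to a specific fixed build, which is easy to misapply across a fleet of on-premises clusters. The following script, an added example that is not Cisco's code or part of the article, turns that guidance into a check that can be run over an inventory of version strings. It assumes dotted numeric version strings of the form seen in the advisory, treats 3.9 and anything earlier as "migrate", and flags any train the advisory does not name (for instance a hypothetical 4.1) as unknown rather than guessing; the sample inventory at the bottom is constructed.

```python
"""Classify Cisco Secure Workload cluster versions against the CVE-2026-20223 fixed releases.

Added example; fixed-release numbers come from the advisory as reported,
everything else (version-string format, 'unknown' handling, sample data) is an assumption.
"""
from typing import Dict, List, Tuple

# Fixed builds per release train, as stated in the advisory summary.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (4, 0): (4, 0, 3, 17),
    (3, 10): (3, 10, 8, 3),
}

# Assumption: trains at or below this one have no fixed build and must be migrated.
MIGRATE_BOUNDARY: Tuple[int, int] = (3, 9)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a tuple of ints; reject anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> Dict[str, str]:
    """Return status ('fixed', 'vulnerable', 'unknown') and the required action."""
    v = parse_version(version)
    train = (v[0], v[1])

    if train in FIXED_RELEASES:
        fixed = FIXED_RELEASES[train]
        # Pad short strings like '4.0.3' so they compare as '4.0.3.0'.
        padded = v + (0,) * max(0, len(fixed) - len(v))
        if padded >= fixed:
            return {"version": version, "status": "fixed", "action": "none"}
        return {
            "version": version,
            "status": "vulnerable",
            "action": "upgrade to " + ".".join(str(n) for n in fixed),
        }

    if train <= MIGRATE_BOUNDARY:
        return {"version": version, "status": "vulnerable",
                "action": "migrate to a fixed release"}

    # A train the advisory did not name: do not assume it is safe.
    return {"version": version, "status": "unknown",
            "action": "consult the Cisco advisory for this release train"}


def find_exposed(inventory: Dict[str, str]) -> List[str]:
    """Given {cluster_name: version}, return clusters that still need action."""
    return sorted(name for name, ver in inventory.items()
                  if assess(ver)["status"] != "fixed")


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are made up.
    sample = {
        "sw-prod-east": "4.0.3.17",
        "sw-prod-west": "4.0.2.5",
        "sw-lab": "3.10.7.1",
        "sw-legacy": "3.8.1.4",
        "sw-pilot": "4.1.0.2",
    }
    for name, ver in sample.items():
        print(name, assess(ver))
    print("needs action:", find_exposed(sample))
```

The tuple comparison handles version strings of unequal length (a bare `4.0.4` counts as at or above `4.0.3.17`), and anything that does not parse raises instead of silently passing, which is the behaviour you want when the input comes from an inventory export.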
This issue affects the Secure Workload Cluster Software in both SaaS and on-premises deployments across all device configurations, but only impacts internal REST APIs, leaving the web-based management interface unaffected. Customers utilizing the SaaS version have already received the necessary patch.
Currently, there are no reports of malicious exploitation of this vulnerability. Nonetheless, Chagnon advises that organizations should treat this situation with utmost seriousness and apply the fix immediately, rather than waiting for the next routine patch cycle. Given the critical score of this vulnerability and the complete lack of necessary authentication measures, it should be treated as an active threat.
This isn’t the only recent vulnerability faced by Cisco admins, but it is marked as the highest in severity. Other recent critical vulnerabilities included issues in Webex Control Hub and various applications such as Unified Communications Manager and Secure Email appliances.