Cisco Patches Four Bugs: CVSS 10.0 Secure Workload Flaw Headlines Mixed Batch
Cisco disclosed four vulnerabilities on May 20, 2026, led by a maximum-severity REST API flaw in Secure Workload (CVE-2026-20223, CVSS 10.0) alongside medium-severity bugs in ThousandEyes and Nexus switches.

Key findings
- CVE-2026-20223 is a CVSS 10.0 unauthenticated REST API flaw in Cisco Secure Workload granting Site Admin privileges
- Two medium-severity bugs affect ThousandEyes: command execution via BrowserBot (CVE-2026-20206) and root-level command injection via SSL cert handling (CVE-2026-20199)
- CVE-2026-20171 in Nexus 3000/9000 series BGP enforce-first-as can trigger DoS via BGP peer flaps
- No in-the-wild exploitation reported for any of the four CVEs as of May 20, 2026
- Secure Workload flaw affects both SaaS and on-prem deployments with no configuration-based mitigations

Cisco released advisories on May 20, 2026, for four vulnerabilities spanning three product lines — Secure Workload, ThousandEyes, and Nexus switches — headlined by a rare CVSS 10.0 flaw that lets unauthenticated attackers gain Site Admin privileges in Cisco Secure Workload.
The most urgent of the batch is **CVE-2026-20223** (CVSS 10.0, Critical), a vulnerability in the access validation of internal REST APIs in Cisco Secure Workload (formerly Cisco Tetration). The flaw affects both SaaS and on-prem deployments of Secure Workload Cluster Software, regardless of device configuration. According to Cisco's advisory, the issue stems from insufficient validation and authentication when accessing REST API endpoints. An unauthenticated, remote attacker can send a crafted API request to an affected endpoint and read sensitive information or make configuration changes across tenant boundaries with the privileges of the Site Admin role. No credentials, user interaction, or special access is required. The vulnerability was widely covered by BleepingComputer, SecurityWeek, The Hacker News, and The Register, with multiple outlets describing it as yet another "perfect 10" bug in Cisco's portfolio. No in-the-wild exploitation has been publicly reported as of the disclosure date.
Two medium-severity vulnerabilities were disclosed in the Cisco ThousandEyes product line. **CVE-2026-20206** (CVSS 6.3, Medium) affects the BrowserBot component of the Cisco ThousandEyes Enterprise Agent. An authenticated, remote attacker could exploit this flaw to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed the vulnerability in the ThousandEyes Enterprise Agent, and users should ensure they are running the latest version.
**CVE-2026-20199** (CVSS 4.7, Medium) affects the SSL certificate handling of the Cisco ThousandEyes Virtual Appliance. An authenticated, remote attacker could exploit insufficient validation of user-supplied input to execute commands on the underlying operating system as the root user. While the CVSS score is lower, the root-level command execution potential makes this a significant concern for organizations running the virtual appliance in sensitive environments.
The fourth vulnerability, **CVE-2026-20171** (CVSS 6.8, Medium), resides in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode. An unauthenticated, remote attacker can trigger BGP peer flaps, resulting in a denial of service (DoS) condition. Given the critical role Nexus switches play in data center fabric architectures, BGP peering disruptions could have cascading effects on network stability.
Cisco has released software updates addressing all four vulnerabilities. For CVE-2026-20223, the Secure Workload fix is available through Cisco's standard software update channels. ThousandEyes fixes are delivered through the ThousandEyes platform's automatic update mechanism. Nexus switch administrators should consult Cisco's advisory for the specific NX-OS release that patches CVE-2026-20171. No workarounds were published for any of the four CVEs at the time of disclosure.
This batch is notable for its diversity: rather than hitting a single product line, it spans a zero-authentication critical API flaw, authenticated command injection in monitoring agents, and a BGP DoS in data-center switching. Secure Workload administrators should treat CVE-2026-20223 as an immediate priority given its maximum CVSS score and lack of authentication requirements, while ThousandEyes and Nexus teams should schedule patching according to their operational risk posture.