Cisco Discloses CVSS 10.0 Unauthenticated Admin Takeover Bug in Secure Workload Platform
Cisco has disclosed CVE-2026-20223, a CVSS 10.0 vulnerability in Secure Workload Cluster Software that lets unauthenticated attackers gain Site Admin privileges via crafted API requests.
Cisco dropped another perfect-10 security bomb this week, warning that unauthenticated attackers can seize full Site Admin control of its Secure Workload platform simply by sending specially crafted API requests. The vulnerability, tracked as CVE-2026-20223, carries the maximum CVSS 4.0 base score of 10.0 and affects both the cloud-hosted SaaS and on-premises versions of Cisco Secure Workload Cluster Software.
The flaw exists in internal REST API endpoints that lack proper validation and authentication checks. Cisco's advisory explains that an attacker can send a malicious API request to an internal REST endpoint and, without needing credentials, user interaction, or any prior access, elevate their privileges to Site Admin. Once in that role, the attacker can read sensitive tenant data and make configuration changes across tenant boundaries — a cross-tenant access scenario that undermines the core isolation promise of multi-tenant cloud infrastructure.
Cisco Secure Workload is a network security and analytics platform used to enforce micro-segmentation, monitor traffic, and detect threats across hybrid cloud environments. It is deployed by large enterprises and service providers to manage workload security policies. The vulnerability's cross-tenant nature means that a breach in one customer segment could leak into another, making it particularly dangerous for organizations operating in shared infrastructure models.
The company has confirmed that there are no workarounds. Customers must upgrade to fixed versions: Secure Workload version 3.10 must be updated to 3.10.8.3, and version 4.0 to 4.0.3.17. Those running version 3.9 or earlier are advised to migrate to a supported release. Cisco's SaaS-hosted deployments have already been patched automatically, requiring no customer action.
Cisco stated it discovered the vulnerability during internal security testing and that it is not aware of any active exploitation in the wild. However, flaws carrying a perfect 10 CVSS score that require no authentication and no user interaction often attract rapid attention from threat actors. The disclosure comes less than a week after Cisco patched another maximum-severity flaw affecting SD-WAN systems that similarly allowed privilege escalation to admin level.
The pattern is becoming uncomfortable for Cisco: a steady drumbeat of 9.8-plus vulnerabilities across its product portfolio, spanning firewalls, management platforms, identity systems, and now workload security. Each new 10.0 advisory erodes confidence in the company's secure-by-default posture. For organizations running Cisco Secure Workload — especially in multi-tenant environments — the upgrade window just closed to zero.
Cisco has now released patches for CVE-2026-20223, confirming the fix is included in Secure Workload versions 3.10.8.3 and 4.0.3.17. The advisory also notes that the vulnerability affects both SaaS and on-premises deployments, though no in-the-wild exploitation has been observed. Alongside this critical fix, Cisco addressed three medium-severity bugs in ThousandEyes and Nexus switches that could enable remote code execution or denial-of-service conditions.