INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Cisco Patch Fixes CVSS 10.0 Flaw in Secure Workload
2026-05-22 05:36 | CRITICAL | HIGH
Executive Summary AI-generated
The vulnerability, dubbed Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access, has been identified in the latest versions of Cisco's Secure Workload software. This issue arises from insufficient validation and authentication when accessing REST API endpoints, allowing an unauthenticated attacker to access sensitive data with elevated privileges. The vulnerability was first reported on May 22, 2026, by a threat actor known as UAT-8616, who exploited it just one week after Cisco revealed another maximum-severity authentication bypass flaw in its Catalyst SD-WAN Controller. This latest disclosure highlights the importance of timely software updates to prevent exploitation and maintain network security.
Technical Mitigations AI-generated
* Implement robust authentication and authorization mechanisms: Ensure that all users, including Site Admins, have strong passwords and multi-factor authentication enabled to prevent unauthorized access.
* Validate API requests thoroughly: Implement a validation mechanism for REST API endpoints to ensure that only authorized requests are allowed. This can include checking user permissions, IP addresses, or other factors before granting access.
* Use secure communication protocols (e.g., HTTPS): Ensure that all communications between the client and server use secure protocols like HTTPS to prevent eavesdropping and tampering with sensitive data.
* Regularly update software and firmware: Keep Cisco Secure Workload Cluster Software up-to-date with the latest security patches, including CVSS scores of 10.0 or higher, to ensure that known vulnerabilities are addressed before they can be exploited by attackers.
Note: These mitigations may not completely prevent exploitation of a specific vulnerability like CVE-2026-20182, but rather help reduce its likelihood and impact.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20223
CVE-2026-20182
Target & Sectors
Global Scope
Incident Timeline
May 14
Threat actors exploited the Cisco Secure Workload flaw CVE-2026-00123 to gain Site Admin privileges.
vulnerability
CVE-2026-20182
attribution
Known Exploited
tactic
T1588.006 - Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2026-20182 flaw to its Known Exploited Vulnerabilities Catalog on May 14 and ordered federal agencies to secure affected devices within three days, by May 17.
May 17
Threat actors exploited the Cisco Secure Workload flaw CVE-2026-00123 to gain Site Admin privileges.
vulnerability
CVE-2026-20182
attribution
Known Exploited
tactic
T1588.006 - Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2026-20182 flaw to its Known Exploited Vulnerabilities Catalog on May 14 and ordered federal agencies to secure affected devices within three days, by May 17.
May 22, 2026
Threat actors exploited a vulnerability in Cisco Secure Workload to gain unauthorized access to sensitive data.
organisation
Vulnerability / Network Security
Ravie Lakshmanan
May 22, 2026
Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data.
2026/05/22
Cisco fixed a critical Secure Workload flaw (CVE-2026-20223) that could let attackers gain Site Admin privileges through crafted API requests.
organisation
API Flaw Enabling Data Access
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access.
infrastructure
10.0
Cisco released patches for a critical vulnerability, tracked as CVE-2026-20223 (CVSS score of 10.0), in Secure Workload.
organisation
Secure Workload's
Tracked as CVE-2026-20223, the security flaw was found in Secure Workload's internal REST APIs, and it enables unauthenticated attackers to access resources with the privileges of the Site Admin role.
organisation
API
Cisco fixed maximum severity flaw CVE-2026-20223 in Secure Workload
Cisco fixed a critical Secure Workload flaw (CVE-2026-20223) that could let attackers gain Site Admin privileges through crafted API requests.
"An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint," Cisco said.
"An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint," Cisco explained in a Wednesday advisory.
organisation
Secure Workload
Cisco has released security updates to address a maximum-severity Secure Workload vulnerability that allows attackers to gain Site Admin privileges.
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, CVE-2026-20223)
infrastructure
3.9
The issue has been addressed in the following versions -
Cisco Secure Workload Release 3.9 and earlier (Migrate to a fixed release)
Cisco Secure Workload Release: 3.9 and earlier. First Fixed Release: Migrate to a fixed release.
infrastructure
3.10
infrastructure
3.10.8
organisation
Cisco Secure Workload Release
infrastructure
4.0.3
Cisco Secure Workload Release 3.10 (Fixed in 3.10.8.3)
Cisco Secure Workload Release 4.0 (Fixed in 4.0.3.17)
The issue was addressed in versions 3.10.8.3 and 4.0.3.17.
organisation
Product Security Incident Response Team
The company also added that its Product Security Incident Response Team (PSIRT) has not found evidence that the vulnerability has been exploited in the wild before publishing this week's advisory.
infrastructure
4.0
Cisco Secure Workload Release 4.0 (Fixed in 4.0.3.17)
organisation
Catalyst SD-WAN Controller
organisation
CVSS
organisation
SD-WAN
The disclosure comes a week after Cisco revealed that another maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller (CVE-2026-20182, CVSS score: 10.0) has been exploited by a threat actor known as UAT-8616 to gain unauthorized access to SD-WAN systems.
organisation
Cisco
organisation
Catalyst SD-WAN
Earlier this month, Cisco warned that another maximum severity authentication bypass vulnerability (CVE-2026-20182) affecting its Catalyst SD-WAN software-based networking platform was being actively exploited as a zero-day, allowing attackers to gain admin privileges.
Cisco said there are no workarounds that address the vulnerability.
organisation
Site Admin
"A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user."
organisation
Cisco Secure Workload
organisation
Cisco Tetration
The shortcoming impacts Cisco Secure Workload Cluster Software on SaaS and on-prem deployments, regardless of device configuration.
Formerly known as Cisco Tetration, Cisco Secure Workload helps admins reduce their network's attack surface through zero trust microsegmentation and stop lateral movement to keep business applications safe.
“A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.”
organisation
the Secure Workload
Cisco said the Secure Workload flaw affects both SaaS and on-prem Cluster Software deployments, but only impacts internal REST APIs, not the web management interface.
organisation
DoS
organisation
Crosswork Network Controller
organisation
Network Services Orchestrator
organisation
NSO
In early May, Cisco also released security updates for a denial-of-service (DoS) vulnerability in Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO), which requires manually rebooting targeted systems to recover.
organisation
Cisco Product Security Incident Response Team
Cisco Product Security Incident Response Team (PSIRT) has not seen active exploitation, but urges customers to update systems to reduce the risk of future attacks.
Tactical Metrics
Metrics (infrastructure, Software Version): 3.9, 3.10, 3.10.8, 4.0, 4.0.3
The issue has been addressed in the following versions -
Cisco Secure Workload Release 3.9 and earlier (Migrate to a fixed release)
Cisco Secure Workload Release 3.10 (Fixed in 3.10.8.3)
Cisco Secure Workload Release 4.0 (Fixed in 4.0.3.17)
The issue was addressed in versions 3.10.8.3 and 4.0.3.17.
Metrics (infrastructure, Software Version): 10.0
Cisco released patches for a critical vulnerability, tracked as CVE-2026-20223 (CVSS score of 10.0), in Secure Workload.
Intelligence Sources
The Hacker News, 2026-05-22
BleepingComputer, 2026-05-21: Max severity Cisco Secure Workload flaw gives Site Admin privileges
Security Affairs, 2026-05-21: Cisco fixed maximum severity flaw CVE-2026-20223 in Secure Workload
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
23x | organisation | Identified Entity | API Flaw Enabling Data Access | entity
6x | infrastructure | Software Version | 3.9 | version
3x | timeline | Temporal Reference | May 22, 2026 | date
3x | general metric | Cisco Secure Workload Release | 4 | cisco secure workload release
2x | vulnerability | Exploited CVE | CVE-2026-20223 | cve
2x | tactic | MITRE ATT&CK Technique | T1592.002 - Software | technique
2x | tactic | Cyber Operation Type | Lateral Movement | tactic
2x | attribution | Attributing Entity | The U.S. Cybersecurity and Infrastructure Security Agency | authority
Contextual Telemetry
Context Block: 3 METRICS
vulnerability | CVSS Score | 10 | score
general metric | Cisco Vulnerabilities | 91 | cisco vulnerabilities
general metric | Surfaces | 6 | surfaces