Uncategorized

Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw

1966woodenghost May 21, 2026 0

Security

Switchzilla says attackers could access sensitive data and make configuration changes across tenant boundaries through vulnerable internal APIs

Cisco has disclosed yet another perfect 10 vulnerability, this time warning that unauthenticated attackers could gain Site Admin privileges in its Secure Workload platform simply by sending crafted API requests to vulnerable systems.

The bug, tracked as CVE-2026-20223, earned the full 10.0 CVSS treatment and affects Cisco Secure Workload Cluster Software in both SaaS and on-prem environments. According to Cisco’s barebones advisory, the issue boils down to weak validation and authentication checks in internal REST API endpoints.

In practical terms, that means attackers don’t require credentials, user interaction, or any significant effort to exploit the bug. Cisco said a successful attack could allow remote attackers to “read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.”

Cross-tenant bugs tend to make cloud customers especially twitchy because they undermine one of the core assumptions of multi-tenant infrastructure: namely that somebody else’s compromise is not supposed to become your problem.

Cisco noted that the flaw affects internal REST APIs rather than the platform’s web management interface, although that distinction is unlikely to bring much comfort to admins staring at a 10.0 severity score.

The networking giant said there are currently no workarounds, and customers must install fixed releases to fully remediate the issue. Cisco Secure Workload 3.10 is fixed in version 3.10.8.3, while 4.0 is fixed in 4.0.3.17. Customers running version 3.9 or earlier are being told to migrate to a supported fixed release. Cisco added that its cloud-hosted SaaS deployments have already been patched and require no customer action.

Cisco said it is not aware of active exploitation and that the flaw was discovered during internal security testing, though vulnerabilities carrying a 10.0 score and requiring no authentication rarely stay quiet for long.

The bug lands less than a week after Cisco disclosed another maximum severity flaw affecting SD-WAN systems that could allow attackers to grant themselves administrator privileges, continuing what is becoming an increasingly awkward run of top-scoring Cisco security advisories.

The company has spent much of the past year disclosing one 9.8-plus infrastructure flaw after another across products spanning firewalls, management platforms, identity systems, and enterprise networking gear. At this point, Cisco seems to be treating 10.0 CVSS scores as a recurring feature rather than a special occasion. ®

Source: www.theregister.com…

Related Articles
We will be happy to hear your thoughts

Leave a reply

About Forlifedeals

Forlifedeals is a comprehensive source of independent reviews of the most recent SaaS (Software as a Service) tools and platforms. It is a great resource for businesses, marketers, and agencies, providing expert assessment of software solutions in various categories such as productivity, marketing, sales, and others.

🚀 Get First Access to SaaS Deals – Subscribe Now!

FOR LIFE DEALS
Logo
Register New Account
Compare items
  • Total (0)
Compare
0