Security Bulletin: Cisco Secure Workload Authentication Bypass Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 5/21/26 4:50 PM

About:

CVE-2026-20223 is a critical authentication bypass vulnerability affecting Cisco Secure Workload.

The vulnerability is caused by missing authentication validation in internal REST API access handling. An unauthenticated remote attacker may exploit the flaw by sending crafted requests to affected Cisco Secure Workload instances.

Successful exploitation could allow attackers to gain Site Admin privileges without valid credentials and obtain unauthorized access to site resources, management functionality, and administrative operations.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Cisco Secure Workload Authentication Bypass Vulnerability

Identifier: CVE-2026-20223
PoC or Exploitation: There were no confirmed reports of active exploitation in the wild and no public proof-of-concept exploit code at this time.
CVSS Score: 10.0 (Critical, CVSS v3.1)

Update / Patch:

Cisco has released software updates addressing this vulnerability.

Affected versions include:

Cisco Secure Workload 3.9 and earlier
Cisco Secure Workload 3.10 prior to 3.10.8.3
Cisco Secure Workload 4.0 prior to 4.0.3.17

Fixed versions include:

Cisco Secure Workload 3.9 and earlier (Migrate to a supported fixed release)
Cisco Secure Workload 3.10 (Fixed in version 3.10.8.3)
Cisco Secure Workload 4.0 (Fixed in version 4.0.3.17)

Cisco advisory and patch guidance:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy

Description:

CVE-2026-20223 is an authentication bypass vulnerability affecting Cisco Secure Workload.

The vulnerability is caused by missing authentication validation in internal REST API access handling. An unauthenticated remote attacker may exploit the vulnerability by sending crafted requests to affected Cisco Secure Workload instances.

Successful exploitation could allow attackers to gain Site Admin privileges without valid credentials and obtain access to site resources and management functionality.

Mitigation Recommendation:

Immediately identify Cisco Secure Workload deployments and determine installed software versions.

Migrate Cisco Secure Workload 3.9 and earlier deployments to supported fixed releases because direct fixes are unavailable.

Restrict exposure of Cisco Secure Workload management interfaces to trusted administrative networks only.

Review administrative accounts, API activity, configuration changes, and Site Admin operations for indicators of unauthorized access.

Monitor authentication events, internal REST API requests, privileged actions, and configuration modifications for anomalous activity.

View full post