
Cisco patches CVSS 10.0 Secure Workload flaw (CVE-2026-20223): unauthenticated REST API access grants Site Admin across tenants

Cisco has patched a maximum-severity flaw, CVE-2026-20223, in the internal REST APIs of Cisco Secure Workload (formerly Tetration), the zero-trust microsegmentation platform used to stop lateral movement in enterprise environments. Insufficient authentication on the affected endpoints lets an unauthenticated remote attacker craft a request that returns sensitive data and modifies configuration with Site Admin privileges across tenant boundaries. Cisco's PSIRT says there is no evidence of in-the-wild exploitation yet and no workaround exists. The on-prem fixed releases are 3.10.8.3 and 4.0.3.17; the SaaS deployment has already been patched. Sites running 3.9 or earlier must migrate to a fixed release.

Check
Inventory Cisco Secure Workload (Tetration) on-prem deployments and their versions. Check whether SaaS is in use (already auto-patched). Review API access logs for unauthenticated calls that succeeded.
Affected
Cisco Secure Workload 3.10.x before 3.10.8.3, 4.0.x before 4.0.3.17, and any 3.9 or earlier release. SaaS deployment already fixed by Cisco. No workaround available.
Fix
Upgrade on-prem to 3.10.8.3 or 4.0.3.17. Sites on 3.9 or earlier must migrate to a fixed release. No workaround - patching is the only option.
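
The Affected and Fix rules above can be applied to an inventory export in one pass. The script below is an added example, not Cisco tooling: the status labels, hostnames and inventory layout are assumptions, and only the version thresholds come from this article.

```python
import re

# Fixed on-prem releases per release train, as stated in the article.
FIXED = {(3, 10): (3, 10, 8, 3), (4, 0): (4, 0, 3, 17)}


def parse_version(text):
    """Turn '3.10.8.3' into (3, 10, 8, 3); short strings are zero-padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def classify(version, deployment="on-prem"):
    """Return the action for one deployment under CVE-2026-20223."""
    if deployment.lower() == "saas":
        return "patched-by-cisco"   # SaaS is already fixed
    v = parse_version(version)
    train = v[:2]
    if train in FIXED:
        # Numeric tuple comparison, so 3.10.10.x sorts after 3.10.8.3.
        return "fixed" if v >= FIXED[train] else "upgrade"
    if train <= (3, 9):
        return "migrate"            # 3.9 or earlier: move to a fixed release
    return "check-advisory"         # train not covered by the article


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("csw-dc1.example.internal", "3.10.8.2", "on-prem"),
    ("csw-dc2.example.internal", "4.0.3.17", "on-prem"),
    ("csw-lab.example.internal", "3.9.1.1", "on-prem"),
    ("csw-tenant.example.com", "", "SaaS"),
    ("csw-old.example.internal", "unknown", "on-prem"),
]


def triage(inventory):
    """Classify every entry; unparseable versions are flagged, not dropped."""
    results = []
    for host, version, deployment in inventory:
        try:
            status = classify(version, deployment)
        except ValueError:
            status = "unparseable-version"
        results.append((host, status))
    return results
```

Anything reported as `upgrade`, `migrate` or `unparseable-version` needs follow-up; `check-advisory` means the release train is not mentioned in this article.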