Thought Leadership
A critical vulnerability rated CVSS 10.0 is undermining tenant isolation in Cisco Secure Workload. Administrators are being urged to patch affected REST APIs immediately to prevent potential privilege escalation attacks.
The networking giant has fixed a severe security flaw in its Cisco Secure Workload platform that carries the maximum possible severity rating under the Common Vulnerability Scoring System (CVSS). Successful exploitation allows remote attackers to gain site administrator privileges, effectively granting broad access to protected enterprise environments.
The vulnerability poses a serious risk for organizations relying on Cisco Secure Workload to secure hybrid cloud infrastructures and modern data centers using zero-trust architectures. A successful compromise could expose sensitive resources, traffic flows, and system configurations across affected enterprise networks.
REST API Validation Failure at the Core
Tracked as CVE-2026-20223, the flaw received a CVSS score of 10.0 due to weaknesses in packet validation and authentication mechanisms within internal REST API endpoints.
These APIs handle automated communication and data exchange between backend software components and microservices. According to Cisco’s advisory, attackers can exploit the issue by sending specially crafted API requests to vulnerable endpoints. Because of insufficient internal validation, the platform incorrectly treats the malicious request as authorized and grants the attacker full site administrator permissions.
Cisco emphasized that the vulnerability only affects internal REST APIs. The platform’s browser-based graphical management interface is not impacted by this specific issue.
Tenant Isolation Can Be Fully Bypassed
The impact of a successful attack is considered severe. Once attackers obtain administrative privileges, they can access sensitive system information in clear text, steal confidential data, and modify global configurations and security policies.
Most critically, the flaw enables changes across tenant boundaries.
In multi-tenant enterprise environments, departments, business units, or separate customers are typically isolated on shared physical infrastructure. The vulnerability effectively removes these isolation barriers, allowing attackers to view and manipulate data belonging to tenants they should never have access to.
Cisco confirmed that the issue affects Cisco Secure Workload Cluster software in both SaaS deployments and on-premises installations. According to the company, the risk exists regardless of specific device configurations.
Security Updates Now Available
Cisco has released software updates to address the vulnerability. The flaw is fully patched in Cisco Secure Workload versions 3.10.8.3 and 4.0.3.17.
The company stated on Wednesday that it had not observed evidence of active exploitation at the time the patches were released. However, because the attack vector and technical details are now publicly disclosed through the security advisory, organizations are strongly encouraged to deploy the updates immediately to reduce exposure.
Additional Patches for ThousandEyes and Nexus Switches
Alongside the Secure Workload vulnerability, Cisco also published fixes for three additional medium-severity flaws affecting other enterprise products, including ThousandEyes components and Nexus switches. The vulnerabilities impact the ThousandEyes Virtual Appliance, the ThousandEyes Enterprise Agent, and Nexus 3000 and Nexus 9000 series switches.
According to Cisco, the ThousandEyes flaws could allow attackers under certain conditions to execute remote commands with root-level privileges or privileged node-user access, potentially enabling full compromise of enterprise monitoring and analytics systems.
Meanwhile, the Nexus switch vulnerability affects the Border Gateway Protocol (BGP), the core routing protocol used across the internet and large enterprise networks. Attackers could trigger repeated BGP peer flaps, forcing routing sessions to repeatedly disconnect and reconnect. This behavior can overload network devices and ultimately cause denial-of-service conditions that disrupt legitimate traffic and make affected network segments unavailable.
Cisco said it currently has no evidence that any of these additional vulnerabilities are being actively exploited in the wild. Technical indicators and mitigation guidance are available through the company’s official security advisories.
