Cisco Secure Workload RCE via CVE-2025-20165 — Mitigation Guide

Cisco has released critical security updates to address a severe CVE affecting its Secure Workload platform, formerly known as Tetration. According to SecurityWeek, the most significant flaw could allow a remote, unauthenticated attacker to gain “Site Admin” privileges. This level of access grants the adversary full control over the platform, effectively bypassing intended security boundaries.

Overview of the Cisco Secure Workload API Flaw

The primary vulnerability, tracked as CVE-2025-20165, has been assigned a CVSS base score of 9.8, categorizing it as critical. The issue resides in the REST APIs of Cisco Secure Workload. Due to insufficient validation and authentication mechanisms, an attacker could send a crafted request to the API and elevate their status to a Site Admin without providing valid credentials.

This flaw is particularly dangerous for multi-tenant deployments. In such environments, the acquisition of Site Admin privileges could lead to unauthorized access across different tenant segments, facilitating Lateral Movement and extensive data exposure. While the vendor has not observed active exploitation in the wild, the technical severity and the lack of required authentication make this a high-priority target for threat actors.

Technical Analysis of CVE-2025-20165

The vulnerability stems from how the Secure Workload software processes incoming API calls. In impacted versions, the validation logic fails to properly verify the identity or authorization level of the requester before processing commands that require high-level administrative permissions. Because the REST APIs are often exposed to facilitate integration with other networking and security tools, an attacker with network reachability can exploit this weakness directly.

While this is not a traditional RCE where an attacker executes arbitrary code on the underlying operating system, the result is practically identical in terms of impact. A Site Admin can modify security policies, view sensitive telemetry, and disable monitoring, which effectively blinds the SOC to ongoing malicious activity.

How to detect CVE-2025-20165 exploit attempts

Defenders should monitor their SIEM logs for unusual patterns in API traffic. Specifically, security teams should look for REST API requests originating from unexpected IP addresses that target administrative endpoints. High-frequency requests to /api/v1/users or other identity-related endpoints without associated legitimate session tokens may indicate an attempt to exploit this flaw. Integrating these logs into existing EDR and network monitoring workflows is essential for visibility.

Additional Security Considerations

In addition to the critical flaw, Cisco also patched CVE-2025-20168. This vulnerability is of medium severity with a CVSS score of 5.3. It involves insufficient access control that could allow an authenticated attacker to perform information disclosure. While less severe than the administrative bypass, it highlights a broader need for robust API security and Zero Trust architectures when managing infrastructure-level software.

Remediation and Recommendations

Cisco has confirmed that no workarounds are available for these vulnerabilities. The only effective mitigation is a software update. The following Cisco Secure Workload 3.9 patch guidance and 3.8 version recommendations apply:

• For Release 3.8: Organizations should migrate to software version 3.8.1.185 or later.
• For Release 3.9: Organizations should migrate to software version 3.9.1.135 or later.

Security professionals should prioritize these updates immediately, especially if their Secure Workload instances are accessible from broader internal networks or the public internet. Furthermore, ensure that all API access is restricted to known, authorized service accounts and monitored continuously for Privilege Escalation indicators.