Skip to main content

Cisco ThousandEyes CVE-2026-20199

| EUVDEUVD-2026-31137 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-20 cisco GHSA-j82m-6356-v5pg
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable management interface (AV:N) with low complexity (AC:L) but requires valid admin credentials (PR:H); root code execution yields full C/I/A impact, scope unchanged.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 30, 2026 - 16:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 16:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 16:22 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 16:22 NVD
4.7 (MEDIUM) 7.2 (HIGH)
Analysis Generated
May 20, 2026 - 17:33 vuln.today

DescriptionNVD

A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user. This vulnerability is due to insufficient validation of user-supplied input. An authenticated attacker could exploit this vulnerability by uploading a crafted certificate to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials.

AnalysisAI

Command injection in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance lets an authenticated administrator upload a crafted certificate to execute arbitrary commands as root on the underlying operating system. The flaw stems from insufficient validation of user-supplied input (CWE-74) and carries a CVSS 7.2 (High) rating; the elevated impact comes from full root-level code execution despite the high-privilege precondition. No public exploit identified at time of analysis, and EPSS is very low at 0.04% (13th percentile), consistent with the CISA SSVC determination of no observed exploitation.

Technical ContextAI

Cisco ThousandEyes is a network and application performance/digital-experience monitoring platform; the affected component is the Virtual Appliance form factor (the CPE references the enterprise agent: cpe:2.3:a:cisco:cisco_thousandeyes_enterprise_agent). The vulnerability lives in the appliance's SSL/TLS certificate handling routine, which accepts an operator-supplied certificate during configuration. CWE-74 (Improper Neutralization of Special Elements - Injection) is the root-cause class: user-controlled certificate data is passed into a downstream OS-level operation without sufficient sanitization, allowing injected elements to be interpreted as commands. Because the certificate processing executes with root privileges, successful injection yields full root code execution rather than a confined process compromise.

RemediationAI

Apply the fixed software release identified in the Cisco Security Advisory cisco-sa-tevacert-rce-RMJVEym5 (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tevacert-rce-RMJVEym5); the provided data does not include an exact fix version, so consult that advisory for the precise patched release before upgrading. As compensating controls until patched, restrict and audit who holds administrative credentials on the appliance, since exploitation requires valid admin access - enforce strong unique passwords and MFA on the management interface, and limit network reachability of the appliance management/configuration plane to a trusted administrative network or jump host to reduce the AV:N exposure. Avoid uploading certificates from untrusted sources and monitor configuration-change and certificate-upload events for anomalies; the trade-off of tightening management-plane access is added operational friction for legitimate administrators but no functional loss to monitoring.

Share

CVE-2026-20199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy