Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable management interface (AV:N) with low complexity (AC:L) but requires valid admin credentials (PR:H); root code execution yields full C/I/A impact, scope unchanged.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user. This vulnerability is due to insufficient validation of user-supplied input. An authenticated attacker could exploit this vulnerability by uploading a crafted certificate to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials.
AnalysisAI
Command injection in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance lets an authenticated administrator upload a crafted certificate to execute arbitrary commands as root on the underlying operating system. The flaw stems from insufficient validation of user-supplied input (CWE-74) and carries a CVSS 7.2 (High) rating; the elevated impact comes from full root-level code execution despite the high-privilege precondition. No public exploit identified at time of analysis, and EPSS is very low at 0.04% (13th percentile), consistent with the CISA SSVC determination of no observed exploitation.
Technical ContextAI
Cisco ThousandEyes is a network and application performance/digital-experience monitoring platform; the affected component is the Virtual Appliance form factor (the CPE references the enterprise agent: cpe:2.3:a:cisco:cisco_thousandeyes_enterprise_agent). The vulnerability lives in the appliance's SSL/TLS certificate handling routine, which accepts an operator-supplied certificate during configuration. CWE-74 (Improper Neutralization of Special Elements - Injection) is the root-cause class: user-controlled certificate data is passed into a downstream OS-level operation without sufficient sanitization, allowing injected elements to be interpreted as commands. Because the certificate processing executes with root privileges, successful injection yields full root code execution rather than a confined process compromise.
RemediationAI
Apply the fixed software release identified in the Cisco Security Advisory cisco-sa-tevacert-rce-RMJVEym5 (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tevacert-rce-RMJVEym5); the provided data does not include an exact fix version, so consult that advisory for the precise patched release before upgrading. As compensating controls until patched, restrict and audit who holds administrative credentials on the appliance, since exploitation requires valid admin access - enforce strong unique passwords and MFA on the management interface, and limit network reachability of the appliance management/configuration plane to a trusted administrative network or jump host to reduce the AV:N exposure. Avoid uploading certificates from untrusted sources and monitor configuration-change and certificate-upload events for anomalies; the trade-off of tightening management-plane access is added operational friction for legitimate administrators but no functional loss to monitoring.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31137
GHSA-j82m-6356-v5pg