Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed this vulnerability in the Cisco ThousandEyes Enterprise Agent, and no customer action is needed.
This vulnerability was due to insufficient input validation of command arguments that are supplied by the user. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by authenticating to the ThousandEyes SaaS and submitting crafted input into the affected parameter. A successful exploit could have allowed the attacker to execute arbitrary commands within the BrowserBot container as the node user. To exploit this vulnerability, the attacker must have valid user credentials for the ThousandEyes SaaS and the ability to manage transaction tests.
AnalysisAI
Command injection in the BrowserBot component of Cisco ThousandEyes Enterprise Agent (CWE-78) allows authenticated SaaS users with transaction test management privileges to execute arbitrary OS commands inside the BrowserBot container as the unprivileged 'node' user. Exploitation requires valid ThousandEyes SaaS credentials and the ability to manage transaction tests, scoping the realistic threat primarily to insiders and compromised privileged accounts. Cisco has already deployed a remediation server-side; no customer action is required. No public exploit code or CISA KEV listing exists at time of analysis.
Technical ContextAI
The BrowserBot is the synthetics orchestration subsystem within the Cisco ThousandEyes Enterprise Agent responsible for executing browser-based transaction tests. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates that user-controlled input - specifically command arguments supplied through the ThousandEyes SaaS transaction test configuration interface - is passed to an underlying OS command without adequate sanitization or escaping. This is a classic argument injection pattern where the application constructs an OS command string incorporating untrusted input. Execution is scoped to the BrowserBot container environment running as the 'node' user, which is an unprivileged identity. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L reflects network reachability via the SaaS control plane, low authentication (a valid SaaS account with specific role), unchanged scope (container boundary not breached per available data), and low-to-moderate CIA impact. Affected CPE: cpe:2.3:a:cisco:cisco_thousandeyes_enterprise_agent across versions 4.0 through 5.1.3.
RemediationAI
Cisco has resolved this vulnerability through a server-side update to the ThousandEyes SaaS platform; the advisory explicitly states no customer action is required. Organizations should verify their ThousandEyes deployments by consulting the Cisco advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tebbot-cmdinj-wN3yQ5gn. An exact discrete patched version number is not independently confirmed from the available advisory data - Cisco's SaaS-managed remediation model means the fix is delivered centrally rather than as a customer-applied agent upgrade. As defense-in-depth measures, organizations should audit ThousandEyes SaaS user accounts and strictly enforce least-privilege access to the 'manage transaction tests' role, revoking it from any accounts that do not require it. Monitoring BrowserBot container activity for anomalous OS process spawning (e.g., shell processes initiated by the node user outside expected test execution patterns) can serve as a detection control. Note that restricting the transaction test management role may impact legitimate network synthetics workflows and should be evaluated against operational requirements.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31136
GHSA-rpgf-jpf7-q7f5