Cisco Umbrella VA
CVE-2026-20246
MEDIUM
Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Requires local CLI access and vmadmin credentials (AV:L, PR:H); root escalation yields full C and I impact with no availability disruption described.
Primary rating from Vendor (cisco).
CVSS VectorVendor: cisco
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in the vmadmin CLI of Cisco Umbrella Virtual Appliance could allow an authenticated, local attacker to elevate privileges on an affected device.
This vulnerability is due to insufficient validation of user-supplied commands. An attacker with vmadmin privileges could exploit this vulnerability by using certain commands at the CLI. A successful exploit could allow the attacker to elevate privileges to root.
AnalysisAI
Privilege escalation in the Cisco Umbrella Virtual Appliance vmadmin CLI enables an authenticated local attacker holding vmadmin-level credentials to elevate access to root on the affected device. The flaw, classified as CWE-269 (Improper Privilege Management), arises because the vmadmin CLI does not adequately validate or restrict specific commands that can be leveraged as a privilege escalation path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) local or authenticated SSH/console access to the Cisco Umbrella Virtual Appliance; and (2) pre-existing vmadmin-level credentials or an active vmadmin session - confirmed by CVSS PR:H, which denotes high privileges as a mandatory prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-provided CVSS 3.1 score of 6.0 Medium with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N accurately characterizes the constrained threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained vmadmin credentials - through insider access, credential theft from a management workstation, or reuse of a compromised account - authenticates to the Cisco Umbrella Virtual Appliance CLI. By issuing specific commands that the vmadmin CLI fails to adequately restrict or sanitize, the attacker bypasses the privilege boundary and achieves root-level OS access on the appliance. … |
| Remediation | The primary remediation is to apply the update detailed in Cisco Security Advisory cisco-sa-umbrella-priv-esc-F4wJB7AU, available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-priv-esc-F4wJB7AU - exact fixed version numbers are not confirmed in available intelligence and must be retrieved directly from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today