Skip to main content

Cisco Umbrella VA CVE-2026-20246

MEDIUM
Improper Privilege Management (CWE-269)
2026-06-17 cisco
6.0
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
6.0 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
6.0 MEDIUM

Requires local CLI access and vmadmin credentials (AV:L, PR:H); root escalation yields full C and I impact with no availability disruption described.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cisco).

CVSS VectorVendor: cisco

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 16:59 vuln.today
CVE Published
Jun 17, 2026 - 16:17 cve.org
MEDIUM 6.0

DescriptionCVE.org

A vulnerability in the vmadmin CLI of Cisco Umbrella Virtual Appliance could allow an authenticated, local attacker to elevate privileges on an affected device.

This vulnerability is due to insufficient validation of user-supplied commands. An attacker with vmadmin privileges could exploit this vulnerability by using certain commands at the CLI. A successful exploit could allow the attacker to elevate privileges to root.

AnalysisAI

Privilege escalation in the Cisco Umbrella Virtual Appliance vmadmin CLI enables an authenticated local attacker holding vmadmin-level credentials to elevate access to root on the affected device. The flaw, classified as CWE-269 (Improper Privilege Management), arises because the vmadmin CLI does not adequately validate or restrict specific commands that can be leveraged as a privilege escalation path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Acquire vmadmin credentials
Delivery
Authenticate to appliance CLI (local or SSH)
Exploit
Issue specific CLI commands bypassing validation
Execution
Privilege boundary traversed
Impact
Achieve root access on appliance OS

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) local or authenticated SSH/console access to the Cisco Umbrella Virtual Appliance; and (2) pre-existing vmadmin-level credentials or an active vmadmin session - confirmed by CVSS PR:H, which denotes high privileges as a mandatory prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-provided CVSS 3.1 score of 6.0 Medium with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N accurately characterizes the constrained threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained vmadmin credentials - through insider access, credential theft from a management workstation, or reuse of a compromised account - authenticates to the Cisco Umbrella Virtual Appliance CLI. By issuing specific commands that the vmadmin CLI fails to adequately restrict or sanitize, the attacker bypasses the privilege boundary and achieves root-level OS access on the appliance. …
Remediation The primary remediation is to apply the update detailed in Cisco Security Advisory cisco-sa-umbrella-priv-esc-F4wJB7AU, available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-priv-esc-F4wJB7AU - exact fixed version numbers are not confirmed in available intelligence and must be retrieved directly from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-20246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy