CVE-2026-20161
Received Received - Intake
Arbitrary File Overwrite via CLI in Cisco ThousandEyes Agent

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20161
EUVD
EUVD-2026-22965
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cisco thousandeyes_enterprise_agent 1.234.0
cisco thousandeyes_enterprise_agent *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the CLI of Cisco ThousandEyes Enterprise Agent Linux Package installations. It allows an authenticated local attacker with low privileges to overwrite arbitrary files on the affected device's local file system.

The issue arises due to improper access controls on certain files. An attacker can exploit this by placing a symbolic link in a specific location on the local file system, which enables them to bypass file system permissions and overwrite files they should not have access to.

Impact Analysis

If exploited, this vulnerability could allow an attacker with low privileges to overwrite arbitrary files on your device. This could lead to unauthorized modification of important files, potentially disrupting system operations or compromising system integrity.

Since the attacker can bypass file system permissions, they might alter configuration files or other critical data, which could be used to escalate privileges or cause denial of service conditions.

Detection Guidance

This vulnerability involves an attacker placing a symbolic link in a specific location on the local file system to overwrite arbitrary files. Detection would involve checking for unexpected or suspicious symbolic links in locations used by the Cisco ThousandEyes Enterprise Agent Linux Package.

However, no specific detection commands or tools are provided in the available information.

Mitigation Strategies

The primary mitigation step is to upgrade the Cisco ThousandEyes Enterprise Agent Linux Package to version 1.234.0 or later, where the vulnerability has been fixed.

There are no workarounds available, so applying the fixed software release is essential.

For ThousandEyes Enterprise virtual appliances running Ubuntu Linux, unattended upgrades are enabled by default, which helps ensure critical security fixes are automatically applied.

Customers can also contact Cisco Technical Assistance Center (TAC) for support and upgrade assistance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20161. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart