CVE-2026-20161
Arbitrary File Overwrite via CLI in Cisco ThousandEyes Agent
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | thousandeyes_enterprise_agent | 1.234.0 |
| cisco | thousandeyes_enterprise_agent | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the CLI of Cisco ThousandEyes Enterprise Agent Linux Package installations. It allows an authenticated local attacker with low privileges to overwrite arbitrary files on the affected device's local file system.
The issue arises due to improper access controls on certain files. An attacker can exploit this by placing a symbolic link in a specific location on the local file system, which enables them to bypass file system permissions and overwrite files they should not have access to.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker with low privileges to overwrite arbitrary files on your device. This could lead to unauthorized modification of important files, potentially disrupting system operations or compromising system integrity.
Since the attacker can bypass file system permissions, they might alter configuration files or other critical data, which could be used to escalate privileges or cause denial of service conditions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an attacker placing a symbolic link in a specific location on the local file system to overwrite arbitrary files. Detection would involve checking for unexpected or suspicious symbolic links in locations used by the Cisco ThousandEyes Enterprise Agent Linux Package.
However, no specific detection commands or tools are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Cisco ThousandEyes Enterprise Agent Linux Package to version 1.234.0 or later, where the vulnerability has been fixed.
There are no workarounds available, so applying the fixed software release is essential.
For ThousandEyes Enterprise virtual appliances running Ubuntu Linux, unattended upgrades are enabled by default, which helps ensure critical security fixes are automatically applied.
Customers can also contact Cisco Technical Assistance Center (TAC) for support and upgrade assistance.