CVE-2026-20199
Awaiting Analysis Awaiting Analysis - Queue
Authenticated Command Execution in Cisco ThousandEyes Virtual Appliance

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user. This vulnerability is due to insufficient validation of user-supplied input. An authenticated attacker could exploit this vulnerability by uploading a crafted certificate to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-20199
EUVD
EUVD-2026-31137
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cisco thousandeyes_virtual_appliance to 0.262|start_including=0.262.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the SSL certificate handling of the Cisco ThousandEyes Virtual Appliance. It is caused by insufficient validation of user-supplied input when processing SSL certificates.

An authenticated attacker with valid administrative credentials can exploit this flaw by uploading a specially crafted certificate to the affected device.

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with root user privileges.

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute arbitrary code as the root user on the underlying operating system of the Cisco ThousandEyes Virtual Appliance.

This means the attacker could gain full control over the affected system, potentially leading to data compromise, disruption of services, or further attacks within the network.

The vulnerability has a medium severity level with a CVSS base score of 4.7.

Mitigation Strategies

To mitigate this vulnerability, customers are strongly advised to upgrade to the fixed software versions of Cisco ThousandEyes Virtual Appliance.

  • Upgrade to version 0.262.0 or later, as this is the first fixed release.

No workarounds are available, so applying the software update is the only effective mitigation.

Compliance Impact

This vulnerability allows an authenticated attacker to execute arbitrary code as the root user on the underlying operating system by exploiting insufficient validation of user-supplied input in SSL certificate handling.

Such unauthorized root-level access could potentially lead to unauthorized data access or system compromise, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and system integrity.

However, the provided information does not explicitly describe the direct impact on compliance with these standards or any specific regulatory implications.

Detection Guidance

There are no specific detection commands or network indicators provided for this vulnerability.

Detection primarily involves verifying the software version of the Cisco ThousandEyes Virtual Appliance to determine if it is earlier than 0.262, which is vulnerable.

Since exploitation requires valid administrative credentials and uploading a crafted SSL certificate, monitoring for unusual certificate uploads or administrative activity may help in detection.

Cisco recommends upgrading to version 0.262.0 or later to remediate the vulnerability, as no workarounds are available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20199. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart