CVE-2026-20199
Authenticated Command Execution in Cisco ThousandEyes Virtual Appliance
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | thousandeyes_virtual_appliance | to 0.262|start_including=0.262.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the SSL certificate handling of the Cisco ThousandEyes Virtual Appliance. It is caused by insufficient validation of user-supplied input when processing SSL certificates.
An authenticated attacker with valid administrative credentials can exploit this flaw by uploading a specially crafted certificate to the affected device.
Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with root user privileges.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary code as the root user on the underlying operating system of the Cisco ThousandEyes Virtual Appliance.
This means the attacker could gain full control over the affected system, potentially leading to data compromise, disruption of services, or further attacks within the network.
The vulnerability has a medium severity level with a CVSS base score of 4.7.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, customers are strongly advised to upgrade to the fixed software versions of Cisco ThousandEyes Virtual Appliance.
- Upgrade to version 0.262.0 or later, as this is the first fixed release.
No workarounds are available, so applying the software update is the only effective mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker to execute arbitrary code as the root user on the underlying operating system by exploiting insufficient validation of user-supplied input in SSL certificate handling.
Such unauthorized root-level access could potentially lead to unauthorized data access or system compromise, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and system integrity.
However, the provided information does not explicitly describe the direct impact on compliance with these standards or any specific regulatory implications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network indicators provided for this vulnerability.
Detection primarily involves verifying the software version of the Cisco ThousandEyes Virtual Appliance to determine if it is earlier than 0.262, which is vulnerable.
Since exploitation requires valid administrative credentials and uploading a crafted SSL certificate, monitoring for unusual certificate uploads or administrative activity may help in detection.
Cisco recommends upgrading to version 0.262.0 or later to remediate the vulnerability, as no workarounds are available.