Description
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device.

This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device.
Published: 2026-04-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Overwrite
Action: Apply Patch
AI Analysis

Impact

Cisco ThousandEyes Enterprise Agent exposes a command‑line interface that permits a local user with low privileges to overwrite arbitrary files on the device. The flaw arises from improper access controls on the local file system; by placing a symbolic link in a specific location and invoking the write operation through the CLI, an attacker can bypass file system permissions and replace target files, enabling modification or destruction of critical configuration or executable files.

Affected Systems

Cisco ThousandEyes Enterprise Agent. All released versions are affected unless the vendor explicitly notes otherwise; no specific vulnerable versions are listed in the advisory, so any installed agent may be impacted.

Risk and Exploitability

The CVSS v3.1 score of 5.5 indicates medium severity. Exploitation requires local, authenticated access to the device and the ability to run the agent’s CLI as a low‑privileged user. By creating a symbolic link pointing to an arbitrary path and triggering the vulnerable write command, the attacker can overwrite files on the local system. The advisory does not mention any public exploitation attempts, and the vulnerability is not listed in the CISA catalog of known exploited vulnerabilities. The EPSS metric is not available.

Generated by OpenCVE AI on April 16, 2026 at 09:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cisco ThousandEyes Enterprise Agent to the latest release that contains the file‑write protection patch.
  • Restrict local command‑line access to the agent for low‑privileged users or disable the vulnerable CLI operation entirely.
  • Audit file permissions on critical directories to ensure that non‑privileged users cannot create symbolic links or write to protected files; adjust ownership or mode where necessary.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Cisco; Cisco thousandeyes Enterprise Agent |
| Vendors & Products | | Cisco; Cisco thousandeyes Enterprise Agent |

Wed, 15 Apr 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 15 Apr 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device. |
| Title | | Cisco ThousandEyes Enterprise Agent Arbitrary File Overwrite Vulnerability |
| Weaknesses | | CWE-59 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-15T16:56:35.191Z

Reserved: 2025-10-08T11:59:15.388Z

Link: CVE-2026-20161

Vulnrichment

Updated: 2026-04-15T16:56:26.618Z

NVD

Status: Received

Published: 2026-04-15T17:17:03.120

Modified: 2026-04-15T17:17:03.120

Link: CVE-2026-20161

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses