Description
A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed this vulnerability in the Cisco ThousandEyes Enterprise Agent, and no customer action is needed.

This vulnerability was due to insufficient input validation of command arguments that are supplied by the user. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by authenticating to the ThousandEyes SaaS and submitting crafted input into the affected parameter. A successful exploit could have allowed the attacker to execute arbitrary commands within the BrowserBot container as the node user.
To exploit this vulnerability, the attacker must have valid user credentials for the ThousandEyes SaaS and the ability to manage transaction tests.
Published: 2026-05-20
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Cisco ThousandEyes Enterprise Agent’s BrowserBot component permitted an authenticated, remote attacker to inject unvalidated command arguments, leading to arbitrary command execution inside the BrowserBot container as the node user. This flaw, an instance of operating system command injection (CWE‑78), could compromise the confidentiality, integrity, and availability of the affected system by allowing attackers to run malicious commands with the privileges of the BrowserBot process.

Affected Systems

The vulnerability affects Cisco ThousandEyes Enterprise Agent, particularly the BrowserBot component used for synthesizing web transaction tests. All installations of the agent before the issued patch are potentially vulnerable; specific version details were not supplied in the advisory.

Risk and Exploitability

The problem carries a CVSS score of 6.3, indicating moderate severity, and has no recorded EPSS value or KEV listing. Exploitation requires valid ThousandEyes SaaS credentials with transaction‑test management rights, and the attack vector is remote, authenticated, via the SaaS interface. The risk is medium to high because an attacker who meets the prerequisites can execute arbitrary commands on the Agent host. Cisco has addressed this vulnerability, and no customer action is required.

Generated by OpenCVE AI on May 20, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure all agents are upgraded to the Cisco ThousandEyes Enterprise Agent version that contains the command injection fix, following Cisco's release notes and guidance.
  • Restrict the set of users who have permission to create or manage transaction tests, limiting the opportunity for an attacker to supply crafted input.
  • Keep monitoring for any new Cisco advisories or supplementary patches that address similar command‑execution concerns.

Generated by OpenCVE AI on May 20, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 16:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed this vulnerability in the Cisco ThousandEyes Enterprise Agent, and no customer action is needed. This vulnerability was due to insufficient input validation of command arguments that are supplied by the user. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by authenticating to the ThousandEyes SaaS and submitting crafted input into the affected parameter. A successful exploit could have allowed the attacker to execute arbitrary commands within the BrowserBot container as the node user. To exploit this vulnerability, the attacker must have valid user credentials for the ThousandEyes SaaS and the ability to manage transaction tests.
Title Cisco ThousandEyes BrowserBot Command Injection Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-05-20T18:32:04.045Z

Reserved: 2025-10-08T11:59:15.397Z

Link: CVE-2026-20206

cve-icon Vulnrichment

Updated: 2026-05-20T18:32:00.275Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-20T17:16:20.243

Modified: 2026-05-20T17:30:40.450

Link: CVE-2026-20206

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T18:00:14Z

Weaknesses