MEDIUMCVE-2026-20161CVSS 5.5

CVE-2026-20161: Arbitrary File Access in Cisco ThousandEyes

Platform

cisco

Component

thousandeyes-enterprise-agent

Fixed in

5.0.1

4.4.5

4.4.4

4.4.3

4.2.1

4.1.1

4.0.1

5.1.1

5.1.3

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-20161 describes an arbitrary file access vulnerability within the Command Line Interface (CLI) of Cisco ThousandEyes Enterprise Agent. This flaw allows an authenticated, local attacker with low privileges to overwrite files on the affected device, potentially leading to system compromise or data corruption. The vulnerability impacts versions 4.0 through 5.1.2 and a fix is expected to be released by Cisco.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-20161 allows a local attacker to bypass file system permissions and overwrite arbitrary files on the affected Cisco ThousandEyes Enterprise Agent. This could involve modifying critical system files, injecting malicious code, or disrupting normal operations. The attacker needs to be authenticated and present on the device, but low privileges are sufficient. The potential impact ranges from denial of service to complete system takeover, depending on the files overwritten and the attacker's subsequent actions. While the vulnerability requires local access, the widespread deployment of ThousandEyes agents across networks increases the potential attack surface.

Exploitation Context

CVE-2026-20161 was publicly disclosed on April 15, 2026. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation, but the requirement for local authentication suggests a medium probability of exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureLow

Reports1 threat report

EPSS

0.01% (2% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componentthousandeyes-enterprise-agent

VendorCisco

Affected rangeFixed in

Agent 5.0 – Agent 5.05.0.1

Agent 4.4.4 – Agent 4.4.44.4.5

Agent 4.4.3 – Agent 4.4.34.4.4

Agent 4.4.2 – Agent 4.4.24.4.3

Agent 4.2 – Agent 4.24.2.1

Agent 4.1 – Agent 4.14.1.1

Agent 4.0 – Agent 4.04.0.1

Agent 5.1 – Agent 5.15.1.1

Agent 5.1.2 – Agent 5.1.25.1.3

Weakness Classification (CWE)

CWE-59

Timeline

Reserved2025-10-08
Published2026-04-15
EPSS updated2026-04-23

Unpatched — 39 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-20161 is to upgrade to a patched version of Cisco ThousandEyes Enterprise Agent as soon as it becomes available. Until a patch is applied, consider restricting access to the CLI and implementing strict file system permissions. Monitoring file system integrity for unexpected modifications is also recommended. While a direct workaround is not available, careful access control and regular security audits can reduce the risk. After upgrading, verify the fix by attempting to create a symbolic link in the vulnerable location and confirming that the file overwrite is prevented.

How to fix

Cisco recommends updating to a corrected version of the ThousandEyes Enterprise agent. See the Cisco advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-agentfilewrite-tqUw3SMU) for more details on affected versions and available corrected versions.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-20161 — Arbitrary File Access in Cisco ThousandEyes?

CVE-2026-20161 is a medium-severity vulnerability in Cisco ThousandEyes Enterprise Agent versions 4.0 through 5.1.2 that allows an authenticated, local attacker to overwrite arbitrary files.

Am I affected by CVE-2026-20161 in Cisco ThousandEyes?

If you are running Cisco ThousandEyes Enterprise Agent versions 4.0 through 5.1.2, you are potentially affected by this vulnerability. Check your deployed versions against the affected range.

How do I fix CVE-2026-20161 in Cisco ThousandEyes?

The recommended fix is to upgrade to a patched version of Cisco ThousandEyes Enterprise Agent as soon as it becomes available. Monitor Cisco's security advisories for updates.

Is CVE-2026-20161 being actively exploited?

As of April 15, 2026, there are no known public exploits or active campaigns targeting CVE-2026-20161.

Where can I find the official Cisco advisory for CVE-2026-20161?

Refer to the official Cisco Security Advisory for CVE-2026-20161 on the Cisco website (search for CVE-2026-20161 on Cisco.com).

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Local — attacker needs a local shell or interactive session on the system.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: None — no availability impact. Service remains fully operational.