Cisco ThousandEyes Enterprise Agent BrowserBot Command Injection Vulnerability
A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed this vulnerability in the Cisco ThousandEyes Enterprise Agent, and no customer action is needed. This vulnerability was due to insufficient input validation of command arguments that are supplied by the user. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by authenticating to the ThousandEyes SaaS and submitting crafted input into the affected parameter. A successful exploit could have allowed the attacker to execute arbitrary commands within the BrowserBot container as the node user. To exploit this vulnerability, the attacker must have valid user credentials for the ThousandEyes SaaS and the ability to manage transaction tests. As mentioned, Cisco has addressed this vulnerability in the ThousandEyes service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tebbot-cmdinj-wN3yQ5gn Security Impact Rating: Medium CVE: CVE-2026-20206
CSIRTS triage
- What
- A vulnerability in the BrowserBot component could allow an authenticated attacker to execute arbitrary commands.
- Who is affected
- Authenticated users of Cisco ThousandEyes SaaS.
- Urgency
- Remediation is medium urgency as exploitation requires valid user credentials but could lead to command execution.
- Action
- No customer action is needed as Cisco has addressed this vulnerability.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch ThousandEyes Enterprise Agent
Get an email when a new ThousandEyes Enterprise Agent advisory drops — max one per day, one-click unsubscribe.
Details
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-202060.42% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 34% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-20206 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Cisco ThousandEyes Enterprise
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCisco ThousandEyes Enterprise Agent Arbitrary File Overwrite Vulnerabilitycisco-psirt · 2026-04-15
More from Cisco Security Advisories
- unknownCisco Advance Notification for Publication of July 15, 2026, Security Advisories2026-07-08
- criticalCisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities2026-07-06
- highCisco Catalyst Center Arbitrary File Read Vulnerability2026-07-06
- highClamAV Vulnerabilities Affecting Cisco Products: July 20262026-07-02
- highCisco Advance Notification for Publication of July 1, 2026, Security Advisories2026-07-01