CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Cisco ThousandEyes Enterprise Agent BrowserBot Command Injection Vulnerability

mediumCVE-2026-20206
A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed this vulnerability in the Cisco ThousandEyes Enterprise Agent, and no customer action is needed. This vulnerability was due to insufficient input validation of command arguments that are supplied by the user. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by authenticating to the ThousandEyes SaaS and submitting crafted input into the affected parameter. A successful exploit could have allowed the attacker to execute arbitrary commands within the BrowserBot container as the node user. To exploit this vulnerability, the attacker must have valid user credentials for the ThousandEyes SaaS and the ability to manage transaction tests. As mentioned, Cisco has addressed this vulnerability in the ThousandEyes service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tebbot-cmdinj-wN3yQ5gn Security Impact Rating: Medium CVE: CVE-2026-20206

CSIRTS triage

What
A vulnerability in the BrowserBot component could allow an authenticated attacker to execute arbitrary commands.
Who is affected
Authenticated users of Cisco ThousandEyes SaaS.
Urgency
Remediation is medium urgency as exploitation requires valid user credentials but could lead to command execution.
Action
No customer action is needed as Cisco has addressed this vulnerability.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch ThousandEyes Enterprise Agent

Get an email when a new ThousandEyes Enterprise Agent advisory drops — max one per day, one-click unsubscribe.

Details

Source
Cisco Security Advisories (INTL · vendor-psirt · site)
Severity
medium
Published
2026-05-20
Exploitation
Not in CISA KEV at last sync

Original advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tebbot-cmdinj-wN3yQ5gn?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Cisco%20ThousandEyes%20Enterprise%20Agent%20BrowserBot%20Command%20Injection%20Vulnerability%26vs_k=1

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-20206coverage & exploitation statusNVD · CVE.org

Recent advisories for Cisco ThousandEyes Enterprise

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from Cisco Security Advisories