CVE-2026-20161
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-agentfilewrite-tqUw3SMU Security Impact Rating: Medium CVE: CVE-2026-20161
CSIRTS triage
- What
- A vulnerability in the CLI could allow an authenticated, local attacker to overwrite arbitrary files.
- Who is affected
- Authenticated local users with low privileges on affected devices.
- Urgency
- Remediation is necessary as it allows file system permission bypass.
- Action
- Update to the latest software version.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-20161
Get an email if CVE-2026-20161 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.13% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 3% of all EPSS-scored CVEs.
Advisory coverage (1)
- mediumCisco ThousandEyes Enterprise Agent Arbitrary File Overwrite Vulnerabilitycisco-psirt · 2026-04-15
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-20161)