CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-20206

mediumcovered by 1 sourcefirst seen 2026-05-20
A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed this vulnerability in the Cisco ThousandEyes Enterprise Agent, and no customer action is needed. This vulnerability was due to insufficient input validation of command arguments that are supplied by the user. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by authenticating to the ThousandEyes SaaS and submitting crafted input into the affected parameter. A successful exploit could have allowed the attacker to execute arbitrary commands within the BrowserBot container as the node user. To exploit this vulnerability, the attacker must have valid user credentials for the ThousandEyes SaaS and the ability to manage transaction tests. As mentioned, Cisco has addressed this vulnerability in the ThousandEyes service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tebbot-cmdinj-wN3yQ5gn Security Impact Rating: Medium CVE: CVE-2026-20206

CSIRTS triage

What
A vulnerability in the BrowserBot component could allow an authenticated attacker to execute arbitrary commands.
Who is affected
Authenticated users of Cisco ThousandEyes SaaS.
Urgency
Remediation is medium urgency as exploitation requires valid user credentials but could lead to command execution.
Action
No customer action is needed as Cisco has addressed this vulnerability.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-20206

Get an email if CVE-2026-20206 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-20206

CVE.org record

Embed the live status

CVE-2026-20206 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-20206 status](https://www.csirts.com/badge/CVE-2026-20206)](https://www.csirts.com/cve/CVE-2026-20206)