{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20161", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.388Z", "datePublished": "2026-04-15T16:03:43.769Z", "dateUpdated": "2026-04-15T16:56:35.191Z"}, "containers": {"cna": {"title": "Cisco ThousandEyes Enterprise Agent Arbitrary File Overwrite Vulnerability", "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}}], "descriptions": [{"lang": "en", "value": "A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device.\r\n\r\nThis vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device."}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-agentfilewrite-tqUw3SMU", "name": "cisco-sa-te-agentfilewrite-tqUw3SMU"}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "source": {"advisory": "cisco-sa-te-agentfilewrite-tqUw3SMU", "discovery": "INTERNAL", "defects": ["CSCwt14485"]}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Link Resolution Before File Access ('Link Following')", "type": "cwe", "cweId": "CWE-59"}]}], "affected": [{"vendor": "Cisco", "product": "Cisco ThousandEyes Enterprise Agent", "versions": [{"version": "Agent 5.0", "status": "affected"}, {"version": "Agent 4.4.4", "status": "affected"}, {"version": "Agent 4.4.3", "status": "affected"}, {"version": "Agent 4.4.2", "status": "affected"}, {"version": "Agent 4.2", "status": "affected"}, {"version": "Agent 4.1", "status": "affected"}, {"version": "Agent 4.0", "status": "affected"}, {"version": "Agent 5.1", "status": "affected"}, {"version": "Agent 5.1.2", "status": "affected"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-04-15T16:03:43.769Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20161", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T16:54:35.119090Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:56:35.191Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20161", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T16:54:35.119090Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:56:26.618Z"}}], "cna": {"title": "Cisco ThousandEyes Enterprise Agent Arbitrary File Overwrite Vulnerability", "source": {"defects": ["CSCwt14485"], "advisory": "cisco-sa-te-agentfilewrite-tqUw3SMU", "discovery": "INTERNAL"}, "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Cisco", "product": "Cisco ThousandEyes Enterprise Agent", "versions": [{"status": "affected", "version": "Agent 5.0"}, {"status": "affected", "version": "Agent 4.4.4"}, {"status": "affected", "version": "Agent 4.4.3"}, {"status": "affected", "version": "Agent 4.4.2"}, {"status": "affected", "version": "Agent 4.2"}, {"status": "affected", "version": "Agent 4.1"}, {"status": "affected", "version": "Agent 4.0"}, {"status": "affected", "version": "Agent 5.1"}, {"status": "affected", "version": "Agent 5.1.2"}], "defaultStatus": "unknown"}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-agentfilewrite-tqUw3SMU", "name": "cisco-sa-te-agentfilewrite-tqUw3SMU"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device.\r\n\r\nThis vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-59", "description": "Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-04-15T16:03:43.769Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20161", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:56:35.191Z", "dateReserved": "2025-10-08T11:59:15.388Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-04-15T16:03:43.769Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device.\r\n\r\nThis vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device."}], "id": "CVE-2026-20161", "lastModified": "2026-04-15T17:17:03.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "psirt@cisco.com", "type": "Primary"}]}, "published": "2026-04-15T17:17:03.120", "references": [{"source": "psirt@cisco.com", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-agentfilewrite-tqUw3SMU"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "psirt@cisco.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 5.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 4.4.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 4.4.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 4.4.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 4.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 4.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 4.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 5.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Agent 5.1.2"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "Cisco ThousandEyes Enterprise Agent", "source": "cna", "vendor": "Cisco"}, "product": "thousandeyes_enterprise_agent", "vendor": "cisco"}], "created": "2026-04-15T21:00:09.464027+00:00", "updated": "2026-04-15T21:00:09.464075+00:00", "vendors": ["cisco", "cisco$PRODUCT$thousandeyes_enterprise_agent"]}