CVE-2026-20045: Cisco Unified Communications Manager Code Injection
Detects exploitation attempts targeting CVE-2026-20045, a code injection vulnerability (CWE-94) in Cisco Unified Communications Manager. This KEV-listed vulnerability allows remote attackers to inject and execute arbitrary code. Detection focuses on anomalous process execution, unexpected web shell activity, and suspicious outbound connections originating from CUCM processes.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Cisco
- Product
- Unified Communications Manager
Weakness (CWE)
Timeline
- Disclosed
- January 21, 2026
CVSS
What is CVE-2026-20045 CVE-2026-20045: Cisco Unified Communications Manager Code Injection?
CVE-2026-20045: Cisco Unified Communications Manager Code Injection (CVE-2026-20045) maps to the Initial Access and Execution and Persistence and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2026-20045: Cisco Unified Communications Manager Code Injection, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, CommonSecurityLog, Syslog, DeviceProcessEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let CUCMHosts = dynamic(["cucm", "callmanager", "ucm"]);
let SuspiciousPatterns = dynamic(["cmd.exe", "powershell", "bash", "sh", "/bin/sh", "wget", "curl", "python", "perl"]);
union DeviceEvents, DeviceProcessEvents, CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceName has_any (CUCMHosts) or DestinationHostName has_any (CUCMHosts) or Computer has_any (CUCMHosts)
| where (EventType == "ProcessCreated" and (ProcessCommandLine has_any (SuspiciousPatterns) or InitiatingProcessFileName in~ ("java", "tomcat")))
or (Activity has "POST" and RequestURL has_any ("/ccmadmin", "/ccmservice", "/cucm-uds") and RequestBodyLength > 500)
or (SourceIP !in ("127.0.0.1", "::1") and Activity has "200" and RequestURL has_any ("/axl/", "/realtimeservice2"))
| extend RiskScore = case(
ProcessCommandLine has_any ("wget", "curl") and ProcessCommandLine has "http", 90,
ProcessCommandLine has_any ("bash", "sh") and InitiatingProcessFileName has "java", 85,
RequestBodyLength > 5000, 70,
50)
| where RiskScore >= 50
| project TimeGenerated, Computer, DeviceName, ProcessCommandLine, InitiatingProcessFileName, RequestURL, SourceIP, DestinationIP, RiskScore
| sort by RiskScore descDetects suspicious process spawning from Cisco UCM Java/Tomcat processes and anomalous HTTP POST activity to administrative endpoints indicative of CVE-2026-20045 exploitation.
Data Sources
Required Tables
False Positives
- Legitimate administrative scripts executed via CUCM automation frameworks
- Authorized penetration testing against CUCM infrastructure
- Large SOAP/AXL API payloads from legitimate UCM integrations such as ITSM platforms
- Scheduled maintenance jobs spawning shell processes under service accounts
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-20045: Cisco Unified Communications Manager Code Injection (CVE-2026-20045) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-20045
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-20045 Code Injection via AXL SOAP Endpoint
Expected signal: Tomcat access log entry showing POST to /axl/ with HTTP 200 or 500; if successful, process audit log showing command substitution execution under Tomcat user; /tmp/rce_test.txt created on CUCM host
- Test 2Simulate Java Spawning Reverse Shell on CUCM OS
Expected signal: ProcessRollup2 event (CrowdStrike) or DeviceProcessEvents (MDE) showing bash or java process with parent java; network connection to ATTACKER_IP:4444 if reverse shell variant used
- Test 3Web Shell Deployment Simulation on CUCM Tomcat
Expected signal: File creation event for .jsp file in /opt/cisco/platform/ui/; if Tomcat is running, subsequent HTTP GET requests to the new JSP path; audit log showing file write under test user account
- Test 4AXL Credential Brute-Force Reconnaissance
Expected signal: Multiple HTTP 401/403 responses from CUCM to the source IP in rapid succession; authentication failure events in CUCM security logs; CommonSecurityLog or Syslog entries showing repeated failed logins
Unlock Pro Content
Get the full detection package for CVE-2026-20045 including response playbook, investigation guide, and atomic red team tests.