CVE-2026-20045 Elastic Security · Elastic

Detect CVE-2026-20045: Cisco Unified Communications Manager Code Injection in Elastic Security

Detects exploitation attempts targeting CVE-2026-20045, a code injection vulnerability (CWE-94) in Cisco Unified Communications Manager. This KEV-listed vulnerability allows remote attackers to inject and execute arbitrary code. Detection focuses on anomalous process execution, unexpected web shell activity, and suspicious outbound connections originating from CUCM processes.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where event.type == "start"
   and process.parent.name in ("java", "catalina.sh", "tomcat")
   and process.name in ("sh", "bash", "python", "python3", "perl", "wget", "curl", "nc")]
  [any where
   (event.category == "network" and network.direction == "egress" and
    not destination.ip in ("127.0.0.1", "::1") and destination.port in (80, 443, 4444, 8080, 8443, 9001))
   or
   (event.category == "file" and file.path like~ "/opt/cisco/*" and event.action in ("creation", "overwrite"))]
critical severity high confidence

EQL sequence rule detecting the pattern of Java/Tomcat process spawning a shell followed by suspicious outbound network activity or file creation on Cisco UCM hosts, indicative of post-exploitation after CVE-2026-20045.

Data Sources

Elastic EndpointAuditdPacketbeat

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.network-*logs-endpoint.events.file-*

False Positives & Tuning

  • CUCM backup scripts that use shell and make outbound connections to backup servers
  • Monitoring agents spawned under the Tomcat service account
  • Legitimate software updates that write to /opt/cisco paths

Other platforms for CVE-2026-20045

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-20045 Code Injection via AXL SOAP Endpoint

    Expected signal: Tomcat access log entry showing POST to /axl/ with HTTP 200 or 500; if successful, process audit log showing command substitution execution under Tomcat user; /tmp/rce_test.txt created on CUCM host

  2. Test 2Simulate Java Spawning Reverse Shell on CUCM OS

    Expected signal: ProcessRollup2 event (CrowdStrike) or DeviceProcessEvents (MDE) showing bash or java process with parent java; network connection to ATTACKER_IP:4444 if reverse shell variant used

  3. Test 3Web Shell Deployment Simulation on CUCM Tomcat

    Expected signal: File creation event for .jsp file in /opt/cisco/platform/ui/; if Tomcat is running, subsequent HTTP GET requests to the new JSP path; audit log showing file write under test user account

  4. Test 4AXL Credential Brute-Force Reconnaissance

    Expected signal: Multiple HTTP 401/403 responses from CUCM to the source IP in rapid succession; authentication failure events in CUCM security logs; CommonSecurityLog or Syslog entries showing repeated failed logins

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-20045 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1505.003Web ShellT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections