Detect CVE-2026-20045: Cisco Unified Communications Manager Code Injection in Splunk
Detects exploitation attempts targeting CVE-2026-20045, a code injection vulnerability (CWE-94) in Cisco Unified Communications Manager. This KEV-listed vulnerability allows remote attackers to inject and execute arbitrary code. Detection focuses on anomalous process execution, unexpected web shell activity, and suspicious outbound connections originating from CUCM processes.
MITRE ATT&CK
SPL Detection Query
index=* (sourcetype=cisco:ucm OR sourcetype=cisco:cucm OR sourcetype=syslog host=*cucm* OR host=*callmanager*)
| eval is_suspicious_proc=if(match(process, "(?i)(cmd\.exe|powershell|/bin/sh|/bin/bash|wget|curl|python|perl|nc |netcat)"), 1, 0)
| eval is_suspicious_http=if(match(uri, "(?i)(/ccmadmin|/ccmservice|/cucm-uds|/axl/|/realtimeservice2)") AND (method="POST" OR method="PUT"), 1, 0)
| eval is_java_spawn=if(match(parent_process, "(?i)(java|tomcat|catalina)") AND match(process, "(?i)(sh|bash|cmd|python|perl)"), 1, 0)
| where is_suspicious_proc=1 OR is_suspicious_http=1 OR is_java_spawn=1
| eval risk_score=case(
is_java_spawn=1 AND is_suspicious_proc=1, 95,
is_java_spawn=1, 80,
is_suspicious_proc=1, 70,
is_suspicious_http=1, 60,
true(), 50)
| eval alert_reason=case(
is_java_spawn=1, "Java/Tomcat spawned shell process - likely RCE",
is_suspicious_proc=1, "Suspicious process execution on CUCM host",
is_suspicious_http=1, "Anomalous POST to CUCM admin endpoint",
true(), "Unknown")
| where risk_score >= 60
| table _time, host, src_ip, dest_ip, uri, method, process, parent_process, user, risk_score, alert_reason
| sort - risk_scoreSplunk query detecting CVE-2026-20045 exploitation via suspicious process spawning from Cisco UCM Java processes and anomalous HTTP activity on administrative endpoints.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Automated deployment tools that execute shell commands via UCM APIs
- Legitimate bulk AXL API operations from call center platforms
- Security scanning tools targeting CUCM as part of authorized assessments
- UCM upgrade or patch procedures that invoke shell scripts
Other platforms for CVE-2026-20045
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-20045 Code Injection via AXL SOAP Endpoint
Expected signal: Tomcat access log entry showing POST to /axl/ with HTTP 200 or 500; if successful, process audit log showing command substitution execution under Tomcat user; /tmp/rce_test.txt created on CUCM host
- Test 2Simulate Java Spawning Reverse Shell on CUCM OS
Expected signal: ProcessRollup2 event (CrowdStrike) or DeviceProcessEvents (MDE) showing bash or java process with parent java; network connection to ATTACKER_IP:4444 if reverse shell variant used
- Test 3Web Shell Deployment Simulation on CUCM Tomcat
Expected signal: File creation event for .jsp file in /opt/cisco/platform/ui/; if Tomcat is running, subsequent HTTP GET requests to the new JSP path; audit log showing file write under test user account
- Test 4AXL Credential Brute-Force Reconnaissance
Expected signal: Multiple HTTP 401/403 responses from CUCM to the source IP in rapid succession; authentication failure events in CUCM security logs; CommonSecurityLog or Syslog entries showing repeated failed logins
Unlock Pro Content
Get the full detection package for CVE-2026-20045 including response playbook, investigation guide, and atomic red team tests.