Cisco Unified Communications Manager SSRF Exploitation Detected
Detects exploitation attempts of CVE-2026-20230, a Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager (CUCM). An unauthenticated remote attacker may craft malicious HTTP requests to the CUCM web interface to cause the server to initiate requests to arbitrary internal or external destinations, potentially enabling internal network reconnaissance, credential theft via metadata services, or pivoting to internal resources.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Cisco
- Product
- Unified Communications Manager
Weakness (CWE)
Timeline
- Disclosed
- June 25, 2026
References & Proof of Concept
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-cucm-ssrf-cXPnHcW.html
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20230
What is CVE-2026-20230 Cisco Unified Communications Manager SSRF Exploitation Detected?
Cisco Unified Communications Manager SSRF Exploitation Detected (CVE-2026-20230) maps to the Reconnaissance and Discovery and Lateral Movement tactics — the adversary is trying to gather information they can use to plan future operations in MITRE ATT&CK.
This page provides production-ready detection logic for Cisco Unified Communications Manager SSRF Exploitation Detected, covering the data sources and telemetry it touches: Cisco Unified Communications Manager, Cisco Firepower, Network Proxy Logs. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let cucm_ssrf_indicators = dynamic(["169.254.169.254", "metadata.google.internal", "100.100.100.200", "localhost", "127.0.0.1", "::1", "0.0.0.0"]);
let cucm_ssrf_paths = dynamic(["/ccmadmin/", "/cucm-uds/", "/ucmuser/", "/ccmuser/", "/cmplatform/"]);
CommonSecurityLog
| where TimeGenerated >= ago(24h)
| where DeviceVendor =~ "Cisco" or DeviceProduct has_any ("Unified Communications Manager", "CUCM", "Call Manager")
| where Activity has_any (cucm_ssrf_paths) or Message has_any (cucm_ssrf_paths)
| extend RequestURL = coalesce(RequestURL, Message)
| where RequestURL has_any (cucm_ssrf_indicators)
or (RequestURL matches regex @"(?i)(file://|dict://|gopher://|ftp://|ldap://)")
or (RequestURL matches regex @"(?i)/api/.*url=|/redirect.*=http|callback=http")
| extend SourceIP = SourceIP, DestinationIP = DestinationIP
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, Message, DeviceVendor, DeviceProduct, AdditionalExtensions
| order by TimeGenerated descDetects SSRF exploitation attempts against Cisco CUCM by identifying requests to CUCM web paths that contain internal/metadata service indicators or suspicious URI schemes in CommonSecurityLog events.
Data Sources
Required Tables
False Positives
- Legitimate administrative scripts that fetch internal URLs for health checks
- Vulnerability scanners or penetration testing tools performing authorized assessments
- Integration workflows that legitimately redirect through CUCM APIs to internal services
- Monitoring agents polling CUCM endpoints that resolve to RFC1918 addresses
Sigma rule & cross-platform mapping
The detection logic for Cisco Unified Communications Manager SSRF Exploitation Detected (CVE-2026-20230) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-20230
References (4)
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-cucm-ssrf-cXPnHcW.html
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20230
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SSRF Probe via CUCM Admin Interface URL Parameter
Expected signal: HTTP GET request to /ccmadmin/ with redirectUrl parameter containing 169.254.169.254; subsequent outbound TCP connection from CUCM server to 169.254.169.254:80 if vulnerable
- Test 2SSRF via Gopher Protocol Scheme in CUCM API Parameter
Expected signal: HTTP GET to /cucm-uds/ endpoint with gopher:// scheme in callback parameter; potential TCP connection from CUCM server to 127.0.0.1:6379 if exploitable
- Test 3SSRF Internal Network Scan via CUCM Redirect Parameter
Expected signal: Multiple HTTP requests to /ccmuser/ with varying port numbers in src parameter containing RFC1918 addresses; timing differences in responses may reveal open ports on internal hosts if CUCM is vulnerable
Unlock Pro Content
Get the full detection package for CVE-2026-20230 including response playbook, investigation guide, and atomic red team tests.