CVE-2026-20230 Elastic Security · Elastic

Detect Cisco Unified Communications Manager SSRF Exploitation Detected in Elastic Security

Detects exploitation attempts of CVE-2026-20230, a Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager (CUCM). An unauthenticated remote attacker may craft malicious HTTP requests to the CUCM web interface to cause the server to initiate requests to arbitrary internal or external destinations, potentially enabling internal network reconnaissance, credential theft via metadata services, or pivoting to internal resources.

MITRE ATT&CK

Tactic
Reconnaissance Discovery Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   destination.port in (80, 443, 8080, 8443) and
   url.path : ("/ccmadmin/*", "/cucm-uds/*", "/ucmuser/*", "/ccmuser/*", "/cmplatform/*") and
   (
     url.query : ("*169.254.169.254*", "*metadata.google.internal*", "*localhost*", "*127.0.0.1*", "*::1*", "*0.0.0.0*") or
     url.query : ("*file://*", "*dict://*", "*gopher://*", "*ldap://*") or
     url.full : ("*url=http*", "*redirect=http*", "*callback=http*")
   )
  ]
  [network where event.category == "network" and
   source.ip == destination.ip or
   destination.ip in ("169.254.169.254", "100.100.100.200") or
   cidr_match(destination.ip, "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
  ]
high severity medium confidence

Uses EQL sequence correlation to detect SSRF exploitation against CUCM: first event captures the inbound request with SSRF payload, second event captures the resulting outbound connection from CUCM to an internal or metadata service address.

Data Sources

Elastic Network EventsPacketbeatCisco CUCM

Required Tables

logs-network*packetbeat-*

False Positives & Tuning

  • Legitimate CUCM health checks that contact internal monitoring endpoints
  • Cluster replication traffic between CUCM nodes that appears as loopback connections
  • Automated deployment scripts that use internal IP parameters during provisioning
  • Load balancer health probes generating sequential internal connection patterns

Other platforms for CVE-2026-20230

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SSRF Probe via CUCM Admin Interface URL Parameter

    Expected signal: HTTP GET request to /ccmadmin/ with redirectUrl parameter containing 169.254.169.254; subsequent outbound TCP connection from CUCM server to 169.254.169.254:80 if vulnerable

  2. Test 2SSRF via Gopher Protocol Scheme in CUCM API Parameter

    Expected signal: HTTP GET to /cucm-uds/ endpoint with gopher:// scheme in callback parameter; potential TCP connection from CUCM server to 127.0.0.1:6379 if exploitable

  3. Test 3SSRF Internal Network Scan via CUCM Redirect Parameter

    Expected signal: Multiple HTTP requests to /ccmuser/ with varying port numbers in src parameter containing RFC1918 addresses; timing differences in responses may reveal open ports on internal hosts if CUCM is vulnerable

Last updated: 2026-06-26 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20230 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0043ReconnaissanceTA0007DiscoveryTA0008Lateral Movement

Related Techniques

T1090.002External ProxyT1552.005Cloud Instance Metadata APIT1595.002Vulnerability Scanning

Same Tactic: Reconnaissance

Popular Detections