CVE-2026-20230 CrowdStrike LogScale · LogScale

Detect Cisco Unified Communications Manager SSRF Exploitation Detected in CrowdStrike LogScale

Detects exploitation attempts of CVE-2026-20230, a Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager (CUCM). An unauthenticated remote attacker may craft malicious HTTP requests to the CUCM web interface to cause the server to initiate requests to arbitrary internal or external destinations, potentially enabling internal network reconnaissance, credential theft via metadata services, or pivoting to internal resources.

MITRE ATT&CK

Tactic
Reconnaissance Discovery Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=NetworkConnectIP4
| $src_ip = RemoteAddressIP4
| $dest_port = RemotePort
| search event_platform=Lin OR event_platform=Win
| join {
    #event_simpleName=ProcessRollup2
    | search ImageFileName=/(?i)(cucm|ciscoucm|ccmservice|tomcat)/
    | $process_name = ImageFileName
    | $pid = TargetProcessId
  } [pid=TargetProcessId]
| search (
    $dest_ip = "169.254.169.254" OR
    $dest_ip = "100.100.100.200" OR
    $dest_ip = /^127\./ OR
    $dest_ip = /^10\./ OR
    $dest_ip = /^172\.(1[6-9]|2[0-9]|3[01])\./ OR
    $dest_ip = /^192\.168\./
  )
| groupby [$src_ip, $dest_ip, $dest_port, $process_name]
| sort count desc
high severity low confidence

CrowdStrike CQL query to detect outbound network connections initiated by CUCM-related processes to internal RFC1918 or cloud metadata service addresses, which may indicate successful SSRF exploitation causing server-initiated requests.

Data Sources

CrowdStrike Falcon EDRNetwork Connection Events

Required Tables

NetworkConnectIP4ProcessRollup2

False Positives & Tuning

  • CUCM cluster replication traffic between nodes on RFC1918 address space
  • Legitimate CUCM service connections to internal database or LDAP servers
  • Monitoring agents running alongside CUCM that establish connections to internal endpoints
  • CUCM integration services connecting to internal telephony gateways or SIP proxies

Other platforms for CVE-2026-20230

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SSRF Probe via CUCM Admin Interface URL Parameter

    Expected signal: HTTP GET request to /ccmadmin/ with redirectUrl parameter containing 169.254.169.254; subsequent outbound TCP connection from CUCM server to 169.254.169.254:80 if vulnerable

  2. Test 2SSRF via Gopher Protocol Scheme in CUCM API Parameter

    Expected signal: HTTP GET to /cucm-uds/ endpoint with gopher:// scheme in callback parameter; potential TCP connection from CUCM server to 127.0.0.1:6379 if exploitable

  3. Test 3SSRF Internal Network Scan via CUCM Redirect Parameter

    Expected signal: Multiple HTTP requests to /ccmuser/ with varying port numbers in src parameter containing RFC1918 addresses; timing differences in responses may reveal open ports on internal hosts if CUCM is vulnerable

Last updated: 2026-06-26 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20230 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0043ReconnaissanceTA0007DiscoveryTA0008Lateral Movement

Related Techniques

T1090.002External ProxyT1552.005Cloud Instance Metadata APIT1595.002Vulnerability Scanning

Same Tactic: Reconnaissance

Popular Detections