CVE-2026-20230 IBM QRadar · QRadar

Detect Cisco Unified Communications Manager SSRF Exploitation Detected in IBM QRadar

Detects exploitation attempts of CVE-2026-20230, a Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager (CUCM). An unauthenticated remote attacker may craft malicious HTTP requests to the CUCM web interface to cause the server to initiate requests to arbitrary internal or external destinations, potentially enabling internal network reconnaissance, credential theft via metadata services, or pivoting to internal resources.

MITRE ATT&CK

Tactic
Reconnaissance Discovery Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  URL,
  username,
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source,
  magnitude
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%cisco%'
  AND (
    URL ILIKE '%169.254.169.254%'
    OR URL ILIKE '%metadata.google.internal%'
    OR URL ILIKE '%100.100.100.200%'
    OR URL ILIKE '%127.0.0.1%'
    OR URL ILIKE '%localhost%'
    OR URL ILIKE '%::1%'
    OR URL ILIKE '%file://%'
    OR URL ILIKE '%dict://%'
    OR URL ILIKE '%gopher://%'
    OR URL ILIKE '%ldap://%'
  )
  AND (
    URL ILIKE '%/ccmadmin/%'
    OR URL ILIKE '%/cucm-uds/%'
    OR URL ILIKE '%/ucmuser/%'
    OR URL ILIKE '%/ccmuser/%'
    OR URL ILIKE '%/cmplatform/%'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000
high severity medium confidence

QRadar AQL query to surface SSRF-indicative requests targeting Cisco CUCM web endpoints, filtering on known SSRF payloads including cloud metadata service addresses and non-HTTP schemes.

Data Sources

Cisco Unified Communications ManagerQRadar Network Activity

Required Tables

events

False Positives & Tuning

  • Security scanners performing authorized vulnerability assessments against CUCM
  • Internal monitoring tools checking CUCM reachability using IP-based parameters
  • CUCM administrative tasks that include internal addresses in URL parameters
  • Misconfigured integrations passing internal IPs in otherwise legitimate API calls

Other platforms for CVE-2026-20230

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SSRF Probe via CUCM Admin Interface URL Parameter

    Expected signal: HTTP GET request to /ccmadmin/ with redirectUrl parameter containing 169.254.169.254; subsequent outbound TCP connection from CUCM server to 169.254.169.254:80 if vulnerable

  2. Test 2SSRF via Gopher Protocol Scheme in CUCM API Parameter

    Expected signal: HTTP GET to /cucm-uds/ endpoint with gopher:// scheme in callback parameter; potential TCP connection from CUCM server to 127.0.0.1:6379 if exploitable

  3. Test 3SSRF Internal Network Scan via CUCM Redirect Parameter

    Expected signal: Multiple HTTP requests to /ccmuser/ with varying port numbers in src parameter containing RFC1918 addresses; timing differences in responses may reveal open ports on internal hosts if CUCM is vulnerable

Last updated: 2026-06-26 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20230 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0043ReconnaissanceTA0007DiscoveryTA0008Lateral Movement

Related Techniques

T1090.002External ProxyT1552.005Cloud Instance Metadata APIT1595.002Vulnerability Scanning

Same Tactic: Reconnaissance

Popular Detections