Detect Cisco Unified Communications Manager SSRF Exploitation Detected in Splunk
Detects exploitation attempts of CVE-2026-20230, a Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager (CUCM). An unauthenticated remote attacker may craft malicious HTTP requests to the CUCM web interface to cause the server to initiate requests to arbitrary internal or external destinations, potentially enabling internal network reconnaissance, credential theft via metadata services, or pivoting to internal resources.
MITRE ATT&CK
SPL Detection Query
index=network OR index=cisco OR index=proxy sourcetype IN ("cisco:cucm", "cisco_cucm", "cisco:esa", "cef", "syslog")
| search (product="Unified Communications Manager" OR product="CUCM" OR host IN (cucm_hosts))
| rex field=_raw "(?i)(?:url|dest|redirect|callback|target|src)=(?P<extracted_url>[^&\s\"']+)"
| eval suspicious_ssrf=if(
match(extracted_url, "(?i)(169\.254\.169\.254|metadata\.google\.internal|100\.100\.100\.200|localhost|127\.0\.0\.1|::1|0\.0\.0\.0)") OR
match(extracted_url, "(?i)(file://|dict://|gopher://|ftp://|ldap://)") OR
match(uri_path, "(?i)(/ccmadmin/|/cucm-uds/|/ucmuser/|/ccmuser/|/cmplatform/)"),
1, 0)
| where suspicious_ssrf=1
| stats count as attempt_count, values(extracted_url) as ssrf_targets, dc(src_ip) as unique_sources, min(_time) as first_seen, max(_time) as last_seen by dest_ip, uri_path, http_method
| where attempt_count > 0
| eval risk_score=case(attempt_count > 50, "high", attempt_count > 10, "medium", true(), "low")
| table first_seen, last_seen, dest_ip, uri_path, http_method, ssrf_targets, attempt_count, unique_sources, risk_score
| sort - attempt_countIdentifies SSRF exploitation of Cisco CUCM by extracting URL parameters from CUCM web interface requests and matching against known SSRF indicators including metadata service addresses, loopback addresses, and non-HTTP URI schemes.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized penetration testing or red team exercises against CUCM infrastructure
- Legitimate administrative URLs containing IP address parameters for cluster management
- Third-party integrations with CUCM that pass callback URLs containing internal addresses
- Health monitoring systems that poll CUCM APIs with internal destination parameters
Other platforms for CVE-2026-20230
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SSRF Probe via CUCM Admin Interface URL Parameter
Expected signal: HTTP GET request to /ccmadmin/ with redirectUrl parameter containing 169.254.169.254; subsequent outbound TCP connection from CUCM server to 169.254.169.254:80 if vulnerable
- Test 2SSRF via Gopher Protocol Scheme in CUCM API Parameter
Expected signal: HTTP GET to /cucm-uds/ endpoint with gopher:// scheme in callback parameter; potential TCP connection from CUCM server to 127.0.0.1:6379 if exploitable
- Test 3SSRF Internal Network Scan via CUCM Redirect Parameter
Expected signal: Multiple HTTP requests to /ccmuser/ with varying port numbers in src parameter containing RFC1918 addresses; timing differences in responses may reveal open ports on internal hosts if CUCM is vulnerable
References (4)
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-cucm-ssrf-cXPnHcW.html
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20230
Unlock Pro Content
Get the full detection package for CVE-2026-20230 including response playbook, investigation guide, and atomic red team tests.